In response to the pandemic, the U.S. Department of Health and Human Services (“HHS”) announced that its Office of Civil Rights (“OCR”) would use discretion in enforcing certain provisions of the HIPAA Privacy and Security Rules for providers using audio–visual methods and platforms to provide healthcare services via telehealth. As the pandemic shifts, the future of this discretion remains uncertain, prompting HHS to announce new guidance for the use of audio–only telehealth methods.
On June 13, 2022, HHS released new guidance on the acceptability of audio–only telehealth once the enforcement discretion policy lapses with the end of the Public Health Emergency. This guidance is aimed to increase accessibility of healthcare services for those in rural areas and those who may not be able to access video technology due to a disability or extenuating circumstances. Here’s how the different aspects of HIPAA apply to audio–only telehealth:
- HIPAA Privacy Rule: Audio–only telehealth is acceptable under the HIPAA Privacy Rule as long as providers still take steps to safeguard protected health information (“PHI”). Steps include using a private space, or if one is unavailable, lowering voices and avoiding the use of speakerphone.
- HIPAA Security Rule: While HIPAA’s data security safeguards do not apply to standard telephone lines; smartphone apps, VoIP platforms, technologies that record and/or transcribe telehealth sessions, and messaging apps that electronically store audio messages do fall under the HIPAA Security Rule. Security risk analyses should be conducted to assess the security of PHI when using these technologies, and analyses should be further used to construct a risk management plan.
- Business Associate Agreements (“BAA”): If a telecommunications service provider (“TSP”) only connects a provider and patient and does not create, maintain, or store PHI, no BAA is needed. However, if a TSP creates, maintains, or stores any form of PHI, a BAA will be necessary.
HHS clarified that these guidelines apply regardless of whether any health plan covers or pays for audio–only telehealth. As the end of the enforcement discretion period gets closer, providers should take this guidance into account and make sure practices are in full HIPAA compliance.
If you have questions, please do not hesitate to reach out to any member of Gardner Skelton’s team.