June 16, 2022
You need to hear this: Enforcement of HIPAA rules pertaining to audio-only telehealth services, which has been lax through the pandemic, will be tightening up. Partly due to that, this week the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released guidance to ensure covered health care providers and health plans stay HIPAA compliant when providing these types of services.
Enforcement discretion in tough times
The March 2020 Notification of Enforcement Discretion, issued at the start of the pandemic, allowed covered health care providers to use any available non-public facing remote communication technologies for telehealth, even where those technologies, and how they are used, may not fully comply with the HIPAA Rules. At that time, HHS said it would not bring enforcement actions over HIPAA rules against telemedicine providers attempting to comply in good faith.
The newly issued guidance should help prepare entities for when that notification expires. When will that be, you ask? When the Secretary of HHS declares that the public health emergency no longer exists, or upon the expiration date of the declared public health emergency, including any extensions. So, we really don’t know, but it could feasibly happen sooner rather than later.
While it seems like best practice at all times, speakerphones and loud voices should be shushed to protect patient privacy whenever healthcare providers are conducting audio-only telemedicine appointments. In other words, if a private space is not available for such calls, turn off the phone’s speaker option and speak quietly.
Furthermore, it’s important to know the differences in compliance requirements between using a standard telephone line and a smartphone app. The guidance states that HIPAA’s required electronic data security safeguards do not apply to telemedicine conducted over a standard telephone line, but they do apply to appointments over internet-based voice services. Because such apps not only provide transmission services but also create, receive, and maintain PHI, the provider would need to enter into a Business Associate Agreement (BAA) with the app developer before it can use the app with patients.
Risk analysis and risk management considerations
A covered entity’s risk analysis and risk management should include considerations of whether:
- There is a risk the transmission could be intercepted by an unauthorized third party.
- The remote communication technology (e.g., mobile device, app) supports encrypted transmissions.
- There is a risk ePHI created or stored because of a telehealth session (e.g., session recordings or transcripts) could be accessed by an unauthorized third party, and whether encryption is available to secure recordings or transcripts of created or stored telehealth sessions.
- Authentication is required to access the device or app where telehealth session ePHI may be stored.
- The device or app automatically terminates the session or locks after a period of inactivity.
Finally, why it matters
“Audio telehealth is an important tool to reach patients in rural communities, individuals with disabilities, and others seeking the convenience of remote options,” said Lisa Pino, director of HHS’s Office for Civil Rights, in a statement. “This guidance explains how the HIPAA Rules permit health care providers and plans to offer audio telehealth while protecting the privacy and security of individuals’ health information.”
As always, we encourage you to contact the HIPAA experts at PrivaPlan for more information or questions.