HIPAA & Telehealth: FAQs from HHS Guidance on Audio-Only Telehealth

16 June 2022 Health Care Law Today Blog
Author(s): Jennifer J. Hennessy, Aaron T. Maguregui

Preparations for operations after the end of the Public Health Emergency (PHE) have commenced. HHS has released guidance on using remote communication technologies for audio-only telehealth services in compliance with HIPAA. In March 2020, HHS stated that it would exercise enforcement discretion for noncompliance with HIPAA in connection with the good faith provision of telehealth services using non-public-facing audio or video remote communication technologies during the PHE. That enforcement discretion will end when the PHE ends.

In this latest guidance, HHS noted that due to various barriers, such as disability, financial constraints, or language, not all patients are able to access audio-video telehealth technologies, and that audio-only telehealth helps to address the needs of these patients. Here are four key FAQs based on the guidance that telehealth providers and platform providers covered by HIPAA should consider when implementing an audio-only telehealth offering:

1.  Are audio-only telehealth services able to be provided in compliance with the HIPAA Privacy Rule when the PHE ends? Yes. To comply with the HIPAA Privacy Rule, telehealth providers need to implement reasonable safeguards to protect the privacy of protected health information (PHI), such as communicating in a private setting or, where a private setting is not feasible, using lowered voices and not using speakerphone. Telehealth providers must also verify the identity of any patient not known to the telehealth provider.

2.  Is it possible to comply with the HIPAA Security Rule when providing telehealth services over the phone or a mobile app? Yes. Technologies covered under the HIPAA Security Rule include smartphone applications, VoIP technologies, technologies that record or transcribe telehealth sessions, and messaging services that electronically store audio messages. One aspect of complying with the HIPAA Security Rule is that a security risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI must be conducted when using such technologies. The security risk analysis should then be used to assist in the development of a risk management plan to address the identified risks and vulnerabilities.

3.  Does a telehealth provider need a business associate agreement (BAA) with the telephone company and/or wireless carrier? Maybe. Telecommunications service providers (TSPs) are the companies that provide voice and/or data transmission services, such as the telephone company, the wireless carrier, and/or, in some cases, a mobile application provider. Telehealth providers must enter into a BAA with a TSP that creates, receives, maintains, or transmits PHI for or on behalf of the telehealth provider. However, telehealth providers do not need to enter into a BAA with a TSP where the TSP: (i) only has transient access to the PHI transmitted; (ii) does not create, receive, or maintain PHI on behalf of the telehealth provider; and (iii) does not require access on a routine basis to the PHI transmitted on the call. TSPs meeting all of these specifications are known as “conduits.” HHS provided the following examples of scenarios where a BAA is or is not required with a TSP:

| Scenario | BAA required? |
|---|---|
| TSP only connects a call between the telehealth provider and the patient, and does not create, receive, or maintain any PHI from the session. | No |
| Telehealth provider wants to conduct audio-only telehealth sessions with patients using a smartphone app that stores PHI (e.g., recordings, transcripts) in the app developer’s cloud infrastructure for the telehealth provider’s later use. | Yes, BAA required with the developer of the smartphone app |
| Telehealth provider uses a smartphone app to translate oral communications to another language to provide meaningful access to individuals with limited English proficiency. | Yes, BAA required with the developer of the smartphone app |

Also, since the HIPAA Security Rule only applies to electronic PHI, it does not apply to services using a standard telephone line (i.e., landline). In general, telehealth providers should be cautious about relying on TSPs that do not sign BAAs and must conduct due diligence to ensure the TSP does not access or maintain PHI transmitted during the call.

4.  Does a telehealth provider need to ensure that its patients are complying with HIPAA? HHS notes that patients may use any telephone system they choose, and telehealth providers are not responsible for the privacy or security of patients’ information once it has been received by the patient’s phone or other device. However, telehealth providers should note that if they provide a mobile app to the patient for use in either accessing telehealth services or storing medical information, the mobile app must comply with the HIPAA Privacy and Security Rules.

The planning and transition from PHE to post-PHE processes should start now for telehealth providers. Conducting risk assessments and diligence on existing vendors and their compliance with privacy and security laws must occur immediately. If a vendor that accesses, views, or maintains PHI refuses to sign a BAA, telehealth providers should immediately look to terminate the relationship with that vendor and consider alternative vendors that will sign a BAA. Developing a strategy for HIPAA compliance now, before the PHE sunsets, will pay dividends in the future.

Want to Learn More?

For more information on telemedicine, telehealth, virtual care, remote patient monitoring, digital health, and other health innovations, including the team, publications, and representative experience, visit Foley’s Telemedicine & Digital Health Industry Team.
