Preparation for operations after the end of the Public Health Emergency (PHE) have commenced. HHS released guidance on using remote communication technologies for audio-only telehealth services in compliance with HIPAA. In March of 2020, HHS stated it would exercise enforcement discretion for noncompliance with HIPAA in connection with the good faith provision of telehealth services using non-public facing audio or video remote communication technologies during the PHE. That enforcement discretion will end when the PHE ends.
In this latest guidance, HHS noted that due to various barriers, such as disability, financial, or language, not all patients are able to access audio-video telehealth technologies and that audio-only telehealth helps to address the needs of these patients. Here are four key FAQs based on the guidance that telehealth providers and platform-providers, covered by HIPAA, should consider when implementing an audio-only telehealth offering:
1. Are audio-only telehealth services able to be provided in compliance with the HIPAA Privacy Rule when the PHE ends? Yes. Telehealth providers need to implement reasonable safeguards to protect the privacy of protected health information (PHI), such as communicating in a private setting, or using lowered voices and not using speakerphone where a private setting is not feasible in order to comply with the HIPAA Privacy Rule. Telehealth providers must also verify the identity of any patient not known to the telehealth provider.
2. Is it possible to comply with the HIPAA Security Rule when providing telehealth services over the phone or a mobile app? Yes. Technologies covered under the HIPAA Security Rule include smartphone applications, VoIP technologies, technologies that record or transcribe telehealth sessions, and messaging services that electronically store audio messages. One aspect of complying with the HIPAA Security Rule is that a security risk analysis on the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI must be conducted when using such technologies. The security risk analysis should then be used to assist in the development of a risk management plan to address the identified risks and vulnerabilities.
3. Does a telehealth provider need a business associate agreement (BAA) with the telephone company and/or wireless carrier? Maybe. Telecommunications service providers (TSPs) are the companies that provide voice and/or data transmissions services such as the telephone company, the wireless carrier, and/or, in some cases, a mobile application provider. Telehealth providers must enter into a BAA with a TSP that creates, receives, maintains, or transmits PHI for or on behalf of the telehealth provider. However, telehealth providers do not need to enter into a BAA with a TSP where the TSP: (i) only has transient access to the PHI transmitted; (ii) does not create, receive, or maintain PHI on behalf of the telehealth provider; and (iii) does not require access on a routine basis to the PHI transmitted on the call. TSPs meeting all of these specifications are known as “conduits.” HHS provided the following examples of scenarios where a BAA is or is not required with a TSP:
|TSP only connects a call between the telehealth provider and the patient, and does not create, receive, or maintain any PHI from the session.||No|
|Telehealth provider wants to conduct audio-only telehealth sessions with patients using a smartphone app that stores PHI (e.g., recordings, transcripts) in the app developer’s cloud infrastructure for the telehealth provider’s later use.||Yes, BAA required with developer of smartphone app|
|Telehealth provider uses smartphone app to translate oral communications to another language to provide meaningful access to individuals with limited English proficiency.||Yes, BAA required with developer of smartphone app|
Also, since the HIPAA Security Rule only applies to electronic PHI, it does not apply to services using a standard telephone line (i.e., landline). In general, telehealth providers should be cautious about relying on TSPs that do not sign BAAs and must conduct due diligence to ensure the TSP does not access or maintain PHI transmitted during the call.
4. Does a telehealth provider need to ensure that its patients are complying with HIPAA? HHS notes that patients may use any telephone system they choose and telehealth providers are not responsible for the privacy or security of patients’ information once it has been received by the patient’s phone or other device. However, telehealth providers should note that if they provide a mobile app to the patient for use in either accessing telehealth services or storing medical information, the mobile app must comply with the HIPAA Privacy and Security Rule.
The planning and transition from PHE to post-PHE processes should start now for telehealth providers. Conducting risk assessments and diligence on existing vendors and their compliance with privacy and security laws must occur immediately. If a vendor that accesses, views, or maintains PHI refuses to sign a BAA, telehealth providers should immediately look to terminate the relationship with that vendor and consider alternative vendors that will sign a BAA. Developing a strategy for HIPAA compliance now, before the PHE sunsets, will pay dividends in the future.
Want to Learn More?
For more information on telemedicine, telehealth, virtual care, remote patient monitoring, digital health, and other health innovations, including the team, publications, and representative experience, visit Foley’s Telemedicine & Digital Health Industry Team.