HHS Issues Guidance on Audio-Only Telehealth and HIPAA Compliance
June 22, 2022
On June 13, 2022, the Office of Civil Rights (OCR) updated its website with guidance related to audio-only telehealth and the HIPAA Privacy and Security Rules. The OCR stated the guidance was in direct response to Executive Order 14058, which was issued in December 2021 and ordered federal government agencies to design and deliver services in a more equitable and effective manner, especially for those who have been historically underserved. The guidance notes that telehealth that includes video may be difficult for certain populations to access because of various factors, including financial resources, limited English proficiency, disability, internet access, and the availability of sufficient broadband and cell coverage in the geographic area.
In March 2020, the OCR issued a notification and guidance related to the use of telehealth services during the COVID-19 public health emergency. Importantly, this new guidance will apply in situations where those rules do not and will remain in effect even after the public health emergency is declared to be over.
The HIPAA Privacy rules specifically provide for telehealth services, including audio-only services. Covered entities, including healthcare providers and health plans, must take steps to verify the identity of the individual. There are no prescribed methods of identification. Covered entities must apply reasonable safeguards to protect the privacy of protected health information (PHI) and avoid incidental uses or disclosures of PHI. Examples include not using speakerphones, using a lowered voice and providing the services in a private setting.
Regarding the HIPAA Security rules, a traditional landline telephone is not considered electronic communication. Thus, the rules would not apply to such communication. However, if the covered entity uses voice over internet protocol (VoIP), a cell phone, Wi-Fi, a smartphone application or technology to transcribe or record the communication, the HIPAA Security rules would apply. In that case, the covered entity must identify, assess and address the potential risks and vulnerabilities (such as the transmission being intercepted by an unauthorized third party) and consider whether the communication method is encrypted.
If the telecommunications service provider (TSP) is only a conduit for the communication and does not create, receive or maintain any PHI from the session, no business associate agreement is required. An example would be a cell phone or internet provider if the session is conducted with a cell phone over Wi-Fi. However, if the TSP maintains the PHI after the session, an agreement would be required. An example would be a smartphone application that records the session and stores it in the cloud.
No action is required of employer plan sponsors as a result of the new guidance. However, it is welcome news for plans with underserved populations, as those participants may be able to better access health services due to the updated rules.