Covered health care providers increasingly use remote communication technologies to provide audio-only telehealth. New audio-only HIPAA privacy guidance was issued on 6/13/22 by the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The OCR is responsible for enforcing the privacy regulations to ensure that audio-only telehealth is delivered consistently with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules (HIPAA Rules). This new HIPAA telephone guidance was developed to help covered entities understand how to use audio-only telehealth in compliance with the HIPAA Rules now and after the Public Health Emergency expires. The date of that expiration is currently set to July 22, 2022.
HHS is issuing this guidance on audio-only telehealth to ensure that individuals can continue benefiting by clarifying how covered entities can provide telehealth services while improving public confidence that their health information will be protected.
Despite telehealth’s recent success in expanding access to health care, certain people may have difficulty accessing, or be unable to access, the technologies used for audio-video telehealth. This may happen for several reasons, including limited financial resources, limited English proficiency, disability, and a lack of internet access, sufficient bandwidth, or cell coverage in their geographic area. Audio-only telehealth, especially using technologies that do not require broadband availability, can help address the needs of some of these individuals. To support access to telephone telehealth services, the OCR guidance addresses questions that HHS has received about whether, and in which circumstances, audio-only telehealth is permissible under the existing HIPAA Rules.
OCR’s Telehealth Notification and FAQs
The following FAQs1 provide guidance to assist covered entities in complying with the HIPAA Rules when OCR’s Telehealth Notification is no longer in effect.
- Does the HIPAA Privacy Rule permit covered health care providers and health plans to use remote communication technologies to provide audio-only telehealth services?
Yes. HIPAA-covered entities can use remote communication technologies to provide telehealth services, including audio-only services, in compliance with the HIPAA Privacy Rule.
The HIPAA Privacy Rule requires that covered entities apply reasonable safeguards to protect the privacy of protected health information (PHI) from impermissible uses or disclosures, including when providing telehealth services. For example, OCR expects covered health care providers to provide telehealth services in private settings to the extent feasible. If telehealth services cannot be provided in a private setting (e.g., where a provider shares an office with a colleague or a family member), covered health care providers still must implement reasonable safeguards, such as using lowered voices and not using speakerphones, to limit incidental uses or disclosures of PHI.
In addition, if the individual is unknown to the covered entity, the entity must verify the individual’s identity either orally or in writing (which may include using electronic methods). The HIPAA Privacy Rules do not mandate a specific way to verify identity. However, covered entities should be mindful that civil rights laws generally require communications with an individual with a disability to be as effective as communications with others, including by providing appropriate auxiliary aids and services where necessary. This requirement extends to all communications with an individual with a disability, including communications related to verifying an individual’s identity. In addition, when necessary, covered entities must verify the individual’s identity by using language assistance services to provide meaningful access for individuals with limited English proficiency.
- Do covered health care providers and health plans have to meet the requirements of the HIPAA Security Rule to use remote communication technologies to provide audio-only telehealth services?
Yes, in certain circumstances. The HIPAA Security Rule applies to electronic protected health information (ePHI), that is, PHI transmitted by or maintained in electronic media.
The HIPAA Security Rule does not apply to audio-only telehealth services provided by a covered entity using a standard telephone line, often described as a traditional landline, because the information transmitted is not electronic. Accordingly, a covered entity does not need to apply the Security Rule safeguards to telehealth services they provide using traditional landlines (regardless of the type of telephone technology the individual uses).
However, traditional landlines are rapidly being replaced with electronic communication technologies such as Voice over Internet Protocol (VoIP) and mobile technologies that use electronic media, such as the Internet, intranets, extranets, cellular networks, and Wi-Fi. The HIPAA Security Rule applies when a covered entity uses electronic communication technologies. Covered entities using telephone systems that transmit ePHI need to apply the HIPAA Security Rule safeguards to those technologies. Note that an individual receiving telehealth services may use any telephone system they choose and is not bound by the HIPAA Rules when doing so. In addition, a covered entity is not responsible for the privacy or security of an individual’s health information once it has been received by the individual’s phone or other device.
For example, current electronic technologies that covered entities use for remote communications, and that therefore require compliance with the Security Rule, may include:
- Communication applications (apps) on a smartphone or another computing device.
- VoIP technologies.
- Technologies that electronically record or transcribe a telehealth session.
- Messaging services that electronically store audio messages.
Potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI when using such technologies need to be identified, assessed, and addressed as part of a covered entity’s risk analysis and risk management processes, as required by the HIPAA Security Rule. A covered entity’s risk analysis and risk management should include considerations of whether:
- There is a risk an unauthorized third party could intercept the transmission.
- The remote communication technology (e.g., mobile device, app) supports encrypted transmissions.
- There is a risk that ePHI created or stored as a result of a telehealth session (e.g., session recordings or transcripts) could be accessed by an unauthorized third party, and whether encryption is available to secure any recordings or transcripts that are created or stored.
- Authentication is required to access the device or app where telehealth session ePHI may be stored.
- The device or app automatically terminates the session or locks after a period of inactivity.
As communication technologies (e.g., networks, devices, apps) evolve rapidly, a robust inventory and asset management process can help covered entities identify such technologies and the information systems that use them to help ensure an accurate and thorough risk analysis. See OCR’s Security Rule guidance webpage for information about implementing the HIPAA Security Rule requirements.
- Do the HIPAA Rules permit a covered health care provider or a health plan to conduct audio-only telehealth using remote communication technologies without a business associate agreement with the vendor?
Yes, in some circumstances. The HIPAA Rules require a covered entity to enter into a business associate agreement (BAA) with a telecommunication service provider (TSP) only when the vendor acts as a business associate. As explained in previous guidance, a covered entity using a telephone to communicate with patients is not required to enter into a BAA with a TSP that has only transient access to the PHI it transmits because the vendor is acting merely as a conduit for the PHI. If the TSP is not also creating, receiving, or maintaining PHI on behalf of the covered entity, and the TSP does not require access on a routine basis to the PHI it transmits in the call, no business associate relationship has been created. Therefore, a BAA is not needed.
- For example, a covered health care provider may conduct an audio-only telehealth session with a patient using a smartphone without a BAA between the covered health care provider and the TSP, where the TSP does not create, receive, or maintain any PHI from the session and is only connecting the call.
However, a covered entity must enter into a BAA with a vendor that is more than a mere conduit for PHI.
- For example, a covered health care provider may want to conduct audio-only telehealth sessions with patients using a smartphone app offered by a health care provider that stores PHI (e.g., recordings, transcripts) in the app developer’s cloud infrastructure for the provider’s later use. In this case, the app would not provide mere data transmission services but create, receive, and maintain PHI. Because it is not merely a conduit for the transmission of the PHI, the provider would need to enter into a BAA with the app developer before it can use the app with patients.
- Similarly, a covered health care provider would need a BAA with the developer of a smartphone app that the provider uses to translate oral communications into another language to provide meaningful access to individuals with limited English proficiency, because the app is creating and receiving PHI. Therefore, the developer is a business associate of the provider.
- Do the HIPAA Rules allow covered health care providers to use remote communication technologies to provide audio-only telehealth if an individual’s health plan does not provide coverage or payment for those services?
Yes. Covered health care providers may offer audio-only telehealth services using remote communication technologies consistent with the HIPAA Rules’ requirements, regardless of whether any health plan covers or pays for those services. Health plan coverage and payment policies for health care services delivered via telehealth are separate from questions about compliance with the HIPAA Rules and are not addressed in this document.
1 The questions and answers for the HIPAA telephone guidance above are taken verbatim from the HHS press release dated June 13, 2022. Footnotes supporting the OCR statements are also available on the HHS website.
Is It Time to Earn Your Telehealth Certificate?
Telehealth Compliance Requirements Are Returning
Enforcement is headed our way. Improve staff competency and compliance with evidence-based telehealth BCTP® certificate training. Three levels available. Manage risk and distinguish your services now.