The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced the latest HIPAA guidelines regarding the audio-only service for all telehealth technologies. The OCR is the enforcement arm of HHS for HIPAA. Even though this announcement promotes audio-only telehealth for people who struggle with accessing audio-video calls, it is expected to impact the overall telehealth industry.
At issue is that HIPAA-compliant phones vary significantly between analog and digital voice communications. The new OCR guidance for HIPAA telephone rules applies strictly to electronic protected health information (e-PHI) transferred by digitally mediated telephones, that is, telephone service carried over the general, unprotected Internet. As most practitioners know, any digital communication containing e-PHI must comply with the HIPAA privacy rule. Most practitioners, however, may not yet have realized that a number of relatively inexpensive Internet-based telephone carriers are not HIPAA-compliant.
The concept has remained unclear, even though Voice over Internet Protocol (VoIP) was used extensively during COVID. That has now changed, with OCR issuing a complete set of guidelines for audio-only telehealth services mediated by the unprotected Internet and stressing the importance of using only HIPAA-compliant phones.
HIPAA Compliant Phones and the New Guidance
All healthcare service providers who are covered entities must comply with all HIPAA rules if they conduct audio-only services involving the transfer of e-PHI.
The new HIPAA guidance is not for telehealth providers that conduct voice-only services using standard telephone lines. The new security rules apply only to electronically transmitted information, such as that carried by HIPAA-compliant phones. But, considering the adoption of electronic media and the extensive use of electronic devices and technologies, such as Wi-Fi, extranets, cellular, and the Internet, it goes without saying that all types of audio-based telehealth services are now covered in the new guidance. Note that the covered healthcare provider won’t be responsible for the privacy of the data they share with patients through electronic media.
A few examples of the entities that use electronic media for remote communication and are required to comply with the HIPAA rules are:
- Communication apps
- Apps that record a telehealth session
- Messaging apps that store audio texts.
The new security rule has made it mandatory for all HIPAA-covered entities to identify and address all possible threats and risks. For instance, the authorities analyze whether the covered entities use encrypted transmission technology to ensure that all the information exchanged is secured. Most importantly, there is a chance the telehealth session recorded on provider devices might get leaked to a third party, or an unauthorized user can access this private information, thus leading to a cybersecurity breach. HIPAA phone compliance also suggests that the app is automatically closed after a brief period of inactivity.
It is recommended that all healthcare sectors follow these new OCR guidelines and prefer HIPAA-compliant phones to avoid hefty fines for security breaches. See Telehealth.org’s recent article Audio-Only Telehealth HIPAA Guidance Issued: Practitioner Update for more related information.