HHS Issues Guidance on How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-Only Telehealth
The Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”), recently issued new regulatory guidance relating to covered entities’ HIPAA-compliant use of remote communication technologies for audio-only telehealth services.
During the Public Health Emergency due to COVID the HIPAA requirement for Telehealth were waived to streamline access to Telehealth form both patients and doctors. Once the Public Health Emergency is declared to be over those waivers will automatically expire and we are required to comply with all of the HIPAA regulations when providing Telehealh
HIPAA has two rules that we need to be concerned with when we provide Telehealth Service, the Privacy Rule and the Security Rule. The guidance addresses both rules. It is important to realize that both the Privacy Rule and the Security Rule only applies to digital communications. If the communication is over a standard phone line, then only the Privacy Rule applies.
If you have an internet-based phone system or a Voice over IP system, then both the Security and Privacy Rule apply because the communication becomes digital when using this type of phone. If you use a Cell phone, that is digital also and both the Privacy and Security Rules apply. For the vast majority of practices, we are aware of, the type of communication, even phone calls, is digital and both the Privacy and Security Rules apply.
The Privacy Rule requires that you take the following safeguards to protect patient information. This applies to all Telehealth Services
Have the conversation in a place where your will not be overheard by other individuals. So do not take the call in a public place and if you take it at the office or at home go to an area where you have privacy and will not be overheard.
When you start the phone call take appropriate steps to verify the identity of the person you are speaking with. If it is not the patient, check your records and make sure you have permission to speak with the person on the other side of the phone.
The HIPAA Security Rule requires that you ensure appropriate safeguards are in place to protect patient data when you are using a digital system.
The first step is to make sure you have a Business Associate Agreement (BAA) with any company that is providing you with the technology for the Telehealth Services if the Service stores any patient information. If the service is only “Pass Through” to get the sound of the voice or picture of the patient to you, and they do not store any patient information such as a VOIP phone call then the BAA is not as important.
You want to look at the technology and make sure the signal is encrypted from the point of your office to the point of the patient to protect the signal (patient information) from being intercepted when it is on route to you or to the patient. This should be covered in your service agreement or in the documentation provided to you by the Telehealth technology provider.
The article published by HHS has some FAQ’s that are helpful to understand the guidance I will provide them here as well as a link to the full guidance article by HHS
1. Does the HIPAA Privacy Rule permit covered health care providers and health plans to use remote communication technologies to provide audio-only telehealth services?
Yes. HIPAA covered entities can use remote communication technologies to provide telehealth services, including audio-only services, in compliance with the HIPAA Privacy Rule.
2. Do covered health care providers and health plans have to meet the requirements of the HIPAA Security Rule in order to use remote communication technologies to provide audio-only telehealth services?
Yes, in certain circumstances. The HIPAA Security Rule applies to electronic protected health information (ePHI), which is PHI transmitted by, or maintained in, electronic media
3. Do the HIPAA Rules permit a covered health care provider or a health plan to conduct audio-only telehealth using remote communication technologies without a business associate agreement in place with the vendor?
Yes, in some circumstances. The HIPAA Rules require a covered entity to enter into a business associate agreement (BAA) with a telecommunication service provider (TSP) only when the vendor is acting as a business associate. As explained in previous guidance, a covered entity using a telephone to communicate with patients is not required to enter into a BAA with a TSP that has only transient access to the PHI it transmits, because the vendor is acting merely as a conduit for the PHI. If the TSP is not also creating, receiving, or maintaining PHI on behalf of the covered entity, and the TSP does not require access on a routine basis to the PHI it transmits in the call, no business associate relationship has been created. Therefore, a BAA is not needed.
4. Do the HIPAA Rules allow covered health care providers to use remote communication technologies to provide audio-only telehealth if an individual’s health plan does not provide coverage or payment for those services?
Yes. Covered health care providers may offer audio-only telehealth services using remote communication technologies consistent with the requirements of the HIPAA Rules, regardless of whether any health plan covers or pays for those services. Health plan coverage and payment policies for health care services delivered via telehealth are separate from questions about compliance with the HIPAA Rules and are not addressed in this document
TLD Systems provides monthly security webinars. Our September webinar will be on Telehealth Security.
July 6 – Password Security
August 3 – Email Security
September 7 – Telehealth Security
To register for the FREE webinar series on Security CLICK HERE