The Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”), recently issued new regulatory guidance relating to covered entities’ HIPAA-compliant use of remote communication technologies for audio-only telehealth services. This guidance is a direct response to a December 2021 Executive Order that tasked HHS with developing HIPAA guidance for telehealth services, with the stated goals of improving “patient experience and convenience” as the COVID-19 public health emergency subsides. HHS has issued this guidance in anticipation of the national public health emergency ending, at which time OCR’s Telehealth Notification loses effect.
The new HIPAA guidance affects covered entities in four key ways.
First, the HIPAA Privacy Rule allows covered health care providers and health plans to provide audio-only telehealth services via the use of remote communication technologies. This includes devices that are only equipped for voice-only calls, such as traditional landline phones. However, providers must take reasonable steps to protect the privacy of protected health information (more commonly referred to as “PHI”). For example, if providers are delivering telehealth services from their home, they are directed to take reasonable steps to prevent other people in the house from overhearing conversations with patients. Furthermore, at the onset of the clinical encounter, providers must verify the patient’s identity either orally or in writing if they are unfamiliar with the patient.
Second, while the HIPAA Security Rule does not apply to audio-only telehealth services delivered over a standard telephone line, it applies to other voice-transmitting technologies including Voice over Internet Protocol (“VoIP”), communication apps on smartphones, and technologies that record, transcribe, or store records of the voice-only clinical encounter. Consequently, covered entities must assess the potential risks and vulnerabilities of using such technologies to ensure compliance with HIPAA Security Rule Requirements. Providers must inquire about the specific telephonic technology employed in their respective practice, as many phones in offices and hospitals appear to be “landline” phones yet employ VoIP technology, especially if the phones were manufactured within the last five years. In such instances, providers may be unwittingly violating the HIPAA Security Rule, placing them at risk of investigation and/or enforcement action by the Department of Justice (“DOJ”). Risk of investigations related to privacy and cybersecurity misrepresentations and violations is particularly elevated now because of recent DOJ initiatives. In October 2021, DOJ launched the Civil Cyber-Fraud Initiative, which leverages the False Claims Act to prosecute cybersecurity violations, including related HIPAA violations. The first settlement under the Civil Cyber-Fraud Initiative occurred in March 2022—against a health care entity.
Third, covered providers or health plans may conduct audio-only telehealth via remote communication technologies in the absence of a business associate agreement (more commonly referred to as a “BAA”) with the telecommunication service provider (“TSP”). This is acceptable under HIPAA Rules only if the TSP has only transient access to the protected health information it transmits. Under the new guidance, a conventional audio-only call between providers and patients is HIPAA-compliant if the call is made on a smartphone without the use of a third-party smartphone app, translation service, or internet connection (via Wi-Fi).
Finally, covered health care providers may deliver audio-only telehealth services via remote communication technologies even if the patient’s health insurance does not provide coverage for or pay for the telehealth services. HHS has emphasized that a patient’s insurance status or health plan coverage does not affect the HIPAA-compliance status of audio-only telehealth services.
This HHS guidance has the potential to address longstanding equality concerns relating to telehealth access. Low socioeconomic status (“SES”) populations access telehealth services at lower rates then higher SES peers due to lower levels of technological literacy and decreased access to technology resources, including camera-equipped computers and internet connectivity. Consequently, while this guidance helps covered entities maintain HIPAA compliance in an increasingly virtual healthcare delivery environment, it simultaneously has the potential to increase telehealth access for especially vulnerable populations.