OCR Releases Guidance on Audio-Only Telehealth
The Office for Civil Rights (OCR) recently issued guidance on how covered entities can use audio-only telehealth services in compliance with HIPAA.
“While telehealth can significantly expand access to healthcare, certain populations may have difficulty accessing or be unable to access technologies used for audio-video telehealth because of various factors, including financial resources, limited English proficiency, disability, internet access, availability of sufficient broadband, and cell coverage in the geographic area,” HHS stated in announcing the guidance. “Audio-only telehealth, especially using technologies that do not require broadband availability, can help address the needs of some of these individuals.” [1]
The guidance serves as a clarification or reinforcement of the existing requirements, says Brad Rostolsky, JD, partner with Reed Smith in Philadelphia. In line with what is referred to as the common carrier exception, OCR clarified the Security Rule does not apply to audio-only telehealth services provided by a covered entity that is using a standard landline.
“In other words, a covered entity provider does not need to enter into a business associate agreement with the company through which a standard telephone line is provided, and the covered entity’s Security Rule risk assessment would not need to assess the security of the standard telephone line,” Rostolsky explains.
As telemedicine has become more prevalent, Rostolsky says it is understandable why OCR decided to highlight this aspect of HIPAA compliance. The guidance reaffirms the Security Rule applies to audio-only treatment that is provided through or supported by electronic communication technologies such as Voice over Internet Protocol (VoIP), and mobile technologies that use electronic media, such as the internet, intra- and extranets, cellular, and wi-fi.
“The guidance serves as a reminder of what was already permitted, but importantly re-contextualizes those rules for a post-pandemic world,” Rostolsky says.
The guidance also is a warning to covered entities, says Jody Erdfarb, JD, partner with Wiggin and Dana in Stamford, CT. By issuing the guidance, OCR is indicating it will sunset the enforcement discretion at the end of the public health emergency (PHE).
“The purpose of the guidance is to remind covered entities that when that discretion does sunset, all the regular HIPAA rules are going to be in effect for the provision of telehealth. That’s the most important piece,” Erdfarb says. “If you are a healthcare provider relying on the enforcement discretion, you need to start looking at the technologies and vendors you are using to provide telehealth and ensure you are in compliance, because you are going to need to be at the end of the public health emergency.”
The guidance reminds covered entities that when using audio-only telehealth, HIPAA requires them to verify the identity of the person they are talking to, Erdfarb notes. OCR does not specify how that must be handled, but often, the patient is asked to confirm name, date of birth, and other information as a way of confirming the identity.
“OCR also reminds covered entities that there are civil rights laws [that state] if they are communicating with a person with a disability, those communications must be just as effective as communications with others,” Erdfarb says. “If you need an auxiliary aid or an interpreter, you have to use that.”
The recent guidance is consistent with previous statements from OCR but emphasizes points that may be helpful to providers who only adopted or expanded their use of telehealth during the pandemic, says W. Reece Hirsch, JD, partner with Morgan Lewis in San Francisco.
“It also suggests we are going to receive further guidance on the use of video telehealth after the public health emergency has ended,” Hirsch says. “OCR indicated when the pandemic began that it would use its enforcement discretion to allow greater use of telehealth during the emergency, but we don’t know yet how it will view telehealth as it relates to privacy after the emergency ends.”
Hirsch says possibly the most important takeaway from the guidance is providers can use standard landline communications with only common-sense precautions rather than the more involved compliance efforts required with other technology that would constitute electronic transmissions of PHI.
OCR is assuring covered entities that audio-only telehealth services can be consistent with HIPAA regulations, says Donald DePass, JD, senior associate with Hogan Lovells in Washington, DC. Use of these technologies proliferated during the COVID-19 pandemic. In March 2020, HHS announced it would exercise its enforcement discretion and not impose penalties against HIPAA-covered providers for noncompliance with the HIPAA rules in cases of the good faith provision of certain telehealth services.
“HHS stated that this enforcement discretion would apply while the federal government’s public health emergency remained in force,” DePass says. “This allowed HIPAA-covered providers to provide care using certain audio and video technologies that may not fully comply with HIPAA regulations.”
In July, HHS stated it was extending the COVID-19 PHE through October. The enforcement discretion will end when the PHE terminates. The guidance offers FAQs based on questions the agency has received, to help clarify whether — and in what circumstances — the provision of audio-only telehealth is permissible.
“Audio-only telehealth services are here to stay. It’s anticipated that post-PHE, these services will continue to address needs of certain groups based on factors like financial resources, limited English proficiency, disability, internet access, and cell coverage,” DePass says. “In light of that, HIPAA-covered entities need to develop a compliance plan to help confirm that continued use of these services is permissible under HIPAA.”
DePass underscores these key points highlighted in the guidance:
- Covered entities must use appropriate safeguards when providing audio-only telehealth services. This includes providing these services in private settings and taking measures to avoid being overheard by unauthorized persons.
- Covered entities must verify the identity of patients receiving audio-only telehealth services. Although HIPAA provides flexibility in how such verification can occur, DePass notes HHS emphasizes methods also must be consistent with civil rights laws that provide accommodations for individuals with disabilities as well as expectations around language assistance services for individuals with limited English proficiency.
- Whether the HIPAA security regulations apply, or a business associate relationship exists with a telehealth services vendor, depends on the nature of the services. For example, the HIPAA security regulations do not apply to services provided using a traditional landline because the information transmitted is not electronic. The HIPAA security regulations apply only to electronic PHI, DePass explains.
- Audio-only telehealth services may leverage various technologies, including mobile applications, messaging services, transcription services, and VoIP technologies. HIPAA security risk analyses and corresponding risk management plans should account for the unique risks involved in using the specific services deployed, DePass advises.
- Generally, covered entities must enter into business associate agreements (BAAs) with audio-only telehealth vendors that create, receive, maintain, or transmit PHI on their behalf. There is a limited exception to this requirement for vendors whose services qualify for the HIPAA conduit exception.
“The guidance addresses the conduit exception, which provides that a BAA is not required with an audio-only telehealth vendor that is a conduit, meaning it provides transmission-only services and has only transient access to the PHI it transmits,” DePass explains. “A conduit does not create, receive, or maintain PHI on behalf of the covered entity, and does not require access on a routine basis to the PHI it transmits. The conduit exception is fairly narrow, and analysis of whether it applies is nuanced and fact-specific.”
Covered entities that believe the exception may apply must perform careful analysis, noting the capabilities of the technology involved and the configurations deployed, DePass says. Misidentifying a business associate as a conduit can lead to compliance issues and, potentially, HHS enforcement.
An important challenge highlighted by the guidance is the need to keep pace with the evolution and use of these technologies to effectively manage risk under HIPAA.
“Covered entities should devote attention toward developing strong inventory and asset management processes, which are cornerstones of effective HIPAA security programs,” DePass says. “The PHE eventually will end, and perhaps in the not-too-distant future. Covered entities that use, or are considering use of, audio-only telehealth services should start planning now to facilitate compliance when HHS’s enforcement discretion ends.”
That preparation includes auditing the use of these services, determining whether a BAA is in place with vendors where required, and confirming measures are in place to meet the entity’s HIPAA compliance obligations.
The guidance should be reassuring to both covered entities and consumers, says Susan Kimble, JD, senior corporate counsel at 98point6, a national telehealth company based in Seattle.
“HHS’s recognition that audio-only communication has a place in healthcare is spot-on. Many people struggle to access healthcare for a litany of reasons,” Kimble says. “All of these factors mean that some people in our country go without healthcare for chronic and acute conditions. This new guidance solidifies our nation’s recognition of these challenges and offers some help to folks in need.”
Any expansion in terms of access and breaking down barriers to care, particularly at the federal level, will improve overall health for many communities, Kimble says. As the cost of healthcare increases, the ability to access more frequent, basic healthcare will build healthier communities and ensure higher-cost services are available when needed.
Some discretion is needed when using audio-only telehealth, says Meran Liu, head of clinical operations at Clearing, a telehealth platform based in New York City. Providers should take care to protect patient privacy by communicating PHI in a private setting, using lowered voices, and not using speakerphone.
“They should also conduct a risk analysis when deciding to use electronic communication technologies such as cellular, VoIP, and wi-fi to transmit PHI. Additionally, a business associate agreement may be required if the provider uses a telecommunication service provider [TSP], which acts as a business associate,” Liu says. “A BAA is not necessary if the TSP has only transient access to the PHI it transmits. However, if the TSP does not offer a BAA, providers should do their due diligence to ensure that the access to PHI is truly transient and is not routinely accessed or stored.”
1. Department of Health and Human Services. HHS issues guidance on HIPAA and audio-only telehealth. June 13, 2022.