The Department of Health and Human Services (“HHS”) recently announced guidelines for the application of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to audio-only telehealth encounters following the end of the declaration of the COVID-19 public health emergency (“PHE”).
As reported here at the beginning of the COVID-19 pandemic, the HHS Office of Civil Rights (“OCR”) announced that it would exercise discretion in enforcing HIPAA regulations so long as a covered entity was acting in good faith in its compliance efforts during the course of the PHE. Recommended minimum good faith efforts included use of non-public-facing audio-video technology, notifying patients of the potential privacy risks, use of encrypted technology, and provision of services through HIPAA-compliant technology vendors, using HIPAA-compliant Business Associate Agreements (“BAA”).
As a brief refresher on some of HIPAA’s key protections, HIPAA encompasses “privacy rules,” which protect against unauthorized use or disclosure of a patient’s private health information (“PHI”), as well as “security rules,” which impose administrative, physical, and technical safeguards to protect electronically stored and transmitted PHI (“ePHI”).
Now that all signs point toward the end of the formal PHE declaration (finally), HHS has provided the following go-forward guidance.
- How Does HIPAA’s Privacy Rule Apply to Audio-only Telehealth?
Covered entities must apply reasonable safeguards to protect PHI in an audio-only telehealth encounter. Factors to consider include the privacy (or lack thereof) of an office setting and confirming the patient’s identity. For example, if a provider is sharing office space or if others are present during a telehealth encounter, OCR recommends using lower voices or moving away from others. When confirming a patient’s identity, a provider should consider using both verbal and electronic options to accommodate a patient’s disability, if necessary.
- How Does HIPAA’s Security Rule Apply to Audio-only Telehealth?
For telehealth encounters over a landline phone, no information is transmitted electronically, so HIPAA’s Security Rule does not apply.
However, many covered entities use communication systems based on voice over internet protocol (VoIP), cellular, extranet, or WiFi connections. In such scenarios involving electronic transmission of ePHI, the covered entity should determine whether the following steps may be appropriate or necessary to comply with HIPAA’s Security Rule:
- Encrypted transmission to prevent unauthorized interception of information;
- User authentication for access of the device or app used to transmit information;
- Automatic termination of an app session, or locking of a device, once the telehealth encounter is complete.
- Do I Need a BAA with My Telecommunication Service Provider?
The answer depends in part on whether your vendor creates, receives or maintains the patient’s information, as opposed to simply acting as a conduit for the PHI. So long as the vendor has only transient access to the information transmitted, no BAA is needed.
On the other hand, if PHI is being transmitted via a smartphone app and stored in a cloud format, a BAA may be necessary. Similarly, if a patient’s information is translated by an app from one language to another, a BAA would likely be required.
- What If Insurance Does Not Cover Audio-Only Telehealth?
OCR explains that audio-only telehealth is consistent with HIPAA even if an insurance carrier or healthcare plan does not provide coverage for that type of treatment.
In March 2022, President Biden signed into law the Consolidated Appropriations Act, which allows federally funded reimbursement of audio-only telehealth services to continue for 151 days after the end of the pandemic, extending the Centers for Medicare and Medicaid Services’ waivers, which are currently in effect. It remains to be seen how private carriers and plans will react after the end of the PHE.
For assistance in remaining compliant and up-to-date with the rapidly changing state and federal rules on telehealth or implementing a telehealth program with your business, reach out to your Dickinson Wright healthcare law attorney.
About the Author:
Kimberly Ruppel is Co-Chair of Dickinson Wright PLLC’s Healthcare Litigation Task Force in the firm’s Troy, Michigan office. She has over 20 years’ experience as a commercial litigator who represents healthcare providers, insurers and benefit plans in matters related to healthcare litigation, licensing and regulatory disputes, governmental fraud and abuse investigations, HIPAA compliance, ERISA and insurance claims, coverage and fiduciary disputes, and class actions in state and Federal courts. She can be reached at 248-433-7291 or firstname.lastname@example.org and her firm bio can be found here.