August 19, 2022

Volume XII, Number 231

Advertisement
Advertisement

August 18, 2022

Subscribe to Latest Legal News and Analysis

August 17, 2022

Subscribe to Latest Legal News and Analysis

August 16, 2022

Subscribe to Latest Legal News and Analysis
Advertisement

HHS Issues HIPAA Guidance to Support Audio-Only Telehealth Services

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently issued new guidance (Guidance) on the use of remote communication technologies to deliver audio-only telehealth in accordance with HIPAA. Per OCR, the Guidance is intended to ensure continued access for patients to audio-only telehealth in a secure and compliant manner, particularly once OCR’s notification of enforcement discretion (previously discussed here) tied to the COVID-19 pandemic is rescinded (i.e., once the HHS-declared COVID-19 public health emergency is ended).

The Guidance is presented via a series of FAQs with responses from OCR, and notes the important role audio-only telehealth can serve for patients experiencing barriers to in-person care and to video-enabled technologies necessary to access face-to-face telehealth services. First, OCR affirms that HIPAA allows providers (and health plans) to utilize remote communications technologies to deliver audio-only telehealth, and reminds providers that they are expected to deliver “telehealth services in private settings to the extent feasible.” OCR also indicates that covered entities are obligated to verify the identities of individuals not otherwise known to the entities, either orally or in writing.

Interestingly, in the Guidance OCR states that HIPAA’s security rule does not apply to audio-only telehealth via a ‘landline’ telephone because the information transmitted is not electronic, but it does apply to electronic communication technologies (e.g., those which utilize internet, cellular, and WiFi technologies), and therefore HIPAA security rule safeguards must be utilized for such technologies. OCR also reminds covered entities that a business associate agreement may be required with a communications vendor if, under the arrangement, the vendor is more than a mere conduit of PHI between the entity and the patient. Finally, OCR also confirms that HIPAA permits a provider to utilize remote communication technologies to deliver telehealth services even if the services are not covered or reimbursed by the patient’s health plan.

As providers and regulators prepare to transition out of the COVID-19 public health emergency, this Guidance provides a helpful reminder of HIPAA obligations related to audio-only telehealth, and a confirmation that providers can deliver patient audio-only services to patients in a compliant manner. We expect additional guidance to be forthcoming related to HIPAA and other practice matters significantly affected by COVID-19, and will share thoughts on such guidance as it is released.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.National Law Review, Volume XII, Number 179
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Conor Duffy Cybersecurity Attorney
Associate

Conor Duffy is a member of the firm's Health Law Group and its Data Privacy + Cybersecurity Team. He advises hospitals, physician groups, community providers, and other health care entities on general corporate matters and health law issues. He also counsels clients on what measures are needed to safeguard data and patient information.

Regulatory

Conor provides legal counsel to health care clients on various regulatory matters, such as Medicare and Medicaid program compliance, federal fraud and abuse laws, and the Emergency Medical Treatment & Labor Act...

860.275.8342
Advertisement
Advertisement
Advertisement