As telehealth services surged in response to the COVID-19 pandemic, unique compliance challenges developed in unexpected ways. Recognizing these challenges, the Office for Civil Rights (“OCR”) indicated that it would exercise its enforcement discretion by declining to impose penalties against covered health care providers for good faith noncompliance with the requirements of the Health Insurance Portability and Accountability Act (“HIPAA”) in connection with the provision of telehealth services. In effect, a covered health care provider seeking to use audio or video communication technology to provide telehealth services during the public health emergency could do so with greater flexibility.
As the public health emergency winds down and many of the regulatory flexibilities expire or are otherwise rolled back, it is important that providers and health plans remain vigilant about the status of these measures. In an effort to facilitate a smooth transition, OCR issued guidance (the “Guidance”) on June 13, 2022 addressing the use of audio-only technology to render telehealth services in accordance with HIPAA.
HIPAA generally governs the use, maintenance, and disclosure of protected health information (“PHI”) and specifically applies to qualifying health care providers, health plans, and clearinghouses (each a “Covered Entity”). In an effort to address the many challenges that arise in handling PHI, HIPAA comprises multiple components, the two most significant of which are the Privacy Rule and the Security Rule.
The Privacy Rule generally protects the confidentiality of health information by, among other things, establishing standards that restrict how Covered Entities may use PHI while also increasing a given patient’s right to control his or her PHI. The Security Rule creates standards for PHI that is stored or transmitted in electronic media (“ePHI”) by mandating certain administrative, physical, and technical safeguards for the protection of such ePHI.
Both the Privacy Rule and Security Rule generally apply to the rendering of telehealth services.
Covered Entities may use remote communication technology to provide telehealth services, including audio-only services, in compliance with the Privacy Rule. Generally, the Privacy Rule requires that Covered Entities implement reasonable safeguards to protect the confidentiality of PHI from impermissible uses or disclosures. By way of example, the Guidance specifies that OCR requires Covered Entities to furnish telehealth services in a private setting where possible. To the extent a private setting is not available, OCR requires Covered Entities to utilize reasonable safeguards to limit incidental disclosures of PHI, such as by using lowered voices or by avoiding the use of speakerphone technology.
In addition, the Guidance provides that if an individual is not known to a Covered Entity, the Covered Entity must verify the identity of the individual either orally or in writing. HIPAA does not mandate a specific method to complete this verification. The Guidance does, however, stress that Covered Entities must be mindful of civil rights laws that require communication with an individual with a disability to be as effective as the means used with others, including through the use of auxiliary aids and services if appropriate. The Guidance also notes that a Covered Entity may need to use language assistance services both to appropriately verify a given patient’s identity and to provide meaningful access to patients with limited English proficiency.
The Security Rule generally does not apply to audio-only telehealth services provided by a Covered Entity using a standard landline. OCR considers information conveyed via a landline not to be “electronic” for purposes of HIPAA. In contrast, the Guidance clarifies that information conveyed through Voice over Internet Protocol (VoIP) or mobile technologies that use resources such as the Internet, intranets and extranets, cellular, or WiFi services generally qualifies as “electronic” for purposes of HIPAA. In addition, the Guidance indicates that the Security Rule applies to information transmitted using certain applications on smartphones or other devices, technologies that electronically record or transcribe telehealth sessions, and services that electronically store audio messages.
The Guidance further clarifies that a Covered Entity’s annual risk analysis and day-to-day management efforts should consider:
Whether the technology being used increases the risk that a transmission could be intercepted by an unauthorized third party;
Whether the remote communication technology supports encrypted transmissions which could assist in safeguarding ePHI;
Whether there is a risk that ePHI created or stored as a result of a telehealth session could be accessed by an unauthorized third party;
Whether authentication is required to access the device or application where a telehealth session’s related ePHI is stored; and
Whether the device or application automatically terminates the session or locks after inactivity.
Such considerations must be assessed and, where possible, addressed so that a Covered Entity can better meet its obligations under HIPAA.
In many circumstances a Covered Entity must execute a business associate agreement (“BAA”) prior to disclosing PHI to a business associate, which is a party that carries out certain functions on behalf of a Covered Entity involving the use or maintenance of PHI. Each BAA outlines the parties’ responsibilities under HIPAA with respect to the PHI in question, as well as other important contractual terms.
The Guidance clarifies that under certain circumstances, a Covered Entity may conduct audio-only telehealth services using a remote communication technology supplied by a vendor without executing a BAA. Specifically, a vendor that has only transient access to the PHI it transmits and merely serves as a conduit for the PHI would not be obligated to execute a BAA. The Guidance clarifies that if a vendor is not creating, receiving, or maintaining PHI on behalf of the Covered Entity, and if the vendor does not require access to PHI on a routine basis, no business associate relationship exists. As a result, no BAA is required. It is important to keep in mind that where a vendor relationship exceeds that of a mere conduit, a BAA would likely be required.
Office for Civil Rights, Guidance: How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-Only Telehealth | HHS.gov (last accessed June 20, 2022).
45 C.F.R. Part 160 and Subparts A and E of Part 160.
45 C.F.R. Part 160 and Subparts A and C of Part 160.
About this Author
Michael Sutton focuses his practice on providing comprehensive legal services to a broad array of healthcare providers. His experience spans representation of physicians, physician-owned entities, long-term care facilities, and hospitals to create effective and innovative legal solutions to regulatory and transactional matters. In addition, Michael has litigated a variety of healthcare-related disputes in both federal and state courts and has handled an expansive range of civil litigation matters.
Michael earned his J.D. from…