The Department of Health and Human Services’ Office for Civil Rights has issued new guidance to healthcare providers on the use of audio-only telehealth technologies. Because of the nature of the COVID-19 pandemic, in-person clinical visits were reduced to only those that were absolutely necessary in order to prevent the spread of COVID-19.
As a result, telehealth technologies were widely used to provide medical treatment. Telehealth offers a multitude of benefits, particularly during the COVID-19 pandemic. Telehealth technology can be used to decrease strain on the healthcare system, reduce rural barriers to care, aid patients with limited mobility, expedite timely care, and reduce costs of care.
In order to promote the adoption of telehealth technology during the pandemic, the government introduced several telehealth flexibilities within the COVID-19 Public Health Emergency (PHE). This came in the form of the Telehealth Notification, which was introduced in March 2020. Under the Telehealth Notification, the Office for Civil Rights will not impose penalties on Covered Entities for noncompliance with the HIPAA Rules if the violation was made in good faith while using audio or video telehealth technologies during the public health emergency. The OCR allowed covered entities to use telehealth applications and platforms that would not previously have been recognized as compliant with HIPAA law. Covered entities were also not required to enter into a Business Associate Agreement (BAA) with these service providers.
However, the Telehealth Notification is only applicable while the public health emergency is in effect. The new guidelines were issued by the OCR to address when and under what circumstances audio-only telehealth is permitted under HIPAA law. The Department of Health and Human Services has confirmed that the Privacy Rule allows HIPAA-regulated entities to use audio-only telehealth technologies to provide telehealth services. However, these entities must continue to implement suitable safeguards to ensure the protection of their information, for example, by providing telehealth services in a confidential setting. If the telehealth provider is unable to provide care within a confidential setting, safeguards such as lowering voices and prohibiting speakerphone must be implemented.
Covered entities must meet the requirements of the HIPAA Security Rule in order to use telehealth technologies to administer audio-only telehealth services. This only applies to circumstances where covered entities use telephone systems which transmit electronic Protected Health Information. Organizations must implement the necessary safeguards to protect the integrity of their electronic information. However, in instances where entities are using a standard telephone line to administer telehealth services, the Security Rule is not applicable.
The new guidance states that HIPAA-regulated entities are required to obtain a BAA with a telecommunication service provider before conducting an audio-only teleservice if the provider encounters the sensitive patient information that the Covered Entity manages. In the instance where a telecommunication service provider is not creating, obtaining, or managing the entity’s patient information on behalf of the Covered Entity, a BAA is not required.
It is important that healthcare organizations regulated by HIPAA law understand what is required for compliance in order to avoid penalties for HIPAA violations. The OCR does not regard negligence as an adequate justification for noncompliance with HIPAA.