HIPAA and Telehealth: FAQs from HHS Guidance on Audio-Only Telehealth | Blogs | Health law today


Preparation for operations after the end of the public health emergency (PHE) has begun. HHS has released guidance on the use of remote communication technologies for audio-only telehealth services in accordance with HIPAA. In March 2020, HHS announced that it would exercise enforcement discretion and not impose penalties for noncompliance with HIPAA in connection with the good faith provision of telehealth services using non-public facing remote audio or video communication technologies during the PHE. That enforcement discretion will end when the PHE ends.

In this latest guidance, HHS noted that because of barriers such as disability, finances, or language, not all patients are able to use audio-video telehealth technologies, and that audio-only telehealth helps meet the needs of these patients. Here are four key FAQs based on the guidance that HIPAA-covered telehealth providers and platform vendors should consider when implementing an audio-only telehealth offering:

1. Can audio-only telehealth services be provided under the HIPAA Privacy Rule when the PHE ends? Yes. To comply with the HIPAA Privacy Rule, telehealth providers should implement reasonable safeguards to protect the confidentiality of protected health information (PHI), such as communicating in a private setting or, when a private setting is not possible, using a lower voice and not using a speakerphone. Telehealth providers must also verify the identity of any patient not already known to the telehealth provider.

2. Is it possible to comply with the HIPAA Security Rule when providing telehealth services over the phone or through a mobile application? Yes. Technologies covered by the HIPAA Security Rule include smartphone applications, VoIP technologies, technologies that record or transcribe telehealth sessions, and messaging services that electronically store audio messages. One aspect of complying with the HIPAA Security Rule is conducting a security risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI (ePHI) when using these technologies. The security risk analysis should then be used to develop a risk management plan that addresses the identified risks and vulnerabilities.

3. Does a telehealth provider need a Business Associate Agreement (BAA) with the telephone company and/or mobile carrier? Maybe. Telecommunications Service Providers (TSPs) are companies that provide voice and/or data transmission services, such as the telephone company, the wireless carrier, and, in some cases, mobile applications. Telehealth providers must enter into a BAA with a TSP that creates, receives, maintains, or transmits PHI for or on behalf of the telehealth provider. However, telehealth providers do not need to enter into a BAA with a TSP when the TSP: (i) has only transient access to the PHI it transmits; (ii) does not create, receive, or maintain PHI on behalf of the telehealth provider; and (iii) does not require routine access to the PHI transmitted during the call. TSPs that meet all of these conditions are called "conduits". HHS has provided the following examples of scenarios in which a BAA is or is not required with a TSP:

Scenario | BAA required?
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
The TSP only connects a call between the telehealth provider and the patient, and does not create, receive, or maintain any PHI from the session. | No
The telehealth provider wants to conduct audio-only telehealth sessions with patients using a smartphone application that stores PHI (e.g., recordings, transcripts) in the application developer's cloud infrastructure for later use by the telehealth provider. | Yes, a BAA is required with the smartphone app developer
The telehealth provider uses a smartphone app to translate spoken communications into another language to provide meaningful access to persons with limited English proficiency. | Yes, a BAA is required with the smartphone app developer

Additionally, because the HIPAA Security Rule applies only to ePHI, it does not apply to services using a standard telephone line (i.e., a landline). In general, telehealth providers should be cautious when relying on TSPs that do not sign a BAA and should exercise due diligence to confirm that the TSP neither accesses nor retains any PHI transmitted during the call.

4. Does a telehealth provider need to ensure that its patients are HIPAA compliant? HHS notes that patients may use any phone system they choose and that telehealth providers are not responsible for the privacy or security of patient information once it has been received by the patient's phone or other device. However, telehealth providers should note that if they provide a mobile application to the patient, whether to access telehealth services or to store health information, the mobile application must comply with the HIPAA Privacy and Security Rules.

Planning and transitioning from PHE to post-PHE processes should begin now for telehealth providers. Risk assessments and due diligence reviews of existing vendors and their compliance with privacy and security laws should take place immediately. If a vendor that accesses, views, or maintains PHI refuses to sign a BAA, telehealth providers should promptly seek to terminate the relationship with that vendor and consider other vendors who will sign a BAA. Developing a HIPAA compliance strategy now, before the PHE ends, will pay dividends in the future.

Want to know more?

For more information on telemedicine, telehealth, virtual care, remote patient monitoring, digital health, and other healthcare innovations, including the team, publications, and representative experience, visit Foley's Telemedicine and Digital Health Industry Team.

