Preparation for operations after the end of the public health emergency (PHE) has begun. HHS released guidance on the use of remote communication technologies for audio-only telehealth services in compliance with HIPAA. In March 2020, HHS announced it would exercise enforcement discretion for non-compliance with HIPAA in connection with the good faith provision of telehealth services using non-public-facing remote audio or video communication technologies during the PHE. This enforcement discretion will end when the PHE ends.
In this latest guidance, HHS noted that, because of barriers such as disability, finances, or language, not all patients are able to access audio-video telehealth technologies, and that audio-only telehealth helps meet the needs of these patients. Here are four key FAQs, based on the guidance, that HIPAA-covered telehealth providers and platform vendors should consider when implementing an audio-only telehealth offering:
2. Is it possible to comply with the HIPAA Security Rule when providing telehealth services over the phone or through a mobile application? Yes. Technologies covered by the HIPAA Security Rule include smartphone applications, VoIP technologies, technologies that record or transcribe telehealth sessions, and messaging services that electronically store audio messages. One aspect of complying with the HIPAA Security Rule is conducting a security risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic PHI when using these technologies. The security risk analysis should then be used to develop a risk management plan that addresses the identified risks and vulnerabilities.
3. Does a telehealth provider need a Business Associate Agreement (BAA) with the telephone company and/or mobile operator? Maybe. Telecommunications Service Providers (TSPs) are companies that provide voice and/or data transmission services, such as the telephone company, wireless carrier, and/or, in some cases, a mobile app service provider. Telehealth providers must enter into a BAA with a TSP that creates, receives, maintains or transmits PHI for or on behalf of the telehealth provider. However, telehealth providers do not need to enter into a BAA with a TSP when the TSP: (i) has only transient access to the PHI it transmits; (ii) does not create, receive or maintain PHI on behalf of the telehealth provider; and (iii) does not require routine access to the PHI transmitted during the call. TSPs that meet all of these specifications are called “conduits”. HHS has provided the following examples of scenarios where a BAA is or is not required with a TSP:
|Scenario|Is a BAA required?|
|---|---|
|The TSP only connects a call between the telehealth provider and the patient, and does not create, receive, or maintain any PHI from the session.|No|
|The telehealth provider wants to conduct audio-only telehealth sessions with patients using a smartphone application that stores PHI (e.g., recordings, transcripts) in the application developer’s cloud infrastructure for later use by the telehealth provider.|Yes, BAA required with smartphone app developer|
|The telehealth provider uses a smartphone app to translate spoken communications into another language to provide meaningful access to people with limited English proficiency.|Yes, BAA required with smartphone app developer|
Additionally, since the HIPAA Security Rule only applies to electronic PHI, it does not apply to services using a standard phone line (i.e., landline). In general, telehealth providers should be cautious when relying on TSPs that do not sign a BAA and should exercise due diligence to ensure that the TSP does not access or retain any PHI transmitted during the call.
Planning for the transition from PHE to post-PHE processes should begin now for telehealth providers. Risk and due diligence assessments of existing vendors and their compliance with privacy and security laws should take place immediately. If a vendor that accesses, views, or manages PHI refuses to sign a BAA, telehealth providers should immediately seek to terminate the relationship with that vendor and consider other vendors who will sign a BAA. Developing a HIPAA compliance strategy now, before the PHE ends, will pay dividends in the future.
Want to learn more?
For more information on telemedicine, telehealth, virtual care, remote patient monitoring, digital health, and other healthcare innovations, including the team, publications, and representative experience, visit Foley’s Telemedicine and Digital Health Industry Team.