HHS Releases Guidance on Remote Communication Technologies

Posted on July 11, 2022 in Health Law News

Published by: Hall Render

The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights released guidance detailing how health care providers subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) can use remote communication technologies to provide audio-only telehealth services when such communications are conducted in a manner that is consistent with the HIPAA Privacy, Security, and Breach Notification Rules. Per HHS, the purpose of this guidance is to clarify how covered entities can provide telehealth services and improve public confidence that telehealth services are being provided in a manner that protects the privacy and security of protected health information (“PHI”).

HHS also noted that audio-only telehealth, especially technologies that do not require broadband availability, can help address the needs of individuals who do not have access to technologies used for audio-video telehealth because of various factors, including financial resources, limited English proficiency (“LEP”), disability, internet access, and availability of sufficient broadband and cell coverage in the geographic area.

A summary of the guidance follows.

Covered Entities May Use Remote Communication Technologies to Provide Audio-Only Telehealth Services

Reasonable Safeguards

The HIPAA Privacy Rule requires covered entities to apply reasonable safeguards to protect the privacy of PHI from impermissible uses or disclosures, including when providing telehealth services. HHS expects health care providers will provide telehealth services in private settings to the extent feasible, or, if that is not possible, covered entities must implement reasonable safeguards, such as using lowered voices and not using speakerphone, to limit incidental uses or disclosures of PHI.

Identity Verification

The covered entity must verify the identity of the individual in accordance with its HIPAA policies and procedures prior to providing audio-only telehealth services. Covered entities must be mindful of civil rights laws that are potentially applicable to identity verification communications and ensure the communications are effective. This might include providing appropriate auxiliary aids and services or language assistance services for individuals with disabilities or those with LEP.

Covered Entities Must Meet the Requirements of the HIPAA Security Rule to Use Remote Communication Technologies to Provide Audio-Only Telehealth Services in Certain Circumstances

Traditional Landlines Versus New Technologies

A covered entity does not need to comply with the HIPAA Security Rule for audio-only telehealth services provided using traditional landlines, regardless of the technology used by the individual receiving the communication. This is because any information transmitted over a landline is not “electronic” and therefore no electronic PHI (“ePHI”) is transmitted. Covered entities may conduct audio-only telehealth services using electronic communication technologies such as Voice over Internet Protocol (“VoIP”) and mobile technologies that use electronic media, such as the Internet, intra- and extranets or cellular and Wi-Fi. The use of such technologies means that electronic transmission of ePHI is taking place, and thus the HIPAA Security Rule will apply to such transmissions. Examples of such technologies include:

  • Communication applications (apps) on a smartphone or another computing device
  • VoIP technologies
  • Technologies that electronically record or transcribe a telehealth session
  • Messaging services that electronically store audio messages

Address Security Risks of Technology Used to Conduct Telehealth Visits

The covered entity’s risk analysis required by the HIPAA Security Rule must cover the use of these technologies. Key considerations noted by HHS include:

  • The risk that a transmission could be intercepted or that ePHI created or stored from the telehealth session could be accessed by an unauthorized third party;
  • Whether the transmissions and any recordings or transcripts of telehealth sessions can be encrypted;
  • Whether authentication is required to access the device or app where any ePHI is stored;
  • Whether the device or app used to make the telehealth communication ends the session or locks if there has been a period of inactivity; and
  • The importance of a robust inventory and asset management process to ensure that the risk analysis conducted by the covered entity is effective in identifying all risks as technology continues to evolve.

Finally, HHS emphasized that the methods used independently by the individual receiving the communication are not subject to or bound by HIPAA.

In Some Circumstances, a Covered Entity May Conduct Audio-Only Telehealth Using Remote Communication Technologies Without a BAA in Place

A business associate agreement (“BAA”) with a telecommunication service provider (“TSP”) is only required when the TSP vendor is acting as a business associate of the covered entity.

HHS has detailed in previous guidance that a TSP that has only transient access to the PHI it transmits is acting merely as a conduit for the PHI. Such a TSP is not creating, receiving or maintaining PHI for or on behalf of the covered entity and does not require access on a routine basis to the PHI it transmits on the call, and is thus not considered a business associate of the covered entity.

Conduit Only, No BAA Required

A covered entity may use a smartphone to call a patient and conduct an audio-only telehealth session without entering into a BAA between the TSP and the covered entity as long as the TSP does not create, receive or maintain any PHI from the session and is only connecting the call.

More Than a Conduit, BAA Required

If the covered entity is conducting a telehealth session with a patient using the covered entity’s smartphone app, where the app stores PHI in the app developer’s cloud infrastructure for the provider’s later use, this is more than mere “conduit” activity. By storing and maintaining ePHI, such an app is providing more than just data transmission services and is not “just” a conduit. In such a situation, a BAA between the app developer and the covered entity is required.

A BAA would be required with a developer of a smartphone app used by the covered entity to translate oral communications to another language, such as may be required to provide meaningful access to individuals with LEP. This is because the developer of such a smartphone app would be considered a business associate of the covered entity because the app creates and receives PHI for the covered entity.

Covered Entities May Use Remote Communication Technologies to Provide Audio‑Only Telehealth Even if an Individual’s Health Plan Does Not Provide Coverage or Payment for Those Services

Under HIPAA, covered entities are permitted to offer audio-only telehealth services using remote communication technologies whether or not such services are covered or paid for by any health plan. Payment or coverage of such services are separate issues that must be reviewed and analyzed by the covered entity as appropriate. It is possible that a health plan could contractually obligate a covered entity or business associate to take certain specific security measures that are not required by HIPAA.

Practical Takeaways

In light of the above guidance, covered entities and their business associates should consider the following:

  • Determine whether a BAA with a communications vendor is required based on the nature of services the vendor is performing and how the services are performed. Ask questions about how the services are delivered if newer technologies are used.
  • Ensure that telehealth services are performed with reasonable safeguards in place.
  • Incorporate new technologies into your organization’s risk analysis and assessment plan.

Special thanks to Undergraduate Intern, Arrianna Martinez, for her assistance with this article.

Hall Render blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot give legal advice outside of an attorney-client relationship.