HHS Issues Guidance on Provider Use of Audio-Only Telehealth

Mary Aperance
Rivkin Radler LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Rivkin Radler LLP

On June 13, the U.S. Department of Health and Human Services (HHS) issued guidance to explain how audio-only telehealth can comply with HIPAA, while also emphasizing that this mode of telehealth services can expand healthcare access to individuals who may have limited internet and broadband capabilities.

In response to the COVID-19 pandemic in March 2020, HHS’s Office for Civil Rights (OCR) published a Notification of Enforcement Discretion for Telehealth Remote Communications which permitted providers to use any available non-public facing remote technologies to provide telehealth services, even when those technologies may not fully comply with HIPAA. Notably, OCR may begin to impose penalties for non-compliant technologies once the public health emergency (PHE) declaration expires. The PHE is currently in place through mid-July.

The new HHS guidance clarifies that while HIPAA covered entities can use remote communication technologies to provide telehealth services (including audio-only services), compliance with the HIPAA Privacy Rule requires applying reasonable safeguards to protect the privacy of protected health information (PHI) from impermissible uses or disclosures. OCR expects covered healthcare providers to provide telehealth services in a private setting; if that is not feasible, covered providers must implement safeguards like using lowered voices and not using a speakerphone in order to limit incidental disclosures of PHI. Meanwhile, the HIPAA Security Rule—which applies to electronic PHI (ePHI)—does not apply to telehealth services provided by using a traditional landline because the information transmitted is not electronic. Covered entities using telephone systems that transmit ePHI, such as Voice over Internet Protocol (VoIP), need to apply appropriate administrative, physical, and technical safeguards to ensure confidentiality, integrity, and security of the information.

Lastly, if a telecommunications service provider is not creating, receiving, or maintaining PHI on behalf of the covered entity—and is merely acting as a conduit—a business associate agreement (BAA) is not needed. Conversely, if the vendor is more than a conduit for transmission of PHI (such as a developer of a smartphone app), it is considered a business associate and a BAA should be in place.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Rivkin Radler LLP | Attorney Advertising

Written by:

Rivkin Radler LLP
Rivkin Radler LLP
Contact
more
less

Rivkin Radler LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide