OCR Issues Remote Communication Technologies HIPAA Guidance for Audio-Only Telehealth Services

Susan Freed
Dentons
Contact
LinkedIn
Facebook
X
Send
Embed

Dentons

The use of telehealth and remote communication technologies has skyrocketed since the start of the COVID-19 pandemic. At the beginning of the pandemic, the Office of Civil Rights for Health and Human Services (“OCR”) notified health care providers during the public health emergency it would not penalize them for good faith use of remote communication technologies that do not strictly comply with the HIPAA privacy and security regulations.

As the end of the public health emergency declaration approaches, OCR has issued new guidance on how providers can continue to use remote communication technologies for audio-only telehealth services in compliance with HIPAA after its enforcement discretion notice expires.

Remote communication technologies

According to the new guidance, the HIPAA security regulations will apply when the provider uses remote communication technologies that use electronic media, such as smartphone applications, VoIP technologies, technologies that electronically record or transcribe a telehealth session, and messaging services that electronically store audio messages.

New guidance

The HIPAA security regulation requires the provider to conduct a risk assessment to identify, assess, and address the potential risks and vulnerabilities to the confidentiality, integrity, and availability of patient health information when using the technologies. The new guidance outlines the types of risks providers should address.

In addition, the guidance makes clear that providers are not required to enter into business associate agreements with telecommunication service providers who have only transient access to the patient’s health information because the vendor is acting only as a conduit. However, if the vendor is storing or creating patient health information on behalf of the provider, a business associate agreement is required.

Bottom line

As communication technologies continue to evolve, providers should ensure they have processes in place to update their HIPAA risk assessments to address new products and service offerings. Additionally, as the end of the public health emergency approaches, providers should review their telehealth and remote communication offerings and their relationships with the vendors who support these services to ensure they comply with HIPAA.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dentons | Attorney Advertising

Written by:

Dentons
Dentons
Contact
more
less

Dentons on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide