On June 13, 2022, HHS OCR issued guidance on how covered health care providers and health plans can use remote communication technologies to provide audio-only telehealth services when conducted in a manner consistent with HIPAA requirements. This guidance also indicates OCR’s HIPAA enforcement discretion under its March 2020 Telehealth Notification will expire at the end of the Public Health Emergency (PHE).
In March 2020, OCR issued a Telehealth Notification informing the public that HHS would exercise discretion in how it applies the rules under HIPAA and that it would not impose penalties for noncompliance against covered providers in connection with the good faith provision of telehealth during the COVID-19 PHE. This flexibility in HIPAA enforcement was aimed at assisting the health care industry’s response to the PHE and quickly expanding the use of remote health care services. Under the flexibilities afforded by the Telehealth Notification, covered health care providers have been able to use any available non-public facing remote communication technologies for telehealth, even where those technologies, and the manner in which they are used, may not fully comply with the HIPAA Rules.
In the Telehealth Notification, OCR specifically stated that “covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency.” In contrast, OCR stated that “Facebook Live, Twitch, TikTok, and similar video communication applications are public facing, and should not be used in the provision of telehealth by covered health care providers.”
HHS’s most recent guidance is aimed at assisting covered entities in complying with the HIPAA rules when OCR’s Telehealth Notification is no longer in effect, which could be as early as July 15, 2022. The guidance addresses questions that HHS has received about whether, and in what circumstances, audio-only telehealth is permissible under the HIPAA rules. Under this guidance, HHS clarifies that HIPAA covered entities can use remote communication technologies to provide telehealth services including audio-only services; however, the services must be provided in private settings to the extent feasible, and the entity must verify the identity of the individual. Further, the guidance notes that while HIPAA does not apply to audio-only telehealth services provided by a traditional telephone landline, electronic communications and mobile technologies such as internet, cellular, and Wi-Fi are subject to the HIPAA rules. This could potentially expose providers to HIPAA enforcement risks when providing telehealth services through mobile devices or applications. As a result, in preparation for the conclusion of the PHE, providers should identify, assess, and address the potential risks and vulnerabilities to the confidentiality, integrity, and availability of PHI when using such technologies as part of its risk analysis and risk management process.
The HHS guidance can be found here.