The COVID-19 pandemic accelerated the evolution of the role of technology in medical care, giving rise to novel issues in the absence of formal governmental guidance. Responding to certain challenges brought on by the pandemic, the government provided a level of comfort to providers and patients by issuing appropriate authorizations, such as the U.S. Department of Health and Human Services’ (“HHS”) Notification of Enforcement Discretion for Telehealth Remote Communications (the “Emergency Notice”) to allow telehealth services during the pandemic.
However, given that the Emergency Notice will end at the expiration of the public health emergency, providers are beginning to consider whether telehealth services would be permitted on a robust level on a continuing basis. Fortunately for patients and providers alike, HHS recently issued guidance on telehealth services through audio-only mediums (the “Guidance”) that clarifies how covered entities can provide services through audio-only telehealth appointments provided that such services are performed in compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
Pursuant to the Guidance, covered entities can provide audio-only telehealth services subject to applying reasonable safeguards to maintain protected health information (“PHI”) in accordance with HIPAA. For instance, the Guidance discusses the following measures that covered entities must undertake to assure that audio-only telehealth services are performed in compliance with HIPAA:
- The covered entity must verify the identity of the patient (using language assistance tools, as appropriate).
- The provider should use lower voice tones and avoid the use of speaker phone capabilities when discussing PHI.
- A covered entity must undertake a risk analysis to consider potential vulnerabilities in its use of ePHI, including risk of interception by third parties, levels of encryption, storage of ePHI, and accessibility to devices that store ePHI from such telehealth services.
- With respect to the latter two issues mentioned in the preceding item (storage of ePHI and accessibility to devices that store it), covered entities must also consider the need to enter into a Business Associate Agreement (“BAA”) with the technology service vendor that may store ePHI. Specifically, although there is not a need for a BAA with a technology service vendor that merely acts as a conduit for the telehealth services, a service vendor that creates or stores ePHI requires a BAA.
Further, it is important to note that while the HIPAA Security Rule applicable to electronic PHI (“ePHI”) covers cell phone audio-only telehealth services, the HIPAA Security Rule does not apply to traditional landline audio-only telehealth services. This is of limited significance, however, as a substantial number of telehealth services are provided through means that are subject to the HIPAA Security Rule, such as Voice over Internet Protocol (or VoIP), cellular messaging services, internet and Wi-Fi, rather than over a traditional telephone. Accordingly, it is advisable for covered entities to shape their policies and procedures with an eye toward the diminishing role that the landline telephone plays in modern telehealth services.
While the Guidance may seem straightforward and “common sense” in a number of respects, covered entities should carefully consider the Guidance in providing audio-only telehealth services, as HHS has expressly urged providers to proceed with great caution in providing telehealth services given that fraudulent practices in connection with telehealth have been a focus of HHS scrutiny.