Today, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued guidance on HIPAA requirements as they relate to audio-only telehealth. Importantly, for the first time, OCR provides insight into its position on the difference between landline and VoIP telecommunication services. OCR’s guidance applies now and will continue to apply after its telehealth enforcement discretion is no longer in effect.
At the beginning of the COVID-19 pandemic in March 2020, OCR announced that it would exercise enforcement discretion with respect to telehealth services provided in good faith using non-public-facing platforms. Within days of its enforcement discretion notice, OCR issued FAQs on the same subject. That enforcement discretion will last until the declared COVID-19 public health emergency (PHE) is over.
In December 2021, the President issued Executive Order 14058 (section 4(g)), which directs DHHS/OCR to develop guidance for HIPAA-regulated entities “on providing telehealth in compliance with HIPAA rules, to improve patient experience and convenience following the end of the COVID-19 public health emergency.” In the guidance, OCR explains that “[t]his guidance will help ensure that individuals can continue to benefit from audio-only telehealth by clarifying how covered entities can provide telehealth services and improving public confidence that covered entities are protecting the privacy and security of their health information.”
Below are the notable highlights from the guidance:
- The guidance has no effect on enforcement discretion, which will remain in effect until the end of the PHE.
- The HIPAA Security Rule does not apply to audio-only telehealth that a covered entity provides through a traditional landline using circuit-switched voice communication. According to OCR, such transmission is not electronic.
- The HIPAA Security Rule does apply to audio-only telehealth provided via “Voice over Internet Protocol (VoIP) and mobile technologies that use electronic media, such as the Internet, intra- and extranets, cellular, and Wi-Fi.” This includes communication apps and technologies that electronically record or transcribe a call or that store audio messages.
- HIPAA Security Rule compliance includes performing a risk analysis on all systems or applications that interact with PHI. For now, this and other HIPAA Security Rule requirements as they relate to telehealth delivery are subject to enforcement discretion. This means that lack of compliance during the PHE is not likely to lead to enforcement when the provider acts in good faith.
- The type of technology the patient uses does not drive compliance requirements.
- A business associate agreement is not required with a telecommunication service provider (TSP) when the TSP serves merely as a conduit for PHI and “has only transient access to the PHI it transmits.” For example, a call placed from a smartphone where the TSP merely connects the call, and does not record or store the call, does not require a business associate agreement with the TSP. This is DHHS/OCR’s extension of the well-known conduit exception that applies to postal carriers.
- A business associate agreement is required with a TSP when, in addition to the transmission of the call, the TSP also provides recording or storing capabilities (including voicemail services), or the TSP is an app that provides translation services.
OCR’s guidance is important for more purposes than audio-only telehealth services. It confirms that OCR will treat newer, commonly used telecommunications technologies differently from the old-school landline. It also shows that DHHS/OCR is looking beyond the PHE with respect to telehealth and HIPAA compliance. All providers should prepare for the end of enforcement discretion and ensure that all telehealth systems meet HIPAA requirements.
For more information on telehealth and HIPAA compliance, see Telehealth, Privacy and The Three Little Pigs and Telehealth, Privacy, and the Three Little Pigs: A Year and a Half Later.