During the pandemic, telehealth has become an important tool to reach patients in rural communities and individuals who have limited access to devices or internet to support other means of telehealth. In March 2020, the Department of Health and Human Services (HHS) issued a Notification of Enforcement Discretion as part of the COVID-19 Public Health Emergency (PHE). The notification stated that the HHS Office for Civil Rights (OCR) would not impose penalties for noncompliance with regulatory requirements under Health Insurance Portability and Accountability Act’s (HIPAA) Privacy, Security, and Breach Rules when covered health care providers connected to patients with good faith provision using telehealth.  

As the Administration takes steps to winddown the PHE, OCR issued guidance in the form of an FAQ on how covered health care providers and health plans can continue to use remote communication technologies to provide audio-only telehealth services after the end of the PHE and remain compliant with HIPAA.

• Covered Entity
• Business Associate Definition

FAQs on Post-PHE Audio-Only Telehealth HIPAA Compliance

1.  Does the HIPAA Privacy Rule permit covered health care providers and health plans to use remote communication technologies to provide audio-only telehealth services?

Yes. HIPAA covered entities can use remote communication technologies to provide telehealth services, including audio-only services, in compliance with the HIPAA Privacy Rule, if they apply reasonable safeguards to protect the privacy of protected health information (PHI) including:

• Providing telehealth services in private settings to the extent feasible. 
• If telehealth services cannot be provided in a private setting (e.g., where a provider shares an office with a colleague or a family member), providers must use reasonable safeguards, such as using lowered voices and not using speakerphone, to limit incidental uses or disclosures of PHI.
• If the individual is not known to the provider, they must verify the identity of the individual either orally, in writing, or electronically (HIPAA Rules do not mandate a specific way to verify identity).
• Providing appropriate auxiliary aids and services where necessary for individuals with a disability for all communications including identity verification.
• Verify individual’s identity using language assistance services to provide meaningful access for individuals with limited English proficiency.

2.  Do covered health care providers and health plans have to meet the requirements of the HIPAA Security Rule in order to use remote communication technologies to provide audio-only telehealth services?

Yes, in certain circumstances. The HIPAA Security Rule applies to electronic protected health information (ePHI), which is PHI transmitted by, or maintained in, electronic media like an email. The HIPAA Security Rule does not apply to audio-only telehealth services provided by a covered provider that is using a traditional landline, because the information transmitted is not electronic.  Electronic technologies that used for remote communications that require compliance include:

• Communication applications (apps) on a smartphone or another computing device.
• Voice over Internet Protocol (VoIP) technologies.
• Technologies that electronically record or transcribe a telehealth session.
• Messaging services that electronically store audio messages.

Note: an individual receiving telehealth services may use any telephone system they choose and is not bound by the HIPAA rules and covered providers are not responsible for the privacy or security of individuals’ health information once it has been received by the individual’s phone or other device.  

Covered providers have a responsibility to identify, assess, and address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI when using such technologies and should conduct a risk analysis and risk management including the following considerations:

• Risks that the transmission could be intercepted by an unauthorized third party.
• Whether the remote communication technology (e.g., mobile device, app) supports encrypted transmissions.
• Risks that ePHI created or stored as a result of a telehealth session (e.g., session recordings or transcripts) could be accessed by an unauthorized third party, and whether encryption is available to secure recordings or transcripts of created or stored telehealth sessions.
• Whether authentication is required to access the device or app where telehealth session ePHI may be stored.
• Whether the device or app will automatically terminates the session or locks after a period of inactivity.

3.  Do the HIPAA Rules permit a covered health care provider or a health plan to conduct audio-only telehealth using remote communication technologies without a business associate agreement in place with the vendor?

Yes, in some circumstances.  A covered provider using a telephone to communicate with patients is not required to enter into a business associate agreement (BAA) with a telecommunication service provider (TSP) that has only passing access to the PHI, because the vendor is acting merely as a conduit for the PHI.  The HIPAA Rules require a covered providers to enter a BAA with a TSP only when the vendor is acting as a business associate under HIPAA definitions. If the TSP is also creating, receiving, or maintaining PHI on behalf of the covered provider, and the TSP requires access on a routine basis to the PHI it transmits in the call, a business associate relationship is created. 

• Scenario 1: A nurse conducts an audio-only telehealth session with a patient using a Verizon smartphone. Verizon does not create, receive, or maintain any PHI from the session and is only connecting the call. Therefore, a BAA is not needed.
• Scenario 2: A physical therapist conducts an audio-only telehealth sessions with a patient using a smartphone app offered by a health care provider’s electronic health record company that stores PHI (e.g., recordings, transcripts) in the app developer’s cloud infrastructure for the provider’s later use. In this case, the app is creating, receiving, and maintaining PHI and it is not merely a conduit for transmission of the PHI. The provider would need to enter a BAA with the app developer before it can use the app with patients. 
• Scenario 3: A health care provider uses a smartphone app to translate oral communications to another language for an individual with limited English proficiency. The app is creating and receiving PHI by translating the provider’s oral communication, and therefore the developer is a business associate of the provider.

4.  Do the HIPAA Rules allow covered health care providers to use remote communication technologies to provide audio-only telehealth if an individual’s health plan does not provide coverage or payment for those services?

Yes. Covered health care providers may offer audio-only telehealth services using remote communication technologies consistent with the requirements of the HIPAA Rules, regardless of whether any health plan covers or pays for those services. Health plan coverage and payment policies for health care services delivered via telehealth are separate from questions about compliance with the HIPAA Rules.  

LeadingAge continues to advocate for expanded telehealth policies to remain in place post PHE and will monitor Congressional and regulatory action in this space and keep members updated.