Advanced Search

Health Information Compliance Alert

Case Study:

Feds Offer New Guidance on the Intersection of Telehealth and HIPAA

Published on Fri Jul 08, 2022 Print Friendly and PDF PDF

Warning: Get ready for flexibilities to end post-PHE.

The COVID-19 public health emergency (PHE) is slated to end on July 15, but experts expect it to be extended again. However, even with an extension, the PHE won’t last forever — and the HHS Office for Civil Rights (OCR) is already looking ahead on how that will impact audio-only telehealth services and HIPAA.

Details: On June 13, OCR issued fresh HIPAA-related guidance for healthcare providers and health plans on the usage of remote communication technologies to provide audio-only telehealth services after the COVID-19 PHE ends.

“Audio telehealth is an important tool to reach patients in rural communities, individuals with disabilities, and others seeking the convenience of remote options. This guidance explains how the HIPAA Rules permit health care providers and plans to offer audio telehealth while protecting the privacy and security of individuals’ health information,” said OCR Director Lisa J. Pino in a release on the notice.

Reminder: In March 2020, OCR issued a notification of enforcement discretion for healthcare providers, which allowed certain HIPAA flexibilities due to the PHE. Additionally, penalties would not be imposed for noncompliance with the regulation when covered entities (CEs) used telehealth in “good faith,” the notification indicated.

According to the notice, providers could use Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype to provide telehealth without the risk of enforcement, but they could not use public facing applications like Facebook Live, Twitch, or TikTok (see Health Information Compliance Alert, Vol. 20, No. 4).

Here’s What You Need to Know About the Update

In its new guidance, OCR aims to offer ideas on the best way to transition back after the PHE ends. The agency also provides insight on how the HIPAA Rules will apply to audio-only telehealth services.

OCR “clarifies [in the guidance] that HIPAA covered entities can use remote communication technologies to provide telehealth services including audio-only services; however, the services must be provided in private settings to the extent feasible, and the entity must verify the identity of the individual,” explains attorney Jasmine Becerra with King & Spalding LLP in online legal analysis.

OCR reminds in its guidance that the HIPAA Security Rule, which applies to electronic protected health information (ePHI), doesn’t impact audio-only telehealth offered via a traditional landline — “because the information is not transmitted electronic[ally].” However, covered healthcare providers who offer these services through the internet, intra-nets, cell, and Wi-Fi are subject to the HIPAA Rules, OCR says.

According to OCR, the reasoning is because “this could potentially expose providers to HIPAA enforcement risks when providing telehealth services through mobile devices or applications,” Becerra cautions.

Other audio-only action items in the OCR insight include:

  • HIPAA Privacy and Security Rule risks and vulnerabilities associated with telehealth
  • Business associate agreements
  • Vendor concerns
  • Plan coverage and telehealth
  • Individual health plans and clinical concerns

Resources: For a closer look at OCR’s new guidance, visit https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-audio-telehealth/index.html. Find the notification of enforcement discretion published in the Federal Register at www.govinfo.gov/content/pkg/FR-2020- 04-21/pdf/2020-08416.pdf.

Other Articles in this issue of

Health Information Compliance Alert

View All