OCR Issues Guidance on Audio-Only Telehealth

As the Covid-19 public health emergency comes to an end, enforcement discretion related to the Health Insurance Portability and Accountability Act (HIPAA) compliance in the provision of telehealth is likewise set to expire. In light of this, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued guidance for appropriately utilizing audio-only telehealth communications while maintaining HIPAA compliance.

From OCR’s perspective, which is strictly related to HIPAA compliance, the continued utilization of audio-only telehealth services will be permissible when conducted following the requirements of the HIPAA Privacy, Security, and Breach Notification Rules. Importantly, OCR’s guidance does not supersede or in any way affect the determination of whether a permissible encounter has occurred using audio-only communications pursuant to state licensing regulations or payor reimbursement policies; these obligations will continue to apply to providers rendering virtual care.

OCR indicates that covered entities may continue to utilize remote technologies in compliance with HIPAA, including audio-only services, provided that those covered entities apply reasonable safeguards to protect the privacy of protected health information (PHI). For example, if audio-only telehealth cannot be provided in a private setting, the provider must implement reasonable safeguards such as lowered voices and not using speakerphone to limit PHI disclosures.

Further, OCR’s guidance indicates that, even though the Security Rule would not apply to audio-only telehealth services utilizing traditional landlines, it does apply to electronic communications utilizing cellular, Wi-Fi, and Voice over Internet Protocol (VoIP) technologies. OCR advises that covered entities’ regular risk assessments include an evaluation of:

1. risk of third-party interception of the transmission,
2. if the technology supports encrypted transmissions,
3. risk that the PHI created or stored can be accessed by a third party,
4. compartmentalization to restrict access to the stored PHI to authorized personnel, and
5. whether the device or application automatically terminates the session or locks after a period of inactivity.

Additionally, unlike the previous enforcement discretion which indicated that OCR would not impose penalties against covered entities for their failure to maintain an executed business associate agreement (BAA) with technology service providers, OCR reminds covered entities that when the enforcement discretion expires, OCR will enforce BAA requirements between covered entities and select vendors that store, transmit or access PHI. These vendors include telecommunication service providers.

As the Federation of State Medical Boards (FSMB) emphasized in its guidance issued earlier this month, one goal of telehealth is to improve the access to, and reduce inequities in, the delivery of healthcare, while acknowledging a shortcoming of audio-video telehealth due to financial resources, limited English proficiency, disability, internet access, availability of sufficient broadband, and cellular coverage in a geographic area. Audio-only telehealth, especially using technologies that do not require broadband availability, can help address the needs of some of these individuals. However, providers must ensure their compliance with not only HIPAA, but state telehealth requirements and reimbursement guidelines.

It is imperative to stay up to date on HIPAA compliance as well as legislation that may expand or restrict access to virtual care, particularly as applicable COVID-19 waivers continue to expire.

How can Frier Levitt Help?

Frier Levitt continues to stay abreast of new and proposed telehealth legislation.  Frier Levitt attorneys have advised providers, marketers, and technology companies on developing and restructuring telehealth business models to comply with applicable law while considering obstacles such as licensing, prescribing, and insurance reimbursement concerns that are unique to each arrangement. Providers and their business associates must also remain aware of their obligations as it relates to HIPAA, particularly as enforcement discretion expires. If you are seeking to Launch a Telemedicine Practice or Telehealth Startup or want to ensure your compliance in an existing model, contact us to speak to an experienced telehealth attorney who can comprehensively evaluate and recommend a compliant, sustainable model.