
OCR Issues HIPAA Guidance on Audio-Only Telehealth and Seeks Questions on “Recognized Security Practices”


· 5 minute read



Guidance on How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-Only Telehealth (June 13, 2022)

Available at

HHS’s Office for Civil Rights (OCR) has issued guidance to help health care providers and health plans understand how they can use remote communication technologies to deliver audio-only telehealth services in compliance with the HIPAA privacy and security rules. The guidance focuses on audio-only telehealth services because these services can expand access to health care for populations with limited financial resources, English-language proficiency, internet access, or cell coverage. However, the guidance generally applies to all telehealth services. This guidance will continue after the expiration of OCR’s existing enforcement discretion on providing telehealth services, which was announced near the beginning of the COVID-19 pandemic (see our Checkpoint article). Under that enforcement discretion, which applies only to health care providers, OCR will not impose certain HIPAA penalties against health care providers using telehealth communications in good faith during the COVID-19 public health emergency.

This guidance emphasizes that the HIPAA privacy rule permits health care providers and health plans to use remote communication technologies to provide audio-only telehealth services, so long as reasonable safeguards are adopted to protect the privacy of protected health information (PHI). For example, providers and plans must verify an individual’s identity before disclosing PHI, using auxiliary aids and services to accommodate individuals with disabilities or limited English proficiency. Providers and plans must also be cognizant of security rule requirements, particularly when using communication apps on smartphones, Voice over Internet Protocol technologies, electronic recording or transcription services, or message-storage services. A complete and current inventory of technologies and information systems can help providers and plans conduct the accurate and thorough risk analysis mandated by the security rule. The guidance reiterates, however, that traditional telephone landlines are not subject to the security rule because they do not transmit PHI electronically. Similarly, individuals receiving telehealth services may use any telephone system they choose, and providers and plans are not responsible for the privacy or security of health information once the individual has received it. As explained in previous guidance (see our Checkpoint article), providers and plans must consider whether a telecommunications service provider (TSP) acts as a HIPAA business associate—a determination that hinges on whether the TSP has more than transient access to PHI and is not a mere conduit for PHI. The guidance concludes by noting that it is limited to HIPAA compliance and does not address health plan coverage and payment for telehealth services.

Separately, through its privacy rule listserv, OCR has requested that questions about “recognized security practices” be submitted by email to by June 17, 2022, for an upcoming video presentation. A recent amendment to the HITECH Act requires OCR to take recognized security practices into consideration in certain security rule enforcement and audit activities. Topics covered in the video will include how covered entities can demonstrate that recognized security practices are in place, how OCR requests evidence of recognized security practices, information resources, and OCR’s request for information in anticipation of future guidance (see our Checkpoint article).

EBIA Comment: The COVID-19 pandemic has intensified interest in telehealth services among health care providers and health plans. Telehealth raises numerous legal issues, and OCR’s proactive approach to HIPAA guidance has provided welcome clarity to providers and plans. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Section XXIII.O (“HIPAA Privacy and Security Issues for Health Plans Incorporating Telemedicine”). See also EBIA’s Self-Insured Health Plans manual at Section XI.E.5 (“Trends in Self-Insured Health Plan Design: Telemedicine”) and EBIA’s Consumer-Driven Health Care manual at Section IV.G.6 (“Other Cost-Cutting Measures: Telemedicine”).

Contributing Editors: EBIA Staff.
