OCR Announces Its Position on Audio-Only Telehealth Activities and HIPAA Compliance After the Public Health Emergency
On June 13, 2022, the Office for Civil Rights (OCR) published guidance (the OCR Guidance) demonstrating how covered entities can use remote communication technologies to provide audio-only telehealth services when such communications are conducted in a manner that is consistent with the applicable requirements of HIPAA.
The OCR Guidance addresses the use of audio-only telehealth services after the expiration of the COVID-19 Nationwide Public Health Emergency (PHE) and HIPAA compliance. In the OCR Guidance, OCR noted that audio-only technology is particularly useful for individuals who have limited access to the internet or to sufficient broadband, as audio-only technology may not always require broadband availability. According to the OCR, the ability to utilize audio-only telehealth services will have an impact in two notable ways: (i) ensuring that individuals can continue to benefit from audio-only telehealth by illustrating how covered entities can provide such services; and (ii) improving public confidence that their health information will be kept private and secured.
The OCR Guidance supports covered healthcare providers' continued use of audio-only telehealth services once the PHE has expired, subject to certain conditions. Specifically, the OCR Guidance provides that covered entities must still ensure the proper safeguards are in place when providing such services through telehealth, such as rendering such services in fully private settings whenever feasible. For example, if services cannot be provided in a private setting, then covered entities must enact reasonable safeguards to protect the confidentiality of protected health information (PHI), such as using lowered voices and not using speaker phones, to limit inadvertent disclosures of PHI.
Additionally, the OCR Guidance discusses how covered entities should conduct interactions with unknown individuals. Specifically, the covered entity must verify the identity of the individual either orally or in writing. While the HIPAA Rules do not require an explicit way to verify identity, covered entities should note that civil rights laws typically require that communications with a disabled individual be as effective as communications with others, including by providing appropriate aids and services as necessary.
Furthermore, the OCR Guidance explains when audio-only telehealth services require compliance with the HIPAA Security Rule. Because the Security Rule applies to electronic PHI (ePHI), which is PHI transmitted or maintained by electronic media, the Security Rule would not apply to audio-only telehealth services to the extent the covered entity is using a traditional landline. However, covered entities must comply with the Security Rule when utilizing electronic communications technologies, including Voice over Internet Protocol (VoIP), technologies that electronically record or transcribe a telehealth session, smartphone or other computing device communication applications, and mobile messaging services that electronically store audio messages. Covered entities that seek to use such technologies must ensure that they have the proper risk analysis and management processes in place.
Finally, the OCR Guidance provides that a covered entity's use of a telephone to communicate with patients may not always warrant a business associate agreement (BAA) with a telephone service provider (TSP). Under the HIPAA Rules, a covered entity is required to enter into a BAA with a TSP when the vendor is acting as a business associate. However, a covered entity may use the telephone to communicate with patients without a BAA in place when the TSP serves solely as a conduit for the PHI and does not create, receive, or maintain any of the PHI. In contrast, in the event that a covered healthcare provider conducts an audio-only telehealth session utilizing a smartphone app that stores PHI (e.g., recordings, transcripts) in its cloud infrastructure, the TSP would not serve as merely a conduit for transmission of the PHI and would require a BAA.
Notably, the OCR Guidance does not address the use of two-way video platforms after the end of the PHE. In March 2020, OCR published the Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency (the Telehealth Notification), which provided that platforms such as Apple FaceTime, Zoom, and Skype were all permissible video-chat networks for the provision of telehealth services during the PHE. (Read a previous Health Law Alert: OCR Announces It Will Not Impose Penalties for HIPAA Non-Compliance for Use of Telehealth During COVID-19 Outbreak.) Because such platforms are not typically HIPAA-compliant forums, the Telehealth Notification advised covered entities that the OCR may use its enforcement discretion and not penalize such covered providers for non-compliance with the HIPAA Rules related to the good faith provision of telehealth during the PHE. The Telehealth Notification is scheduled to expire when the PHE expires on July 15, 2022 (which is expected to be extended for an additional 90 days). The recent OCR Guidance indicates that at that time or if the Secretary of HHS declares that the PHE no longer exists (whichever is sooner), OCR will issue a notice to the public that it is no longer exercising its enforcement discretion. As a result, providers' use of video-chat platforms after the PHE must be reviewed for HIPAA compliance.
The OCR Guidance also makes clear that it is not addressing payor policies for reimbursement for audio-only telehealth services as health plan coverage and payment policies for health care services delivered via telehealth are separate from questions about compliance with the HIPAA Rules. Moreover, the OCR Guidance does not address telehealth requirements under various telehealth regulations at the state level. Therefore, it is important to review these requirements prior to rendering telehealth or telemedicine services.
Attorney Advertising © 2022 Wilentz, Goldman & Spitzer, P.A. All Rights Reserved.
Disclaimer: This Health Law Alert was created for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. Although we attempt to ensure that health law alerts are complete, accurate, and current as of the time of publication, we assume no responsibility for their completeness, accuracy, or timeliness. The information herein is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel.