The U.S. Department of Health and Human Services has issued guidance on HIPAA and Telehealth to help healthcare organizations ensure compliance when the COVID-19 Public Health Emergency (PHE) comes to an end.
The Health Insurance Portability and Accountability Act (HIPAA) does not prevent healthcare organizations from providing telehealth services, although it does place certain restrictions on the technologies that can be used, and the HIPAA Security Rule applies to electronic protected health information (ePHI) created, received, maintained, or transmitted when providing telehealth services.
In March 2020, the HHS’ Office for Civil Rights (OCR) issued a Telehealth Notification announcing that it would exercise enforcement discretion and would not impose financial penalties for HIPAA violations related to the good faith provision of telehealth services for the duration of the COVID-19 PHE. However, once the Secretary of the HHS declares that the PHE has terminated, or the PHE expires (whichever is sooner), HIPAA violations related to telehealth will again be subject to enforcement action, even where the HIPAA Rules were violated while providing telehealth services in good faith.
Ahead of the end of the PHE, OCR has clarified how the HIPAA Rules apply to audio-only telehealth and the circumstances under which the HIPAA Security Rule applies. “Audio telehealth is an important tool to reach patients in rural communities, individuals with disabilities, and others seeking the convenience of remote options. This guidance explains how the HIPAA Rules permit health care providers and plans to offer audio telehealth while protecting the privacy and security of individuals’ health information,” said OCR Director Lisa J. Pino.
OCR explained that HIPAA permits healthcare organizations to provide telehealth services, and that remote communication technologies can be used in a manner compliant with the HIPAA Privacy Rule. HIPAA-regulated entities must apply reasonable safeguards to protect protected health information (PHI) from impermissible uses or disclosures. That means, as far as possible, services should be provided in a private setting, using lowered voices and not using speakerphones, to limit the potential for incidental uses and disclosures of PHI.
The HIPAA Security Rule applies only in certain circumstances. It does not apply when a covered entity provides telehealth services over a standard telephone line – a landline – but it does apply when electronic communication technologies are used, such as Voice over Internet Protocol (VoIP) and mobile technologies that rely on electronic media such as the Internet, intranets and extranets, cellular networks, and Wi-Fi.
In those cases, safeguards must be implemented to protect ePHI, and risks and vulnerabilities to ePHI must be identified, assessed, and addressed as part of the covered entity’s risk analysis and risk management processes. A robust inventory and asset management process helps to ensure that every telehealth technology, and every information system that uses it, is included in the risk analysis rather than overlooked.
OCR also explained when business associate agreements (BAAs) are required. HIPAA-regulated entities do not need to obtain a signed BAA from a telecommunication service provider that only has transient access to the PHI it transmits, because the vendor is acting merely as a conduit for the PHI. A BAA is required if the vendor creates, receives, or maintains ePHI on the regulated entity’s behalf, or otherwise does more than simply transmit it.
“A covered health care provider may want to conduct audio-only telehealth sessions with patients using a smartphone app offered by a health care provider that stores PHI (e.g., recordings, transcripts) in the app developer’s cloud infrastructure for the provider’s later use,” explained OCR. “In this case, the app would not be providing mere data transmission services and would instead also be creating, receiving, and maintaining PHI.” A BAA would also be required with the developers of smartphone apps that either create or receive ePHI.