The Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”), recently issued new regulatory guidance relating to covered entities’ HIPAA-compliant use of remote communication technologies for audio-only telehealth services. This guidance is a direct response to a December 2021 Executive Order that tasked HHS with developing HIPAA guidance for telehealth services, with the stated goals of improving “patient experience and convenience” as the COVID-19 public health emergency subsides. HHS has issued this guidance in anticipation of the national public health emergency ending, at which time OCR’s Telehealth Notification loses effect.

The new HIPAA guidance affects covered entities in four key ways.

First, the HIPAA Privacy Rule allows covered health care providers and health plans to provide audio-only telehealth services via the use of remote communication technologies. This includes devices that are only equipped for voice-only calls, such as traditional landline phones. However, providers must take reasonable steps to protect the privacy of protected health information (more commonly referred to as “PHI”). For example, if providers are delivering telehealth services from their home, they are directed to take reasonable steps to prevent other people in the house from overhearing conversations with patients. Furthermore, at the onset of the clinical encounter, providers must verify the patient’s identity either orally or in writing if they are unfamiliar with the patient.

Second, while the HIPAA Security Rule does not apply to audio-only telehealth services delivered over a standard telephone line, it applies to other voice-transmitting technologies including Voice over Internet Protocol (“VoIP”), communication apps on smartphones, and technologies that record, transcribe, or store records of the voice-only clinical encounter. Consequently, covered entities must assess the potential risks and vulnerabilities of using such technologies to ensure compliance with HIPAA Security Rule Requirements. Providers must inquire about the specific telephonic technology employed in their respective practice, as many phones in offices and hospitals appear to be “landline” phones yet employ VoIP technology, especially if the phones were manufactured within the last five years. In such instances, providers may be unwittingly violating the HIPAA Security Rule, placing them at risk of investigation and/or enforcement action by the Department of Justice (“DOJ”). Risk of investigations related to privacy and cybersecurity misrepresentations and violations is particularly elevated now because of recent DOJ initiatives. In October 2021, DOJ launched the Civil Cyber-Fraud Initiative, which leverages the False Claims Act to prosecute cybersecurity violations, including related HIPAA violations. The first settlement under the Civil Cyber-Fraud Initiative occurred in March 2022—against a health care entity.

Third, covered providers or health plans may conduct audio-only telehealth via remote communication technologies in the absence of a business associate agreement (more commonly referred to as a “BAA”) with the telecommunication service provider (“TSP”). This is acceptable under HIPAA Rules only if the TSP has only transient access to the protected health information it transmits. Under the new guidance, a conventional audio-only call between providers and patients is HIPAA-compliant if the call is made on a smartphone without the use of a third-party smartphone app, translation service, or internet connection (via Wi-Fi).

Finally, covered health care providers may deliver audio-only telehealth services via remote communication technologies even if the patient’s health insurance does not provide coverage for or pay for the telehealth services. HHS has emphasized that a patient’s insurance status or health plan coverage does not affect the HIPAA-compliance status of audio-only telehealth services.

This HHS guidance has the potential to address longstanding equality concerns relating to telehealth access. Low socioeconomic status (“SES”) populations access telehealth services at lower rates than higher SES peers due to lower levels of technological literacy and decreased access to technology resources, including camera-equipped computers and internet connectivity. Consequently, while this guidance helps covered entities maintain HIPAA compliance in an increasingly virtual healthcare delivery environment, it simultaneously has the potential to increase telehealth access for especially vulnerable populations.

Special thanks to summer associate, Michael J. Menconi, for his contribution to this post.

Ryan P. Blaney

Ryan Blaney represents health care, life science, and technology clients in a range of regulatory, enforcement, internal investigative and transactional matters, with particular expertise in privacy law, life sciences and digital health. He also has expertise in regulatory compliance, counseling clients on a range of matters, including health care fraud and abuse, third party reimbursement, data breach issues, data privacy and security, and FDA regulatory matters. He has substantial experience in pharmaceutical lifecycle management and competition issues, including the Hatch-Waxman Act and Biosimilars Price Competition and Innovations Act.

Ryan serves information technology companies, public and private health care companies, hospitals and physician organizations, manufacturers, medical device companies, and health plans. He guides venture capital groups, private equity funds, investment banks, and other investors on health care regulatory issues in connection with financing, mergers and acquisitions, and restructuring.

Ryan’s work is greatly informed by his experience as a teacher. Prior to attending law school, Ryan earned a master’s degree in education and taught at an under-resourced Catholic middle school. He is known for his ability to communicate clearly and to coordinate large teams working on complex matters. Outside of his health law practice, Ryan has been repeatedly recognized for his public service and pro bono work. He has successfully handled numerous education-related cases, helped establish three nonprofit organizations and defended qualified recipients of disability benefits.