OCR Guidance on Audio Only Telehealth

06/21/2022


The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released “Guidance on How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-Only Telehealth” in June 2022, referred to in this blog as the “guidance on HIPAA and audio only telehealth” for clarity and brevity. This guidance clarifies how covered entities can provide audio only telehealth while complying with the HIPAA Rules to protect the privacy and security of participants’ or patients’ protected health information (PHI). An example of when this would be applicable is a participant who needs a remote visit but lacks access to fast internet, adequate cellphone coverage, or appropriate equipment for videoconferencing, or who has a disability that makes videoconferencing not feasible.

During the pandemic, OCR released an Enforcement Discretion for good faith use of telehealth during the crisis. To comply with the good faith provision, covered entities must use non-public facing communication products. The Security Rule is not suspended; rather, penalties will not be imposed for HIPAA Security Rule violations that occur in good faith. Common non-public facing communication technologies can be used even if there is no Business Associate Agreement in place. A non-public facing communication product allows only the intended parties to participate in the communication, for example, by using passwords, end-to-end encryption, or log-ins. An example of a communication product that is public facing and not in good faith would be a live streaming video on social media.

The guidance is structured in a FAQ format.

Question 1: “Does the HIPAA Privacy Rule permit covered health care providers and health plans to use remote communication technologies to provide audio-only telehealth services?”

Answer summary: Covered entities may use remote communication technologies for telehealth as long as the use complies with the HIPAA Privacy Rule, which means the covered entity needs to put safeguards in place to protect PHI from unwarranted use or disclosure. Such safeguards include moving to a private location, lowering one’s voice, and similar steps to reduce the likelihood of being overheard. The guidance includes a reminder that if audio only telehealth is used because of a disability, civil rights laws that govern disabled persons’ access to communication also apply.

Question 2: “Do covered health care providers and health plans have to meet the requirements of the HIPAA Security Rule in order to use remote communication technologies to provide audio-only telehealth services?”

Answer summary: Yes, in some circumstances. The HIPAA Security Rule applies to the electronic transfer of PHI but does not apply to landline telephone use, since this is not considered electronic transmission. It does, however, apply to cellphones, including voice calls and apps, Wi-Fi, Voice over Internet Protocol (VoIP), internet, message services that store voice messages, and so on. The covered entity should perform a risk analysis as part of its risk management process to determine the level of risk to PHI and to determine the security measures in place, such as encryption, authentication, lock out period, and measures to prevent unauthorized access.

Question 3: “Do the HIPAA Rules permit a covered health care provider or a health plan to conduct audio-only telehealth using remote communication technologies without a business associate agreement in place with the vendor?”

Answer summary: Yes, in some circumstances. If the telecommunication service provider is acting as a Business Associate, then a Business Associate Agreement (BAA) is required. If the teleconference service is only temporarily accessing PHI, then no BAA is required.

Question 4: “Do the HIPAA Rules allow covered health care providers to use remote communication technologies to provide audio-only telehealth if an individual’s health plan does not provide coverage or payment for those services?”

Answer summary: Yes. HIPAA Rules are separate from health plan coverage.

The guidance on HIPAA and audio only telehealth will continue to apply once the Enforcement Discretion is no longer in effect. If audio only telehealth is anticipated for a clinical trial, the study plans, monitoring plans, and informed consent should include applicable details that explain how this would work, how PHI is protected, and which third party vendors may have access to data and for how long.

Not sure if your clinical site is a covered entity? Does your vendor need a BAA? Clinical Pathways offers an interactive eLearning course with comprehensive case scenarios: HIPAA Training for Clinical Trial Professionals

Description:

HIPAA's requirements for the use and disclosure of Protected Health Information (PHI) during the conduct of a clinical trial are not simple and depend on the situation. But a core set of principles and questions can be used to manage and facilitate the needs of all stakeholders. The regulatory authority for HIPAA, the OCR, and the FDA agree that the two sets of regulations do not conflict and work well together. HIPAA does not restrict the GCP requirements of a site. Learn the answers to these questions and more in the eLearning course.

  • Did you know that not all clinical trial sites are covered entities?

  • How do you know if a clinical research site is a covered entity?

  • If a site is, do you know what they must do to follow HIPAA requirements to safeguard PHI?

 

- The Clinical Pathways Team
