On June 13, 2022, the U.S. Division of Well being and Human Companies, Workplace for Civil Rights (“OCR”), issued steering on how lined entities and enterprise associates can use distant communication applied sciences for audio-only telehealth in a HIPAA-compliant method following the top of the nationwide COVID-19 public well being emergency (“PHE”). OCR had beforehand issued steering in 2020 informing the general public that it could not impose penalties in opposition to well being care suppliers for noncompliance with the HIPAA guidelines in reference to the great religion provision of telehealth companies through the COVID-19 PHE. The brand new steering is issued to assist the continuation of expanded entry to care by way of audio-only telehealth companies.
The brand new steering consists of responses to 4 incessantly requested questions (“FAQs”) concerning compliance with the HIPAA privateness and safety guidelines in reference to audio-only telehealth companies. These FAQs cowl the next subjects:
- Whether or not the HIPAA Privateness Rule permits well being care suppliers and well being plans to make use of distant communication applied sciences to supply audio-only telehealth companies?
- The OCR clarified that such follow is permissible supplied that affordable safeguards for shielding the privateness of protected well being info (“PHI”) from impermissible makes use of or disclosures are utilized when offering telehealth companies. Examples of such safeguards embody the availability of telehealth companies in non-public settings, not utilizing speakerphone and utilizing lowered voices to restrict incidental makes use of or disclosures of PHI. As well as, verification of the affected person’s id is required, which can be carried out both orally or in writing (together with utilizing digital strategies).
- Whether or not well being care suppliers and well being plans have to satisfy HIPAA Safety Rule necessities to make use of distant communication applied sciences to supply audio-only telehealth companies?
- The OCR clarified that the HIPAA Safety Rule doesn’t apply to audio-only telehealth companies supplied utilizing a phone landline as a result of the knowledge transmitted isn’t digital. Nonetheless, the HIPAA Safety Rule does apply to the usage of digital communication applied sciences, corresponding to communication apps on a smartphone or different computing gadget, Voice over Web Protocol (VoIP) applied sciences, applied sciences that electronically document or transcribe a telehealth session, and messaging companies that electronically retailer audio messages. Thus, lined entities want to handle safety dangers and vulnerabilities to digital PHI when utilizing these applied sciences as a part of the danger evaluation and danger administration processes.
- Whether or not a well being care supplier or a well being plan might conduct audio-only telehealth utilizing distant communication applied sciences with out a enterprise affiliate settlement (“BAA”) with the seller?
- According to its prior place on the problem, the OCR said that HIPAA doesn’t require a BAA between a supplier and vendor the place the seller solely has transient entry to PHI it transmits throughout a name as a result of the seller is merely performing as a conduit for the PHI and isn’t creating, receiving, or sustaining PHI on behalf of the supplier. For example, a BAA isn’t required the place a supplier conducts an audio-only telehealth session with a affected person utilizing a smartphone and the seller’s sole function is connecting the decision. Nonetheless, a supplier must enter right into a BAA with a vendor that’s greater than a mere conduit for PHI. For instance, a BAA is required the place the seller’s smartphone app shops PHI (e.g., recordings, transcripts) or interprets oral communications to a different language (and subsequently creates and receives PHI) to supply significant entry to people with restricted English proficiency.
- Whether or not well being care suppliers might use distant communication applied sciences to supply audio-only telehealth if a person’s well being plan doesn’t present protection for these companies?
- OCR famous that suppliers might provide audio-only telehealth companies utilizing distant communication applied sciences in keeping with the necessities of the HIPAA Guidelines, no matter whether or not any well being plan covers or pays for these service.
OCR’s new HIPAA steering on utilizing distant communication applied sciences for audio-only telehealth might be discovered right here.
Milada Goturi and Kevin Kifer are members of Thompson Coburn’s well being care follow.
