HHS issued new guidance June 13 regarding how HIPAA-covered healthcare providers and health plans can comply with privacy, security and breach notification requirements when using remote communication technologies to provide audio-only telehealth services, including after the COVID-19 public health emergency.
In April 2020, the HHS Office of Civil Rights issued a notification of enforcement discretion for telehealth amid the COVID-19 public health crisis. The notification stated that the OCR would not impose penalties for HIPAA noncompliance on covered healthcare providers and that it would not penalize covered entities for using non-public-facing remote products to communicate with patients, even when the technology and its use do not fully comply with HIPAA rules.
But the OCR's enforcement discretion remains in effect only until HHS declares the public health emergency over.
Four things to know:
- The HIPAA Security Rule does not apply to audio-only telehealth services provided using a standard telephone line because the information transmitted is not electronic.
- The security rule applies when a covered entity uses electronic communication technologies, such as Voice over Internet Protocol or mobile devices that use electronic media, like the internet, intra- and extranets, cellular, and Wi-Fi networks.
- A covered entity communicating with patients via the telephone is not required to enter into a business associate agreement with a telecommunication service provider.
- A business associate agreement is required if the service provider has a hand in creating, receiving or maintaining the information on behalf of the covered entity.