Jun 14, 2022

New Guidance Addresses HIPAA and Audio-Only Telehealth

By Deborah A. Cmielewski, Esq. 

On June 13, 2022, the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) released guidance concerning the use of remote communications to provide audio-only telehealth services by health care providers and health plans (the “Guidance”). The Guidance addresses numerous inquiries regarding the permissibility of audio-only services under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and directly responds to the Executive Order on Transforming Federal Customer Experience and Service Delivery to Rebuild Trust in Government (E.O. 14058). 

The Guidance notes that in March of 2020, as a result of the COVID-19 pandemic and resultant public health emergency, OCR issued a Telehealth Notification expanding the use of remote health care services (the “Notification”). The Notification provided that, pursuant to its enforcement discretion, the OCR would not impose penalties on covered health care providers for failing to comply with HIPAA, if they engaged in the good faith rendering of telehealth services using non-public facing audio or video remote communications during the public health emergency (“PHE”). The Notification remains in effect until the earlier of a declaration by the Secretary of HHS that the PHE is over or the expiration date of the PHE. The Guidance includes critical FAQs intended to assist covered entities in delivering compliant services once the Notification is no longer in effect.

Citing challenges such as scarce financial resources, limited English proficiency, difficulties with internet access and insufficient broadband, the Guidance recognizes that certain populations may be unable to access telehealth through video remote communications. In particular, patients with disabilities and those who reside in rural areas may face unique technical challenges. HHS is hopeful that the audio-only option will assist these individuals in accessing telehealth services, and further, that the requirement for HIPAA compliance will increase public confidence in telehealth generally.  

The Guidance addresses the following issues:

  • The HIPAA Privacy Rule allows covered health care providers and health plans to use remote communication technologies to render audio-only telehealth services, so long as they apply safeguards and adhere to particular standards;

  • In certain circumstances, covered health care providers and health plans must meet the HIPAA Security Rule requirements to use remote communication technologies to provide audio-only telehealth services;

  • HIPAA permits covered health care providers and health plans to conduct audio-only telehealth using remote communication technologies without a business associate agreement with the vendor in place in certain cases; and

  • HIPAA allows covered health care providers to use remote communication technologies to deliver audio-only telehealth, even if the patient’s health plan does not provide payment or insurance coverage for the services.

Schenck Price assists entities subject to HIPAA in developing, implementing and refining their HIPAA compliance plans.  

For more information, contact Deborah A. Cmielewski, Esq. at dac@spsk.com or 973-540-7327.

 DISCLAIMER: This Alert is designed to keep you aware of recent developments in the law. It is not intended to be legal advice, which can only be given after the attorney understands the facts of a particular matter and the goals of the client.