On June 13, the U.S. Department of Health and Human Services (HHS) issued guidance to explain how audio-only telehealth can comply with HIPAA, while also emphasizing that this mode of telehealth services can expand healthcare access to individuals who may have limited internet and broadband capabilities.

In response to the COVID-19 pandemic in March 2020, HHS’s Office for Civil Rights (OCR) published a Notification of Enforcement Discretion for Telehealth Remote Communications which permitted providers to use any available non-public facing remote technologies to provide telehealth services, even when those technologies may not fully comply with HIPAA. Notably, OCR may begin to impose penalties for non-compliant technologies once the public health emergency (PHE) declaration expires. The PHE is currently in place through mid-July.

The new HHS guidance clarifies that while HIPAA covered entities can use remote communication technologies to provide telehealth services (including audio-only services), compliance with the HIPAA Privacy Rule requires applying reasonable safeguards to protect the privacy of protected health information (PHI) from impermissible uses or disclosures. OCR expects covered healthcare providers to provide telehealth services in a private setting; if that is not feasible, covered providers must implement safeguards like using lowered voices and not using a speakerphone in order to limit incidental disclosures of PHI. Meanwhile, the HIPAA Security Rule—which applies to electronic PHI (ePHI)—does not apply to telehealth services provided by using a traditional landline because the information transmitted is not electronic. Covered entities using telephone systems that transmit ePHI, such as Voice over Internet Protocol (VoIP), need to apply appropriate administrative, physical, and technical safeguards to ensure confidentiality, integrity, and security of the information.

Lastly, if a telecommunications service provider is not creating, receiving, or maintaining PHI on behalf of the covered entity—and is merely acting as a conduit—a business associate agreement (BAA) is not needed. Conversely, if the vendor is more than a conduit for transmission of PHI (such as a developer of a smartphone app), it is considered a business associate and a BAA should be in place.

Sign up to receive Rivkin Rounds at www.RivkinRounds.com.