According to a June 13 press release, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), is issuing guidance on how covered healthcare providers and health plans can use remote communication technologies to provide audio-only telehealth services when communications are directed in a way that is consistent with the relevant requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules, including when OCR’s Notification of Enforcement Discretion for Telehealth is no longer applicable.
The release states that “This guidance will help individuals to continue to benefit from audio-only telehealth by clarifying how covered entities can provide these services in compliance with the HIPAA Rules and by improving public confidence that covered entities are protecting the privacy and security of their health information.”
That said, “While telehealth can significantly expand access to health care, certain populations may have difficulty accessing or be unable to access technologies used for audio-video telehealth because of various factors, including financial resources, limited English proficiency, disability, internet access, availability of sufficient broadband, and cell coverage in the geographic area. Audio-only telehealth, especially using technologies that do not require broadband availability, can help address the needs of some of these individuals.”
For example, the guidance explains that traditional landlines are being replaced with electronic communication technologies such as Voice over Internet Protocol (VoIP) and mobile technologies that use electronic media. The HIPAA Security Rule applies when a covered entity uses electronic communication technologies. “Covered entities using telephone systems that transmit ePHI need to apply the HIPAA Security Rule safeguards to those technologies,” the guidance adds. “Note that an individual receiving telehealth services may use any telephone system they choose and is not bound by the HIPAA Rules when doing so. In addition, a covered entity is not responsible for the privacy or security of individuals’ health information once it has been received by the individual’s phone or other device.”
OCR Director Lisa J. Pino was quoted in the release saying that “Audio telehealth is an important tool to reach patients in rural communities, individuals with disabilities, and others seeking the convenience of remote options. This guidance explains how the HIPAA Rules permit health care providers and plans to offer audio telehealth while protecting the privacy and security of individuals’ health information.”
