HHS releases new HIPAA guidelines on audio-only telehealth services | McGuireWoods LLP


  • During the pandemic, audio-only telehealth was an essential tool for providing care to populations who did not use video during telehealth sessions, often due to factors such as lack of financial resources, disability, or lack of sufficient broadband coverage.
  • New HHS guidance outlines steps covered entities can take to ensure their audio-only telehealth practices are HIPAA-compliant after PHE expires July 15, 2022, but will likely be extended. until October 2022.
  • Covered entities should now assess whether their audio-only telehealth is HIPAA-compliant and consider the recent expansion of audio-only telehealth reimbursement.

On June 13, 2022, the U.S. Department of Health and Human Services’ Office of Civil Rights (OCR) released tips on the application of the Health Insurance Portability and Accountability Act 1996 to audio-only telehealth. The new guidelines outline how audio-only telehealth can be provided after COVID-19 era policies expire. Advice responds to Executive Order 14058, which asked HHS to develop guidelines for telehealth services after the public health emergency (PHE) expires. Covered entities providing audio-only telehealth and their business associates should review their policies and agreements to ensure compliance with the new guidelines.

At the start of the PHE, the OCR issued a discretionary enforcement notice stating that it would not impose HIPAA non-compliance penalties against providers if they provided telehealth in good faith during the PHE ( the HIPAA waiver). The HIPAA waiver allows health care providers to use non-public remote communication and audio technologies that are not strictly HIPAA compliant, such as Apple FaceTime, Zoom, and Skype, to conduct telehealth visits with patients . The waiver will expire when the PHE expires. The COVID-19 PHE continues until July 15, 2022; however, Biden administration officials have said the administration plans to continue the PHE declaration for up to an additional 90 days through October 2022 and will provide 60 days’ notice if it plans to expire the PHE at that time. -the.

During the PHE, telehealth services have been critical in closing gaps in care, but some populations continue to have difficulty accessing or are reluctant to use video during telehealth sessions, due to factors such as financial resources, disability, limited English proficiency and lack of sufficient knowledge. broadband coverage. For example, some elderly patients are hesitant to use video in addition to audio due to unfamiliarity with an application or difficult troubleshooting issues. Audio-only telehealth helps address these otherwise unmet needs.

The guidelines describe how providers can ensure HIPAA compliance when providing audio-only telehealth. For instance:

  1. Covered Entities must apply reasonable safeguards when providing audio-only telehealth services. Generally, reasonable safeguards include the provision of services in a private setting; however, where a private setting is not available, reasonable safeguards may include the use of lower voices and providers refraining from using loudspeakers. The purpose of these safeguards is to limit the inadvertent disclosure of protected health information (PHI) when providing telehealth services.
  1. When providing audio-only telehealth, covered entities are still required to verify the patient’s identity. If the person is not known to the covered entity, the covered entity must verify the identity of the person. HIPAA rules do not mandate a specific method for verifying identity. Covered Entities must ensure that verification methods for persons with disabilities are as effective as communication with others, including the provision of ancillary aids and services. In addition, the verification method should, if necessary, use language support services to provide meaningful access to those with limited English proficiency.
  1. HIPAA security rule may apply depending on the technology used to provide audio-only telehealth services and a Business Associate Agreement (BAA) may be required. The security rule does not apply to audio-only telehealth provided by a covered entity using a standard telephone line. However, the security rule applies to audio-only services that are provided through electronic communication technologies that transmit electronic PHI, such as voice over Internet Protocol (VoIP) and mobile technologies that use electronic media, including Internet, cellular and Wi-Fi. Fi.

    A BAA is not required where the telecommunications provider acts only as leads for the information transmitted. However, when the telecommunications provider creates, receives or maintains PHI on behalf of a covered entity, an associate relationship may be created and a BAA may be required. Covered Entities should verify if their phone systems are required to be HIPAA compliant and if BAAs are in place.

  1. Covered Entities must develop a process for analyzing and managing the risks posed by the technology that involves the security rule. Covered Entities’ risk analyzes should include, among other things, considerations to determine whether unauthorized third parties can intercept audio-only transmissions, whether its audio-only technology supports encrypted transmissions, and whether there are additional authentication to access audio-only technology.

In particular, on November 2, 2021, CMS announcement its 2022 Physician Fee Schedule Final Rule that permanently expanded Medicare reimbursement for certain mental and behavioral health services via audio-only phone calls, including counseling and therapy services and treatment of disorders related to substance use. Audio-only calls are reimbursable if the patient does not have the technical capability or availability of interactive real-time audio and visual telecommunications, or does not consent to the use of real-time video technology.

COVID-19 PHE has served as a catalyst to accelerate the acceptance and expansion of audio-only telehealth services. All covered entities providing audio-only telehealth services must ensure that their services comply with the guidelines, including applying reasonable safeguards to protect PHI, identifying if the safety rule applies, and implementing or by reviewing the BAAs.

The authors thank Renee Kumon and Jonathan Wrobel, summer partners at McGuireWoods, for their assistance in preparing this Legal Alert. They are not allowed to practice law.

Previous New iMessage "unsend" feature not working on iOS 15
Next The Over The Top (OTT) Media Delivery Services Market Is Booming