When the Covid pandemic began, many health care providers wanted to make use of telehealth to continue providing care while limiting exposure. However, providers worried that remote communications technologies could violate the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. In March 2020, the Office for Civil Rights (OCR) notified health care providers that it would use enforcement discretion in applying HIPAA so that care could be furnished remotely as long as reasonable precautions were taken to protect confidentiality. However, this notification will expire when the Covid public health emergency (PHE) is no longer in effect.
On June 13, 2022, OCR published guidance on how providers may continue to use audio-only telehealth once the PHE expires. OCR notes that health care providers must use reasonable safeguards to limit incidental disclosures of protected health information (PHI), by using a private office if available, or if not, by avoiding use of a speakerphone. OCR also states that if the patient is not known to the provider, the provider must verify the identity of the patient, either orally or in writing (which could include using electronic methods).
OCR notes that the HIPAA Security Rule does not apply to audio-only telehealth services if the provider is using a landline, because the information transmitted is not electronic. However, electronic communication technologies do require compliance with the HIPAA Security Rule. This would include smartphone apps, Voice over Internet Protocol (VoIP) technologies, and messaging services that electronically store audio messages. Providers using these technologies should address the vulnerabilities in their security risk analysis, including whether the risks can be mitigated through the use of encryption. OCR points out that the HIPAA rules apply only to the health care provider's end of the communication: the patient may use any telephone system they choose.
Finally, OCR addressed when a provider must have a business associate agreement (BAA) with a telecommunications service provider (TSP). If the TSP has only transient access to the PHI being transmitted, no BAA is required because the TSP is merely a conduit. However, if the service provided by the TSP includes storing recordings or transcripts, then a BAA is needed.