Saturday, August 20, 2022

Office for Civil Rights Publishes Guidance on Use of Audio-Only Telehealth Services

As telehealth services surged in response to the COVID-19 pandemic, unique compliance challenges likewise developed in unexpected ways. Recognizing these challenges, the Office for Civil Rights (“OCR”) indicated that it would exercise its enforcement discretion by declining to impose penalties against covered health care providers for instances of good faith noncompliance with the requirements of the Health Insurance Portability and Accountability Act (“HIPAA”) in connection with the provision of telehealth services. In effect, a covered health care provider seeking to use audio or video communication technology to provide telehealth services during the public health emergency could do so with greater flexibility.

As the public health emergency draws to a relative close and many of the regulatory flexibilities expire or are otherwise rolled back, it is imperative that providers and health plans remain vigilant to the status of these measures. In an effort to facilitate a smooth transition, the OCR issued guidance (the “Guidance”) on June 13, 2022 addressing use of audio-only technology to render telehealth services in accordance with HIPAA.[1]

1. Background of HIPAA

HIPAA generally governs the use, maintenance, and disclosure of protected health information (“PHI”) and specifically applies to qualifying health care providers, health plans, and clearinghouses (each a “Covered Entity”). In an effort to address the many challenges that arise in handling PHI, HIPAA is comprised of several components, the two most important of which are the Privacy Rule[2] and the Security Rule.[3]

The Privacy Rule generally protects the confidentiality of health information by, among other items, establishing standards which restrict how Covered Entities may use PHI while also increasing a given patient’s right to control his/her PHI. The Security Rule creates standards for PHI that is stored or transmitted in electronic media (“ePHI”), by mandating certain administrative, physical, and technical safeguards for the protection of such PHI.

Both the Privacy Rule and Security Rule generally apply to the rendering of telehealth services.

2. Privacy Rule Considerations

Covered Entities may use remote communication technology to provide telehealth services, including audio-only services, in compliance with the Privacy Rule. Generally, the Privacy Rule requires that Covered Entities implement reasonable safeguards to protect the confidentiality of PHI from impermissible uses or disclosures. The Guidance specifies that, by way of an example, OCR requires Covered Entities to furnish telehealth services in a private setting, where possible. To the extent a private setting is not available, OCR requires Covered Entities to utilize reasonable safeguards to limit incidental disclosures of PHI, such as by using lowered voices or by avoiding the use of speakerphone technology.

In addition, the Guidance also provides that if an individual is not known to a Covered Entity, such Covered Entity must verify the identity of the individual either orally or in writing. HIPAA does not mandate a specific method to complete this verification. The Guidance does, however, stress that Covered Entities must be mindful of civil rights laws which require communication with an individual with a disability to be as effective as the means used with others, including through use of auxiliary aids and services if appropriate. In addition, the Guidance notes that a Covered Entity may need to use language assistance services in order both to appropriately verify a given patient’s identity and to provide meaningful access to patients with limited English proficiency.

3. Security Rule Considerations

The Security Rule generally does not apply to audio-only telehealth services provided by a Covered Entity using a standard landline. OCR considers the information conveyed via a landline as not being “electronic” for purposes of HIPAA. In contrast, the Guidance clarifies that information conveyed through Voice over Internet Protocols or mobile technologies that use such resources as the Internet, intra- and extranets, cellular, or WiFi services traditionally qualifies as “electronic” for purposes of HIPAA. In addition, the Guidance indicates that the Security Rule applies to information transmitted by using certain applications on smartphones or other devices, technologies that electronically record or transcribe telehealth sessions, or services which electronically store audio messages.

The Guidance further clarifies that a Covered Entity’s annual risk assessment and day-to-day management efforts should consider:

  • Whether the technology being used increases the risk that a transmission could be intercepted by an unauthorized third party;
  • Whether the remote communication technology supports encrypted transmissions which may assist in safeguarding ePHI;
  • Whether there is a risk that ePHI created or stored as a result of a telehealth session could be accessed by an unauthorized third party;
  • Whether authentication is required to access the device or application where a telehealth session’s related ePHI is stored; and
  • Whether the device or application automatically terminates the session or locks after inactivity.

Such considerations must be assessed and addressed, where possible, to better meet a Covered Entity’s obligations under HIPAA.

4. Business Associate Agreements

In many cases a Covered Entity must execute a business associate agreement (“BAA”) prior to disclosing PHI to a business associate, which is a party that carries out certain functions on behalf of a Covered Entity that involve the use or maintenance of PHI. Each BAA outlines the parties’ obligations under HIPAA with respect to the PHI in question, as well as other important contractual terms.

The Guidance clarifies that under certain circumstances, a Covered Entity may conduct audio-only telehealth services using a remote communication technology offered by a vendor without executing a BAA. Specifically, a vendor who only maintains transient access to the PHI it transmits and merely serves as a conduit for the PHI would not be obligated to execute a BAA. The Guidance clarifies that if a vendor is not creating, receiving, or maintaining PHI on behalf of the Covered Entity, and if such vendor does not require access to PHI on a routine basis, no business associate relationship exists. As a result, no BAA is required. It is important to keep in mind that where a vendor relationship exceeds that of a mere conduit, a BAA would likely be required.


[1] Office for Civil Rights, Guidance: How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-Only Telehealth (last accessed June 20, 2022).

[2] 45 C.F.R. Part 160 and Subparts A and E of Part 160.

[3] 45 C.F.R. Part 160 and Subparts A and C of Part 160.

