On Monday, June 14th the U.S. Department of Health and Human Services (HHS), issued guidance on how the HIPAA rules permit covered health plans to use remote communication technologies for audio-only telehealth.
The guidance is in the form of FAQs and clarifies the following:
A covered entity does not need to apply the Security Rule safeguards to telehealth services that they provide using such traditional landlines (regardless of the type of telephone technology the individual uses, because the information transmitted is not electronic.
Communication of Personal Health Information (PHI) via apps on a smart phone or other device, VoIP technology, technologies that transcribe or record a telehealth session or messaging services that store audio messages will require compliance with the Security Rule.
A covered health care provider may conduct an audio-only telehealth session with a patient using a smartphone without a Business Associate Agreement (BAA) between the covered health care provider and the telecommunication service provider where that service provider does not create, receive, or maintain any PHI from the session and is only connecting the call.
The guidance includes clarity on the triggers for expiration of HHS’ Office for Civil Rights (OCR) Notification of Enforcement Discretion for Telehealth - PDF, which permits covered health care providers to use any available non-public facing remote communication technologies for telehealth, even where those technologies, and the manner in which they are used, may not fully comply with the HIPAA Rule. “The Notification will remain in effect until the Secretary of HHS declares that the public health emergency no longer exists, or upon the expiration date of the declared public health emergency, including any extensions, whichever occurs first. OCR will issue a notice to the public when it is no longer exercising its enforcement discretion based upon the latest facts and circumstances.”
Sheila Sokolowski, is a partner at Hintze Law PLLC and chairs the firm’s Health and Biotech Privacy Group. She is ranked by Chambers USA, which described her as “incredibly quick to understand complex, innovative technologies and develop practical, risk-indexed advice that clients understand and use.”
About Hintze Law Hintze Law PLLC is a boutique privacy firm that provides counseling exclusively on global data protection. The firm’s attorneys and privacy analysts support technology, health, biotech, advertising, social networking, media, gaming, ecommerce, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.