The Human and Health Services Department’s Office for Civil Rights has issued new guidelines regarding the use of telehealth technologies for covered health care providers and health plans. Due to the nature of the COVID-19 pandemic, in-person visits from patients to physicians were restricted to only the extremely necessary in order to stop the spread of COVID-19. Because of this, the use of telehealth technologies to deliver health care increased greatly.
While telehealth can expand the access to health care, certain groups of people may face difficulty with accessing telehealth technologies. Populations with limited English proficiency, disabilities, restricted internet access, restricted financial resources and poor cell coverage in their geographic area will struggle to use telehealth for health care. To combat this, the Office for Civil Rights advises the use of audio-only telehealth as it may help address the difficulties these populations may encounter. In March 2020, the Office for Civil Rights issued the Telehealth Notification to help the health care industry’s response to the public health emergency. Under the Telehealth Notification, the Office for Civil Rights will not impose penalties on Covered Entities for noncompliance to HIPAA Rules if they have made the violation in good faith using audio or video telehealth technologies during the public health emergency.
However, the Telehealth Notification will only continue until the public health emergency exists. The new guidelines are set to address how Covered Entities can comply with HIPAA Rules after the public health emergency is no longer in effect. The Department of Human and Health Services has maintained that the Privacy Rule enables Covered Entities to use telehealth technologies to provide telehealth services. Covered Entities must continue to implement the appropriate safeguards for the protection of Protected Health Information. For example, providing telehealth services in a confidential setting. If incapable, Covered Entities must apply reasonable safeguards, including using lowered voices and not using speakerphone. In addition, the HHS also maintains that a Covered Entity may provide audio-only telehealth services using telehealth communication technologies without an individual’s health plan coverage if they are consistent with the requirements of the HIPAA Rules.
The Human and Health Services Department also insists that, in certain circumstances, Covered Entities must meet the requirements of the HIPAA Security Rule in order to use telehealth technologies to administer audio-only telehealth services. When using a standard telephone line, Covered Entities are not required to comply with the HIPAA Security Rule as the information is not disclosed electronically. In circumstances where Covered Entities use telephone systems which transmit electronic Protected Health Information, Covered Entities must implement the necessary safeguards in order to comply with the requirements of the HIPAA Security Rule.
The HIPAA Rules require Covered Entities to obtain a Business Associate Agreement with a telecommunication service provider before conducting an audio-only teleservice if the provider encounters Protected Health Information that the Covered Entity maintains. However, a Covered Entity may provide telehealth services without previously obtaining a Business Associate Agreement in some circumstances. In the event whereby a telecommunication service provider is not creating, obtaining, or managing Protected Health Information on behalf of the Covered Entity, a Business Associate Agreement is not required.
Healthcare organizations who provide healthcare services via telehealth communication technologies must ensure that they full understand the requirements of the new guidelines in order to ensure the integrity of their patient data and to avoid disciplinary action.