During the pandemic, covered entities were permitted to use any non-public-facing remote communication technology for audio or video telehealth, whether or not that technology met HIPAA requirements. No HIPAA penalties were imposed in connection with the “good faith provision of telehealth” using such platforms, and this enforcement discretion applied to any telehealth service for any reason, whether related to COVID-19 or not.
After several years of the COVID-19 pandemic, the Secretary of HHS announced that the public health emergency (PHE) would end on May 11, 2023. The HIPAA Rules themselves were never waived or suspended; what ends with the PHE is OCR's enforcement discretion, including the relaxed posture toward telehealth platforms.
Covered entities continuing to use telehealth, including audio-only telehealth, should consider reviewing their current policies and procedures on the use of telehealth to ensure compliance with state and federal laws. Below are some other considerations:
- The Privacy Rule requires reasonable safeguards to protect the privacy of protected health information (PHI) from impermissible uses or disclosures. Telehealth services should be delivered in a private setting to the extent feasible, with reasonable safeguards such as lowering one's voice and limiting who is present in the room.
- The Security Rule applies to electronic protected health information (ePHI), meaning PHI transmitted by or maintained in electronic media. The technology used for telehealth should be reviewed. Examples of technology that brings a session within the Security Rule include communication applications (apps) on a smartphone or other computing device, VoIP services, technologies that electronically record or transcribe a telehealth session, and messaging services that electronically store audio messages. By contrast, an audio-only visit over a traditional landline telephone does not involve ePHI and falls outside the Security Rule, although the Privacy Rule still applies.
- Review telehealth policies and procedures related to business associate agreements (BAAs). In some circumstances no BAA is needed. For example, when a provider uses a standard telephone line, the telecommunication service provider (TSP) has only transient access to the PHI it transmits and acts merely as a conduit; it is not "creating, receiving, or maintaining PHI on behalf of the covered entity." However, a covered entity must enter into a BAA with a vendor, including a TSP, when that vendor is more than a conduit and is acting as a business associate, for example by storing recordings, transcripts or messages containing PHI on the covered entity's behalf.
- While HIPAA requires covered entities to protect the privacy and security of patient data, the individual receiving telehealth services may use any telephone, device or system they choose. Patients are not bound by the HIPAA Rules.
The security risk analysis and policy review should highlight where a BAA is necessary. Covered entities should make arrangements to enter into a BAA as needed and transition to a HIPAA-compliant communications platform as soon as possible to ensure no interruption of telehealth services and avoid financial penalties for non-compliance.
From the HHS Office for Civil Rights (OCR):
OCR is providing a 90-calendar day transition period for covered healthcare providers to come into compliance with the HIPAA Rules with respect to their provision of telehealth. The transition period will be in effect beginning on May 12, 2023, and will expire at 11:59 p.m. on August 9, 2023. OCR will continue to exercise its enforcement discretion and will not impose penalties on covered healthcare providers for noncompliance with the HIPAA Rules that occur in connection with the good faith provision of telehealth during the 90-calendar day transition period.
Further information is available at HHS:
- HHS Office for Civil Rights Announces the Expiration of COVID-19 Public Health Emergency HIPAA Notifications of Enforcement Discretion
- Notice of Expiration of Certain Notifications of Enforcement Discretion Issued in Response to the COVID-19 Nationwide Public Health Emergency
- HIPAA and Telehealth: Expiration of COVID-19 Public Health Emergency HIPAA Notifications of Enforcement Discretion
- Guidance on How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-Only Telehealth
For questions, please contact the LAMMICO Risk Management and Patient Safety Department at 800.452.2120 or 504.841.5211.