COVID-19 continues to change the way health care is delivered. The closure of offices and physical meeting spaces has forced many healthcare providers to quickly shift to delivering services via telehealth options. The Centers for Medicare and Medicaid (CMS) Office for Civil Rights (OCR) facilitated this transition by granting a waiver of potential penalties for HIPAA violations related to the use of telehealth, which is still in effect.
In June 2022, the OCR released additional guidance on the use of audio-only calls for health service delivery in response to the Executive Order on Transforming Federal Customer Experience and Service Delivery to Restore Trust in Government. The guidance also aims to facilitate improved health care for segments of the population who may not have access to the audio-video technology used to provide telehealth services. The OCR information will also help covered entities stay in compliance with HIPAA regulations after the waiver expires.
The guidance highlighted the following issues that could impact your operations:
- Entities covered by HIPAA may use both audio-video and audio-only technology to deliver telehealth. Covered Entities are expected to apply reasonable safeguards to reduce the risk of unauthorized uses and/or disclosures. Covered Entities must also make reasonable efforts to verify the patient’s identity.
- Covered Entities must apply HIPAA Security Rule requirements to the use of remote technologies. However, the guidelines specifically state that if the Covered Entity uses a standard telephone line or a traditional landline, the information would not be considered an electronic transmission and therefore would not be covered by the security rule.
- Most Covered Entities no longer use traditional landlines, but instead use voice over internet protocol or other mobile technology services. Covered Entities should verify that they are using the traditional landline to deliver audio-only telehealth.
- The covered entity is not considered responsible for the protection of data on the patient’s device, regardless of the technology the patient may use to communicate during a telehealth service.
- Covered entities do not need a Business Associate Agreement (BAA) for audio-only telehealth if the service provider only transmits PHI but does not create, receive, or manage PHI for the entity.
- If your provider provides services such as retaining call records or providing translation services, you will need to obtain a BAA.
As OCR continues to leave the HIPAA enforcement waiver for telehealth in place, these guidelines demonstrate that they are aware that telehealth will remain a part of the healthcare system and that they will eventually begin to implement it. Now is a good time to prepare for this reality.