- During the pandemic, audio-only telehealth was a critical tool to provide care to populations that did not use video during telehealth sessions, frequently due to factors such as lack of financial resources, disability or lack of sufficient broadband coverage.
- New HHS guidance outlines steps covered entities can take to ensure that their audio-only telehealth practices are compliant with HIPAA following the expiration of the PHE, which is set to expire July 15, 2022, but will likely be extended until October 2022.
- Covered entities should assess now whether their audio-only telehealth is compliant with HIPAA and consider the recent expansion of reimbursement for audio-only telehealth.
On June 13, 2022, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) released guidance on the application of the Health Insurance Portability and Accountability Act of 1996 to audio-only telehealth. The new guidance addresses how audio-only telehealth can be provided after the expiration of COVID-19 era policies. The guidance is in response to Executive Order 14058, which called upon HHS to develop guidance for telehealth services after the public health emergency (PHE) expires. Covered entities providing audio-only telehealth and their business associates should review their policies and agreements to ensure compliance with the new guidance.
At the beginning of the PHE, the OCR issued a notice of enforcement discretion stating that it would not impose penalties for noncompliance with HIPAA against providers that provide telehealth in good faith during the PHE (the HIPAA waiver). The HIPAA waiver allows healthcare providers to use non-public-facing audio and remote communications technologies that are not in strict compliance with HIPAA, such as Apple FaceTime, Zoom and Skype, to conduct telehealth visits with patients. The waiver will expire when the PHE expires. The COVID-19 PHE continues through July 15, 2022; however, Biden administration officials have said the administration plans to continue the PHE declaration for up to another 90 days until October 2022 and will give 60 days’ notice if it plans to let the PHE expire at that time.
During the PHE, telehealth services have been critical to address gaps in care, but certain populations continue to have difficulty accessing or are reluctant to use video during telehealth sessions, due to factors such as financial resources, disability, limited English proficiency and lack of sufficient broadband coverage. For example, some elderly patients are reluctant to use video, in addition to audio, given lack of familiarity with an app or difficulty troubleshooting issues. Audio-only telehealth helps address these otherwise unmet needs.
The guidance describes how providers can ensure compliance with HIPAA when providing audio-only telehealth. For example:
- Covered entities must apply reasonable safeguards when providing audio-only telehealth services. Generally, reasonable safeguards include providing services in private settings; however, when a private setting is not available, reasonable safeguards may include using lowered voices and providers refraining from using speakerphones. The goal of these safeguards is to limit incidental disclosure of protected health information (PHI) while providing telehealth services.
- When providing audio-only telehealth, covered entities are still required to verify the identity of the patient. If the individual is not known to the covered entity, it must verify the identity of the individual. The HIPAA rules do not mandate a specific way to verify identity. Covered entities must ensure that verification methods for individuals with disabilities are as effective as communication with others, including providing auxiliary aids and services. Additionally, the verification method should, when necessary, use language assistance services to provide meaningful access for individuals with limited English proficiency.
- The HIPAA Security Rule may apply depending on the technology used to provide audio-only telehealth services and a business associate agreement (BAA) may be required. The Security Rule does not apply to audio-only telehealth provided by a covered entity that is using a standard telephone line. However, the Security Rule does apply to audio-only services that are provided over electronic communication technologies that transmit electronic-PHI, such as voice over internet protocol (VoIP) and mobile technologies that use electronic media, including the internet, cellular and Wi-Fi.
A BAA is not required when the telecommunications provider is only acting as a conduit for the information transmitted. However, when the telecommunications provider creates, receives or maintains PHI on behalf of a covered entity, a business associate relationship may be created and a BAA may be required. Covered entities should audit whether their phone systems need to be compliant with HIPAA and whether BAAs are in place.
- Covered entities must develop a risk analysis and management process that addresses the risks posed by the technology that implicates the Security Rule. Covered entities’ risk analyses should include, among other things, considerations of whether unauthorized third parties may intercept audio-only transmissions, whether their audio-only technology supports encrypted transmissions and whether there are additional authentication procedures for accessing the audio-only technology.
Notably, on Nov. 2, 2021, CMS announced its 2022 Physician Fee Schedule final rule that permanently expanded Medicare reimbursement for certain mental and behavioral health services via audio-only telephone calls, including counseling and therapy services and treatment of substance use disorders. The audio-only calls are reimbursable if the patient doesn’t have the technical capacity or the availability of real-time audio and visual interactive telecommunications, or doesn’t consent to the use of real-time video technology.
The COVID-19 PHE served as a catalyst to accelerate the acceptance and expansion of audio-only telehealth services. All covered entities providing audio-only telehealth services should ensure their services comply with the guidance, including applying reasonable safeguards to protect PHI, identifying whether the Security Rule applies, and implementing or reviewing BAAs.
McGuireWoods attorneys track updates in digital health and healthcare privacy. For more information on how this new guidance may apply to you and the potential implications, please contact the authors of this article.