
HHS Issues New HIPAA Guidance on Audio-only Telehealth Care for Covered Providers & Health Plans


Disclaimer: This blog article was written by an AdvancedMD partner. The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the official policy or position of AdvancedMD.


The Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”), recently issued new regulatory guidance relating to covered entities’ HIPAA-compliant use of remote communication technologies for audio-only telehealth services.

During the public health emergency due to COVID-19, HIPAA requirements for telehealth were waived to streamline access to telehealth for both patients and doctors. However, when the public health emergency is declared to be over, those waivers will automatically expire and we will be required to comply with all the HIPAA regulations when providing telehealth care.

HIPAA has two rules that providers need to be concerned with when they provide telehealth service: the privacy rule and the security rule. The guidance addresses both rules. It is important to realize that both the privacy and security rules apply to digital communications. However, if the communication is over a standard phone line, then only the privacy rule applies.

If you have an internet-based phone system or a voice over IP (VoIP) system, then both the security and privacy rules apply because the communication becomes digital when using this type of phone. If you use a cell phone, that is digital also and both the privacy and security rules apply. For the vast majority of practices we are aware of, the type of communication, even phone calls, is digital and both the privacy and security rules apply.

The privacy rule requires that you take the following safeguards to protect patient information. This applies to all telehealth services:

  • Have the conversation in a place where you will not be overheard by other individuals. Do not take the call in a public place, and if you take it at the office or at home, go to an area where you have privacy and will not be overheard.
  • When you start the phone call, take appropriate steps to verify the identity of the person you are speaking with. If it is not the patient, check your records and make sure you have permission to speak with the person on the other side of the phone.

The HIPAA security rule requires that you ensure appropriate safeguards are in place to protect patient data when you are using a digital system.

  • The first step is to make sure you have a Business Associate Agreement (BAA) with any company that is providing you with the technology for the telehealth services if the service stores any patient information. If the service is only a “pass through” that carries the sound of the patient's voice or the picture of the patient to you and does not store any patient information, such as a VoIP phone call, then the BAA is not as important.
  • Look at the technology and make sure the signal has end-to-end encryption, from the point of your office to the point of the patient, to protect the signal (patient information) from being intercepted when it is en route to you or to the patient. This should be covered in your service agreement or in the documentation provided to you by the telehealth technology provider.

OCR’s Telehealth Notifications & FAQs

This article published by HHS has FAQs that are helpful to understand the guidance. I will provide them here as well as a link to the full guidance article by HHS:

Does the HIPAA Privacy Rule permit covered health care providers and health plans to use remote communication technologies to provide audio-only telehealth services?

Yes. HIPAA covered entities can use remote communication technologies to provide telehealth services, including audio-only services, in compliance with the HIPAA Privacy Rule.

Do covered health care providers and health plans have to meet the requirements of the HIPAA Security Rule in order to use remote communication technologies to provide audio-only telehealth services?

Yes, in certain circumstances. The HIPAA Security Rule applies to electronic protected health information (ePHI), which is PHI transmitted by, or maintained in, electronic media.

Do the HIPAA Rules permit a covered health care provider or a health plan to conduct audio-only telehealth using remote communication technologies without a business associate agreement in place with the vendor?

Yes, in some circumstances.  The HIPAA Rules require a covered entity to enter into a business associate agreement (BAA) with a telecommunication service provider (TSP) only when the vendor is acting as a business associate. As explained in previous guidance, a covered entity using a telephone to communicate with patients is not required to enter into a BAA with a TSP that has only transient access to the PHI it transmits, because the vendor is acting merely as a conduit for the PHI.  If the TSP is not also creating, receiving, or maintaining PHI on behalf of the covered entity, and the TSP does not require access on a routine basis to the PHI it transmits in the call, no business associate relationship has been created.  Therefore, a BAA is not needed.

Do the HIPAA Rules allow covered health care providers to use remote communication technologies to provide audio-only telehealth if an individual’s health plan does not provide coverage or payment for those services?

Yes. Covered health care providers may offer audio-only telehealth services using remote communication technologies consistent with the requirements of the HIPAA Rules, regardless of whether any health plan covers or pays for those services. Health plan coverage and payment policies for health care services delivered via telehealth are separate from questions about compliance with the HIPAA Rules and are not addressed in this document.

TLD Systems provides monthly security webinars.

Our September webinar will be on telehealth security.

July 6 – Password Security
August 3 – Email Security
September 7 – Telehealth Security
To register for the FREE webinar series on Security CLICK HERE



Michael Brody, DPM
Dr. Brody has been actively involved in computers and medicine since the 1980s. He is a Residency Director at a VA hospital located in Long Island, NY. Notably, he was present as the VA moved from paper records to computerized records. During this time, he was exposed to the stringent rules and regulations that government employees must adhere to when protecting patient information. He co-founded TLD Systems with Warren Melnick. They wanted to create a platform for private practice doctors that provides a cost-effective method of implementing HIPAA compliance in their practices in a manner that does not interfere with their ability to practice medicine. He has served on the Health Information Technology Standards Panel (HITSP), the Standards and Interoperability Framework (S&I), as a member of the Ambulatory Care Committee at the Certification Commission on Health Information Technology (CCHIT), and numerous other organizations. He is currently a member of the Physicians Committee at the Healthcare Information and Management Systems Society (HIMSS) and a co-chair of the EHR workgroup at Health Level Seven International (HL7).
