As the frequency of telehealth has risen during the global pandemic, so have concerns over patient privacy. To keep up with the technology and to ensure those using telehealth have the same HIPAA safeguards as they do with traditional visits, the US Department of Health and Human Services (HHS) through its Office for Civil Rights (OCR) has issued new privacy guidelines for “audio-only” telehealth services.
The focus on audio-only is necessary, OCR notes, because many populations have limited or no access to technology for video telehealth due to many factors, such as financial status, language barriers, disability, or insufficient broadband and cellular coverage.
Healthcare providers and health plans, the guidance says, should ensure that they can continue to provide telehealth while safeguarding the privacy and security of individual protected health information (PHI).
Sean Sullivan, partner at Alston & Bird
OCR outlines its guidance by answering four FAQs related to HIPPA compliance during audio-only telehealth visits.
Frist, the guidance clarifies that the HIPAA privacy rule permits covered health care providers and plans to use remote communication technologies for audio-only services so long as they apply “reasonable safeguards” to protect patient health information from impermissible uses or disclosures. For example, if telehealth services cannot occur in a private setting, OCR suggests using lowered voices and avoid speakerphones.
Secondly, OCR clarifies that HIPAA does not apply to audio-only services provided using a traditional landline as the information transmitted is not done so electronically. However, HIPAA rules do apply when using a communication app on a smartphone, computing device, or other technology that electronically records or transcribes the session.
Third, the guidance clarifies in certain cases HIPAA rules permit a covered health care provider or plan to conduct audio-only telehealth without business associate agreement in place with the vendor.
And fourth, HIPPA rules do allow for audio-only telehealth regardless of whether the patient’s health plan provides coverage or payment for those services – meaning coverage from government or private plans is not guaranteed. “Coverage and reimbursement questions for any type of telehealth are beyond OCR’s authority,” the guidance states.
Medtech Insight asked Sullivan for his thoughts on the OCR’s guidance and the explosion of telehealth during the pandemic.
Do you see the rapid expansion of telehealth during the pandemic continuing? And do you believe there are other factors contributing to the enormous growth of telehealth other than the logistical practicalities related to lockdowns and quarantines?
The expansion of telehealth will absolutely continue, but as we’ve seen after the first year of the pandemic, it’s not going to be “rapid” as a lot of people had hoped. While there is broad support for telehealth among lawmakers and policymakers, there is still reluctance at the federal level to keep reimbursing telehealth under the expanded regulatory flexibilities and waivers that have been in place since the beginning of the pandemic.
“The key flexibilities that have driven the rapid expansion of telehealth during the pandemic – namely being able to provide telehealth to patients in their homes and in non-rural areas – will require another act of Congress to be made permanent.” – Sean Sullivan
Why the reluctance?
It’s largely driven by concerns that care provided virtually is not as effective as in-person care, and that it can lead to overutilization. In my opinion, many of those concerns have been alleviated as telehealth usage has largely leveled off over the last year of the pandemic. As a compromise, in the 2022 Consolidated Appropriations Act passed last March, Congress extended many of the telehealth flexibilities for 151 days after the expiration of the COVID-19 Public Health Emergency, which will give policymakers an opportunity to study telehealth usage during a non-emergency period.
What do you see happening when that period ends?
At that point, Congress could kick the can down the road, temporarily extending the flexibilities again to gather more data, or may make some, but perhaps not all, of the Medicare telehealth flexibilities permanent. But the key flexibilities that have driven the rapid expansion of telehealth during the pandemic – namely being able to provide telehealth to patients in their homes and in non-rural areas – will require another act of Congress to be made permanent.
Do you see other obstacles in the way?
One of the other main inhibitors of telehealth is the patchwork of state professional licensing boards. Each state medical board regulates the practice of medicine within the state’s borders, and doctors using telemedicine are generally considered to be practicing medicine in the state where the patient is located, so typically must be licensed in that state. State medical licenses can include lengthy application processes and can be difficult to keep up with, so obtaining a license in every state is not exactly an easy solution. And although many states waived some licensure requirements at the beginning of the pandemic, most of those waivers have been dialed back, and medical boards have generally been reluctant to give up much, if any, of their authority.
The Interstate Medical Licensure Compact has provided some help to streamline the application process, but providers still have to apply and be approved for a license in each state. A national license would be optimal, but we are a long way from something like that.
In addition to the logistical practicalities related to the pandemic—namely efforts to slow the spread of COVID-19 by limiting in-person interactions—the other key factors that have and will continue to drive telehealth growth are technology and broadband access. Technology has come a long way over the last few years, and many telehealth interactions involve much more than an audio-video interaction, but can also involve relatively detailed examinations of patients, including taking vitals and other diagnostic tools. And there are still many places in this country that do not have reliable access to the high-speed internet connections needed to meaningfully provide care via telehealth.
Concerning OCR issuing this new guidance, do you see that as a sign that telehealth is here to stay as a complement to overall health care and traditional visits?
Absolutely. OCR acknowledges that telehealth is not going anywhere and has issued this guidance in recognition that providers and technology vendors are only going to increase their use of telehealth, and audio-only telehealth, and must remain focused on patient privacy and security. Health care providers, who are considered “covered entities” under HIPAA, should assess risks and vulnerabilities in their telehealth platform, and should document that assessment and any risk management actions they take.
And because these guidelines focus on “audio-only” – do you see this as recognition of telehealth as a viable option for mental health, and in some cases a preferable option to in-office visits for various behavioral treatments?
That is a great point. These guidelines, plus the recent broadening of Medicare telehealth coverage for mental health and CMS’s expansion of audio-only telehealth services, clearly point to the fact that telehealth can be not only a complement to in-person care, but sometimes can be the primary form of treatment for patients that need mental and behavioral health care.
And regarding the guidance itself – do you think it addresses HIPAA privacy concerns for audio-only telehealth?
It does. I view the guidance as a reminder that covered entities do not get a pass when it comes to patient privacy, even over audio-only methods of communication. They should still consider risks and implement reasonable safeguards, like ensuring the technology is secure, lowering voices, not providing telehealth in public settings, and verifying the patient’s identity.
And more specifically, can you offer one example of where you think the guidance gets it right in terms of the OCR’s goals?
The guidance does a good job of emphasizing that HIPAA privacy and security concerns apply, even on audio-only platforms – except for true landlines – and that providers need to consider this and conduct their own assessments to mitigate risks.
And what about where the guidance falls short?
The guidance does not necessarily do a great job of reconciling this with guidance for telehealth provided over videoconferencing platforms. Most experts in the area have long understood that when telehealth is provided over videoconferencing technology, to be HIPAA-compliant, the provider should have a business associate agreement signed with the technology vendor, and the connection should be secure and encrypted.
In this guidance, OCR has indicated that a business associate agreement may not necessarily be required for audio-only technology vendors, when the vendor is merely a conduit and does not create, receive, or maintain any protected health information from the session, and does not maintain recordings or transcripts, or processes patient information.
Is it possible for a videoconferencing technology vendor to also be considered merely a conduit, such that a business associate agreement is unnecessary? That remains somewhat unclear, but the safest approach for providers is certainly still to ensure they have business associate agreements with all telecommunications service providers and telehealth vendors that could potentially have access to or process patient information.
“Broadband is not just about access to data, but it’s about access to health care.” – Sean Sullivan
And lastly, the guidance mentions that many Americans must rely on audio-only for lack of sufficient broadband, cell coverage, internet access, and other factors. Perhaps this is outside of the scope of the guidance and your focus, but do you think more could be done to address these problems so that reliance on audio-only telehealth wouldn’t be as necessary?
As I mentioned at the beginning, broadband access is and will continue to be one of the biggest limiting factors for telehealth in certain areas of the country. The federal government has done much in the last few years to encourage and pay for broadband expansion but making that expansion a reality has been slow. Stakeholders at all levels – not just the federal government but state and local governments, hospitals, and health systems, broadband and telecommunications providers, and technology companies – all need to get behind this effort. Broadband is not just about access to data, but it’s about access to health care.
