HHS recently issued guidance to clarify how health plan and health care provider covered entities under HIPAA (each, a "Covered Entity") may use remote communication technologies to deliver audio-only telehealth services ("Audio Services") in accordance with HIPAA's privacy and security rules. Audio Services may be offered by a Covered Entity in order to expand access to health care by individuals who are unable to use video telehealth services due to disability, limited English proficiency, lack of internet availability, or other factors.
Topics addressed by the guidance include:
- Reasonable safeguards that must be implemented by a Covered Entity that is providing Audio Services, including verifying the identity of the individual who is being provided the Audio Services before any PHI is disclosed;
- The application of the HIPAA security rule, which imposes requirements on the use and disclosure of electronic PHI, to various forms of communication technologies that may be used to deliver Audio Services (such as traditional landline telephones, "Voice over Internet Protocol", and communication applications on a smartphone); and
- Circumstances in which a Covered Entity must have a HIPAA business associate agreement in effect with the telecommunication service provider of the Audio Services.
The guidance also applies to a HIPAA business associate that is acting on behalf of, or providing certain services to or for, a Covered Entity with respect to the Audio Services.
The HHS guidance is available here.