Newly released guidance from the Department of Health and Human Services Office for Civil Rights targets audio-only telehealth services in compliance with the Health Insurance Portability and Accountability Act to support covered entities caring for rural health patients and those with disabilities.
The guidance comes in direct response to the Biden administration’s executive order on transforming federal customer experience and service delivery.
Particularly during the pandemic, telehealth use greatly expanded care access across the U.S., especially for populations with existing difficulties in accessing care or even technologies used for audio-video telehealth services due to financial resources, a lack of broadband or cellphone coverage, language barriers, disabilities, and other hurdles.
The use of audio-only telehealth can greatly reduce some of these challenges, as they don’t require the availability of broadband. But with most HIPAA requirements, providers may struggle with understanding what’s allowed under the privacy and security regulation.
The guidance details the HIPAA-compliant remote communication technologies for providing audio-only telehealth services, particularly when the OCR enforcement discretion around the use of telehealth tech for COVID-19 is no longer in effect.
By clarifying possible compliance concerns, OCR explained the goal is to improve public confidence and ensure patients will continue to benefit from the use of audio-only telehealth platforms, while protecting the privacy and security of protected health information.
In its release, OCR Director Lisa J. Pino notes the new guidance explains the permitted use of audio telehealth and requirements for protecting PHI, as well as how to offer those services to patients in under-represented communities.
“Audio telehealth is an important tool to reach patients in rural communities, individuals with disabilities, and others seeking the convenience of remote options,” Pino said in a statement.
The guide clarifies the importance of verifying that the identity of an individual prior to providing these services, the need for language assistance services when applicable, and the requirements outlined in the HIPAA Security Rule, including permissible tech and whether a business associate agreement is needed.
The release also details the potential electronic PHI security risks and vulnerabilities when using audio-only telehealth and how a HIPAA-required risk analysis and risk management can address these considerations, such as encryption needs, storing telehealth sessions, and authentication needs.
The release includes a long list of supportive resources to help covered entities securely and effectively use the important remote tech and services, as part of the ongoing effort to better support rural health populations.