Over the course of the summer, HHS has taken at least three regulatory actions in as many months which may subject HIPAA-regulated entities to additional compliance obligations, including with respect to their handling of protected health information (PHI).
- On June 13, 2022, the HHS Office for Civil Rights (OCR) issued guidance on how covered health care providers and health plans can use remote communication technologies to provide audio-only telehealth services when such services are provided in a manner consistent with HIPAA.
- On August 4, 2022, HHS published a proposed rule (NPRM) which would prohibit discrimination in the use of clinical algorithms in health care decision-making and the provision of telehealth services. OCR addressed similar topics in guidance published on July 29, 2022 in partnership with the Department of Justice Civil Rights Division, which outlined federal protections to ensure accessibility of telehealth services for people with disabilities and limited English proficient (LEP) persons.
Audio-Only Telehealth HIPAA Guidance
In its June 13, 2022, guidance, OCR outlined conditions under which covered entities may use remote communication technologies to provide telehealth services, including audio-only services, in compliance with HIPAA. The guidance states that covered entities providing such services must:
Implement reasonable safeguards to protect the privacy of PHI from impermissible use or disclosure, which may occur due to the nature of telehealth services.
For instance, OCR expects covered health care providers to provide telehealth services in private settings, to the extent feasible. Where doing so is not possible (e.g., where a provider shares an office), additional safeguards should be implemented, like using lowered voices.
OCR also expects telehealth providers to verify the identities of the individuals with whom they speak. While OCR does not prescribe the manner in which such verification should occur, it notes that reasonable modifications and language assistance may need to be provided to accommodate disabilities and LEP challenges.
Comply with the HIPAA Security Rule, including by conducting required risk assessments, unless they do not use a remote communication technology that transmits PHI electronically.
Audio-only telehealth services provided through technologies such as Voice over Internet Protocol (VoIP) and other online mediums, including Wi-Fi, generally involve the transmission of electronic PHI and therefore typically are covered by the HIPAA Security Rule.
HIPAA security risk assessments are required to identify, assess, and address potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI when using such technologies. Such assessments should include, among other things, considerations of whether the technology (i) supports encrypted transmissions; (ii) automatically terminates the session or locks after a period of inactivity; and (iii) could permit the interception of transmissions by an unauthorized third party.
Execute Business Associate Agreements (BAAs) with remote communication technology vendors where required.
A telecommunication service provider that creates, receives, or maintains PHI on behalf of the covered entity and requires routine access to PHI to provide the services, likely is a Business Associate and a BAA is required.
In limited circumstances, a BAA is not required where a telecommunication service provider “has only transient access to the PHI it transmits, because the vendor is acting merely as a conduit for the PHI.”
This guidance will not enter into effect until OCR’s Notification of Enforcement Discretion for Telehealth Remote Communications is rescinded. This exercise of enforcement discretion, which OCR issued in March 2020 and remains in force, provides that OCR will not impose penalties against covered health care providers for noncompliance with HIPAA in connection with the good faith provision of telehealth during the COVID-19 public health emergency.
Proposed Rule Prohibiting Discrimination in the Use of Clinical Algorithms and Telehealth Services
OCR’s proposals regarding clinical algorithms and telehealth services is part of an NPRM that more broadly seeks to implement the nondiscrimination provisions of the Affordable Care Act. If finalized, the proposed rule would prohibit discrimination “against any individual on the basis of race color, national origin, sex, age, or disability through the use of clinical algorithms in its decision-making.” The proposed rule also contains a similar provision prohibiting discrimination on the same grounds in a covered entity’s “delivery of its health programs and activities through telehealth services.” With respect to nondiscrimination in the use of clinical algorithms, the NPRM’s preamble states that OCR “believes [the proposed rule] would put covered entities on notice that they cannot use discriminatory clinical algorithms and may need to make reasonable modifications in their use of the algorithms, unless doing so would cause a fundamental alternation to their health program or activity.” And while OCR clarifies that “covered entities are not liable for clinical algorithms that they did not develop,” they “may be held liable under [the proposed rule] for their decisions made in reliance on clinical algorithms.” The telehealth provisions of the proposed rule appear largely in line with this guidance described above. These provisions also dovetail with the July 29, 2022, guidance, which sets forth steps providers may, and in some cases must, take to help ensure telehealth services they provide are accessible to all individuals, including individuals with disabilities and LEP persons.
HHS’ recent regulatory actions suggest innovations in clinical technologies may be under increased scrutiny. In light of this, HIPAA-regulated entities may wish to analyze their implementation of new health care technologies over the course of the COVID-19 pandemic, particularly in the areas of telehealth and clinical algorithms, to ensure they are well-positioned to address potential obligations under this guidance or which may be established through HHS’ ongoing rulemaking under the Affordable Care Act. To the extent such entities wish to weigh in on the proposed rule prohibiting discrimination in the use of clinical algorithms and telehealth services, they may submit public comments here until 11:59PM EDT on October 3, 2022.
Authored by: Melissa Bianchi, Donald DePass, and Erik Lampmann.