What New Guidance for Healthcare Audio Calls Means to Your Business

COVID-19 continues to change the way health care is delivered. The closure of offices and physical meeting spaces forced many healthcare providers to quickly pivot to providing services via telehealth options. The Centers for Medicare and Medicaid (CMS) Office of Civil Rights (OCR) facilitated that transition by issuing a waiver of potential penalties for HIPAA violations related to telehealth use, which is still in effect.

In June of 2022, the OCR issued additional guidance on the use of audio-only calls for the delivery of healthcare services in response to the Executive Order on Transforming Federal Customer Experience and Service Delivery to Rebuild Trust In Government. The guidance is also intended to help facilitate better healthcare for segments of the population that may not have access to audio-video technology used to provide telehealth services. The information from the OCR will also help covered entities stay in compliance with HIPAA regulations once the waiver expires.

The guidance pointed out the following issues that could impact your operations:

• HIPAA-covered entities can use both audio-video and audio-only technology to provide telehealth. Covered entities are expected to apply reasonable safeguards to reduce the risk of impermissible uses and/or disclosures. Covered entities should also make reasonable efforts to verify the identity of the patient.

• Covered entities should apply the requirements of the HIPAA Security Rule to the use of remote technologies. However, the guidance specifically points out that if the covered entity is using a standard telephone line or traditional landline, the information would not be considered an electronic transmission and therefore would not be covered by the security rule.
  
• Most covered entities no longer use traditional landlines, but instead use a Voice over Internet Protocol or other mobile technology services. Covered entities need to verify that they are indeed using the traditional landline to deliver audio-only telehealth.
  
• The covered entity is not considered responsible for the protection of data on the patient’s device no matter what technology the patient may be using to communicate during a telehealth service.

• Covered entities do not need a Business Associate Agreement (BAA) for audio-only telehealth if the service provider only conducts the PHI but does not create, receive, or maintain the PHI for the entity.
  
• If your provider performs services such as maintaining recordings of calls or providing translation services, you will need to obtain a BAA.

While the OCR continues to leave in place the waiver on HIPAA enforcement for telehealth, this guidance demonstrates they are aware telehealth will remain a part of the healthcare system, and eventually they will begin enforcement.  Now is a good time to prepare for that reality.

CompliancePoint has a team of experienced assessors who can help you implement an effective HIPAA program and cyber security practices. Contact us at connect@compliancepoint.com to learn how we can help your organization.