Audio-only telehealth: How to maintain privacy and security

A new resource from the Department of Health and Human Services helps providers comply with HIPAA while providing audio-only services.

Cite this
American Psychological Association. (2022, July 5). Audio-only telehealth: How to maintain privacy and security.

Providing phone-only or audio-only services is a great way to help patients access care when video telehealth isn’t an option. But psychologists should take steps to ensure they are protecting their patients’ private health care information while offering these services.

The Office of Civil Rights (OCR) under the U.S. Department of Health and Human Services (HHS) recently released guidance and an FAQ on how psychologists and others may provide audio-only telehealth services consistent with HIPAA requirements. Together, the guidance and FAQ create a single resource that includes information previously released by OCR on HIPAA compliance for audio-only telehealth services.

Temporary policies under the Covid-19 public health emergency (PHE) declaration expanded coverage for telehealth, including audio-only services, to make it easier for patients to access health care. In addition to the expansion of coverage for such telehealth services, in March 2020 the OCR maintained it would waive penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth while the PHE is still in effect (HIPAA Waiver). (For more details on the Waiver and APA’s recommendations in response, see the first question in FAQs psychologists have about practicing telehealth.)

In 2021, the Centers for Medicare and Medicaid Services (CMS) issued regulations to make coverage for audio-only services permanent after the PHE ends. However, other temporary policies related to telehealth are set to expire when the PHE ends later this year. Unless OCR takes further action, one such policy is the HIPAA Waiver described above. As a result, providers could be penalized for HIPAA noncompliance while providing telehealth services.

To help psychologists deliver services consistent with HIPAA requirements, here are the main points outlined in the OCR guidance and FAQ:

  • HIPAA’s Privacy Rule permits the use of audio-only services (without a video component) as long as psychologists verify the patient’s identity orally or in writing (including using electronic methods). It is important to note that nondiscrimination laws require that, when working with a patient with a disability, communication be as effective as communication with an individual without a disability. This may impose additional requirements, such as providing an auxiliary aid to assist with the communication, including when verifying the patient’s identity.
  • During audio-only telehealth sessions, you should take steps to protect the privacy of the Protected Health Information (PHI) from impermissible uses or disclosures. (For the explanation of PHI and other HIPAA terms, see APA’s Privacy Rule resource [PDF, 1.5MB].) For example, you and your patient should be in a private setting, avoid using speaker phone, or speak in lowered voices to keep outsiders from overhearing the conversation.
  • The HIPAA Security Rule (PDF, 245KB) does not apply to audio-only phone communications when using a landline phone because no information is transmitted electronically. The Security Rule will likely apply when using electronic communication technologies like VoIP, cell phones or other digital-based audio-only communications (see the OCR guidance for examples).
  • Where the Security Rule applies, you must advise the patient of the potential security risks in using electronic communication methods and ensure that those communications are not accessed by unauthorized third parties. Use encryption where available. Implement authentication measures in accessing your device and relevant telehealth software. Set the device to lock or the app to end the call after a specific period of inactivity.
  • OCR explains the circumstances where providers will need to have a business associate agreement (BAA) with a vendor providing audio-only phone services. (For APA’s overview of BAAs and when to use one, read The Nuts and Bolts of Business Association Agreements [PDF, 282KB].) If the phone service vendor is merely facilitating the transmission (the vendor cannot access the conversation between the provider and patient), then it is not a business associate. But if the vendor stores recordings or transcripts of the audio-only session in its cloud or offers translation or transcription services (OCR views those services as creating and/or receiving PHI), then it will likely be deemed a business associate, and you would need to have a BAA with the vendor.

The guidance given by OCR serves as a reminder to providers that OCR’s enforcement discretion regarding HIPAA telehealth regulations (about BAAs with telehealth vendors) ends when the PHE ends. Psychologists and other telehealth providers should work to ensure they are complying with HIPAA requirements to avoid being penalized.