Paubox blog: HIPAA compliant email made easy

Audio-only telehealth services and HIPAA compliance

Written by Kirsten Peremore | September 29, 2023

Telehealth services offer increased accessibility, cost-effectiveness, and convenience for patients and providers. They often provide a rare and crucial opportunity for disadvantaged individuals to access necessary healthcare. Healthcare organizations utilizing this method should therefore ensure that all interactions remain HIPAA compliant.


What is audio-only telehealth?

Audio-only telehealth refers to the remote delivery of healthcare services using technology where communication between a healthcare provider and a patient occurs solely through audio, such as phone calls. In this mode of telehealth, patients and healthcare professionals interact and exchange health-related information without face-to-face meetings. During audio-only telehealth sessions, patient privacy and the security of protected health information (PHI) should remain a prominent concern within healthcare organizations.


How is it utilized in healthcare?

  • Medical consultations
  • Counseling and therapy
  • Follow-up appointments
  • Prescription refills
  • Remote monitoring
  • Health education
  • Crisis intervention
  • Language translation


HIPAA compliance in audio-only telehealth consultations

HIPAA compliance in audio-only telehealth consultations involves ensuring the privacy and security of patients' PHI during remote healthcare interactions conducted solely through audio, such as phone calls. Healthcare providers must adhere to the HIPAA Privacy Rule, which entails using and disclosing electronic PHI (ePHI) only for authorized purposes, obtaining patient consent for certain disclosures, and providing patients with a clear Notice of Privacy Practices (NPP) outlining their privacy rights. Moreover, providers need to implement administrative, physical, and technical safeguards, such as secure communication channels and encryption, to protect ePHI from unauthorized access or disclosure. Handling data breaches appropriately, including prompt notification of affected individuals and reporting to the HHS Office for Civil Rights (OCR), is also required to maintain HIPAA compliance in audio-only telehealth consultations.


How to select HIPAA compliant telehealth platforms and vendors

Telehealth providers should carefully evaluate potential platforms and vendors to ensure they meet the necessary security and privacy standards.

Key considerations are:

  1. HIPAA compliance: Verify that the platform or vendor has a history of maintaining HIPAA compliance and has the safeguards to protect ePHI.
  2. Business associate agreement (BAA): Ensure the vendor is willing to sign a BAA. Without a BAA, the platform cannot be considered HIPAA compliant.
  3. Security features: Evaluate the platform's security features, such as encryption, access controls, and secure communication channels, to ensure they meet HIPAA requirements.
  4. User experience: Consider the platform's ease of use for patients and healthcare providers. A user-friendly platform can help minimize errors and enhance the overall telemedicine experience.
  5. Integration capabilities: Assess whether the platform can easily integrate with your existing systems, such as electronic health records (EHRs) or practice management software.

See also: How does HIPAA apply to telehealth?


Are business associate agreements with telehealth platforms always needed?

A business associate agreement (BAA) is necessary for a telecommunication service provider (TSP) only in some circumstances.

Specifically, a BAA is required when the TSP goes beyond acting as a mere conduit for transmitting PHI. If the TSP only provides transient access to PHI and does not create, receive, or maintain PHI on behalf of the covered entity, and if the TSP does not require routine access to the PHI transmitted during the call, then a BAA may not be needed.

However, if the TSP's activities involve creating, receiving, or maintaining PHI, it is considered a business associate, and a BAA must be in place between the covered entity and the TSP to ensure HIPAA compliance. Whether a BAA is required therefore depends on the nature of the services the TSP provides and whether they involve handling PHI beyond transient access.


Assistive methods of communication to use alongside audio-only telehealth

  1. HIPAA compliant email: Utilize HIPAA compliant email services that adhere to the requirements for sending and receiving electronic PHI (ePHI). These services typically include encryption and other security features.
  2. Secure messaging platforms: Implement secure messaging platforms designed for healthcare that allow providers and patients to exchange text messages, images, and documents while maintaining privacy and security.
  3. Video conferencing (if available): If video capabilities are available and patients are comfortable with it, consider incorporating video into telehealth consultations while ensuring HIPAA compliant video conferencing tools are used.
  4. Mobile apps: Explore mobile applications that are designed for secure healthcare communication, including text messaging and video chat options, to enhance patient-provider interactions.
  5. Patient education portals: Provide patients with access to online educational resources and information related to their healthcare needs through secure, HIPAA compliant email.
  6. Medical transcription services: If audio recordings are used during telehealth consultations, employ secure medical transcription services that can transcribe audio notes while safeguarding patient privacy.

See also: Do you need patient opt-in for educational emails?