OCR Releases New Guidelines Applying Security Rule to Digital Voice Transmissions and Storage | Davis Wright Tremaine LLP
On June 13, 2022, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services announced new guidance on the use of remote communication technologies to provide audio-only telehealth services in compliance with HIPAA. While this guidance is intended to encourage the use of telehealth, including audio-only telehealth for populations that may lack the resources to benefit from audio-video telehealth, it also includes a clarification that may have a substantial impact on the telecommunications industry.
Specifically, OCR distinguishes between how HIPAA applies to analog and digital voice communications, applying the Security Rule to digital voice communications. This represents something of a departure from previous guidance. Based on this guidance, Covered Entities and Business Associates may wish to reassess how their HIPAA compliance programs apply to digital voice communications.
Earlier OCR Guidance on the Security Rule and Voice Data
While the HIPAA Privacy Rule applies to all forms of Protected Health Information (PHI), the Security Rule applies only to electronic Protected Health Information (ePHI), defined as protected health information that is transmitted by or maintained in electronic media. In turn, “electronic media” is defined with the following exception: “Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission.”
This definitional quirk of electronic media has led to past OCR guidance that generally excluded voice data from the scope of the Security Rule. For example, the 2003 preamble to the final Security Rule states:
Photocopiers, fax machines and telephones, even those that contain memory and can produce multiple copies for multiple people, are not intended to be included in the term “computer”. Therefore, since “paper-to-paper” faxes, person-to-person telephone calls, video teleconferencing, or messages left on voicemail were not in electronic form before the transmission, these activities are not covered by this rule.
The OCR website includes the following long-standing FAQ:
Does the Security Rule apply to written and oral communications?
No. The Security Rule standards and specifications are specific to electronic protected health information (e-PHI). It should be noted, however, that e-PHI also includes telephone voice response and faxback systems, because they can be used as input and output devices for electronic information systems. E-PHI does not include paper-to-paper faxes, video teleconferencing, or messages left on voicemail, because the information being exchanged did not exist in electronic form before the transmission. In contrast, the Privacy Rule requirements apply to all forms of PHI, including written and oral.
As a result, voice communications containing PHI have been subject to the Privacy Rule when handled by HIPAA Covered Entities and Business Associates, including the Privacy Rule requirements for business associate agreements (unless the conduit exception applies) and reasonable safeguards, but have historically been excluded from the more detailed Security Rule requirements governing administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI.
We are not aware of previous OCR guidance distinguishing between analog and digital voice communication technologies with respect to the applicability of the Security Rule, even though digital voice technologies such as Voice over Internet Protocol (VoIP) were widely used at the time. That apparently changed this month with the new OCR guidance on HIPAA’s applicability to audio-only telehealth services.
New Telehealth Guidance from OCR
In its audio-only telehealth guidance, OCR provided the following FAQ:
2. Do covered health care providers and health plans have to meet HIPAA Security Rule requirements in order to use remote communication technologies to provide audio-only telehealth services?
Yes, under certain circumstances. The HIPAA Security Rule applies to electronic protected health information (ePHI), which is PHI transmitted by or maintained in electronic media.
The HIPAA Security Rule does not apply to audio-only telehealth services provided by a Covered Entity that uses a standard telephone line, often described as a traditional landline, because the information transmitted is not electronic. Therefore, a Covered Entity does not need to apply Security Rule safeguards to the telehealth services it provides using these traditional landlines (regardless of the type of telephone technology the individual uses).
However, traditional landlines are rapidly being replaced by electronic communication technologies such as Voice over Internet Protocol (VoIP) and mobile technologies that use electronic media, such as the Internet, intranets and extranets, cellular networks and Wi-Fi. The HIPAA Security Rule applies when a Covered Entity uses these electronic communication technologies. Covered Entities using telephone systems that transmit ePHI must apply HIPAA Security Rule safeguards to such technologies. Note that an individual receiving telehealth services may use any phone system they choose and is not bound by HIPAA rules when doing so. Further, a Covered Entity is not responsible for the privacy or security of an individual’s health information once it has been received by the individual’s phone or other device.
For example, some current electronic technologies that Covered Entities use for remote communications that require compliance with the Security Rule include:
Communication applications (apps) on a smartphone or other computing device.
Technologies that electronically record or transcribe a telehealth session.
Messaging services that electronically store audio messages.
Potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI when using these technologies should be identified, assessed and addressed as part of a Covered Entity’s risk analysis and risk management processes, as required by the HIPAA Security Rule. A Covered Entity’s risk analysis and risk management should take into account the following elements:
Whether there is a risk that the transmission could be intercepted by an unauthorized third party.
Whether the remote communication technology (e.g., mobile device, app) supports encrypted transmissions.
Whether there is a risk that ePHI created or stored as a result of a telehealth session (for example, session recordings or transcripts) could be accessed by an unauthorized third party, and whether encryption is available to secure the recordings or transcripts of telehealth sessions that are created or stored.
Whether authentication is required to access the device or application where the telehealth session ePHI may be stored.
Whether the device or application automatically terminates the session or locks after a period of inactivity.
As communication technologies (e.g., networks, devices, applications) continue to evolve at a rapid pace, a robust asset inventory and management process can help Covered Entities identify these technologies and the information systems that use them, to ensure an accurate and thorough risk analysis. For more information on implementing HIPAA Security Rule requirements, see the OCR Security Rule Guidance webpage.
The new OCR guidance, which represents the agency’s interpretation but does not have the force of law, contradicts previous guidance and extends the scope of the Security Rule to digital voice communications. This change does not appear to be driven by a change in technology: voice over IP and digitally recorded and stored voice messages were well established when the Security Rule was finalized in 2003. Rather, it appears to be a change in the interpretation of the Security Rule. Given that the regulations themselves are unchanged, the basis for this change in interpretation is unclear, although OCR says the guidance “will help ensure individuals can continue to benefit from audio-only telehealth by: clarifying how covered entities can provide telehealth services; and improving public confidence that Covered Entities protect the privacy and security of their health information.”
Impacts of the New Guidance
First, it is always helpful to remember that the original commentary and this new guidance represent OCR’s interpretation of its rules and may not be given full deference in court. But if a Covered Entity chooses to comply with this guidance, it may want to verify that its most recent HIPAA risk analysis fully addresses transmitted and stored digital voice communications, that its information security policies and procedures address such ePHI, and that appropriate controls (e.g., reasonable access authentication) are in place around such data.
For Business Associates, particularly those providing telecommunications services, the impact may be greater. To the extent that a Business Associate only transmits digital voice communications, the conduit exception may still apply. But if a Business Associate stores digital voice data containing PHI, it could previously treat that data as not being ePHI, with only the Privacy Rule applying to it. A Covered Entity was required to have a Business Associate Agreement (BAA) in place and the Business Associate was required to use reasonable safeguards in accordance with the BAA, but was not required to maintain a Security Rule compliance program. If a Business Associate storing digital voice data containing PHI chooses to follow the new OCR guidance, it will need to treat that data as ePHI and establish a robust Security Rule program covering the stored data. This would be a significant undertaking, including a comprehensive risk analysis and detailed policies and procedures, among other requirements.
We recognize that many organizations were previously unaware of the earlier guidance on the Security Rule and voice transmissions and have long treated this data as subject to the Security Rule. But for those that relied on the previous guidance to exclude voice communications containing PHI from the Security Rule, now is a good time to reevaluate that position.