OCR Issues New Guidance Applying Security Rule to Digital

On June 13, 2022, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced new guidance on using remote communication technologies to provide audio-only telehealth services in compliance with HIPAA. Although this guidance is intended to encourage telehealth use, including audio-only telehealth for populations that may not have the resources to benefit from audio-video telehealth, it also includes a clarification that may have a substantial impact on the telecommunications industry.

Specifically, OCR draws a distinction between how HIPAA applies to analog versus digital voice communications, applying the Security Rule to digital voice communications. This represents something of a departure from prior guidance. Based on this guidance, covered entities and business associates may wish to reassess how their HIPAA compliance programs apply to digital voice communications.

Past OCR Guidance on the Security Rule and Voice Data

While the HIPAA Privacy Rule applies to all forms of protected health information (PHI), the Security Rule applies only to electronic protected health information (ePHI), defined as protected health information that is transmitted or maintained in electronic media. In turn, “electronic media” is defined with the following carve-out: “Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission.”

This definitional quirk of electronic media has led to past OCR guidance that generally excludes voice data from the Security Rule’s scope. For example, the 2003 preamble to the final Security Rule states:

Copy machines, fax machines, and telephones, even those that contain memory and can produce multiple copies for multiple people are not intended to be included in the term “computer.” Therefore, because “paper-to-paper” faxes, person-to-person telephone calls, video teleconferencing, or messages left on voice-mail were not in electronic form before the transmission, those activities are not covered by this rule.

The OCR website includes the following longstanding FAQ:

Does the Security Rule apply to written and oral communications?

Answer:

No. The standards and specifications of the Security Rule are specific to electronic protected health information (e-PHI). It should be noted however that e-PHI also includes telephone voice response and fax back systems because they can be used as input and output devices for electronic information systems. E-PHI does not include paper-to-paper faxes or video teleconferencing or messages left on voice mail, because the information being exchanged did not exist in electronic form before the transmission. In contrast, the requirements of the Privacy Rule apply to all forms of PHI, including written and oral.

Accordingly, voice communications containing PHI have been subject to the Privacy Rule when handled by HIPAA covered entities and business associates, including the Privacy Rule’s requirements for business associate agreements (unless the conduit exception applies) and reasonable safeguards, but historically have been excluded from the Security Rule’s more detailed requirements governing administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI.

We are not aware of OCR’s prior guidance drawing a distinction between analog communications and digital communications technologies with respect to Security Rule applicability, despite digital voice technologies such as Voice over Internet Protocol (VoIP) being in wide use at the time. That seemingly changed this month with OCR’s new guidance on HIPAA’s applicability to audio-only telehealth services.

OCR’s New Telehealth Guidance

In its audio-only telehealth guidance, OCR provided the following FAQ:

2. Do covered health care providers and health plans have to meet the requirements of the HIPAA Security Rule in order to use remote communication technologies to provide audio-only telehealth services?

Yes, in certain circumstances. The HIPAA Security Rule applies to electronic protected health information (ePHI), which is PHI transmitted by, or maintained in, electronic media.

The HIPAA Security Rule does not apply to audio-only telehealth services provided by a covered entity that is using a standard telephone line, often described as a traditional landline, because the information transmitted is not electronic. Accordingly, a covered entity does not need to apply the Security Rule safeguards to telehealth services that they provide using such traditional landlines (regardless of the type of telephone technology the individual uses).

However, traditional landlines are rapidly being replaced with electronic communication technologies such as Voice over Internet Protocol (VoIP) and mobile technologies that use electronic media, such as the Internet, intra- and extranets, cellular, and Wi-Fi. The HIPAA Security Rule applies when a covered entity uses such electronic communication technologies. Covered entities using telephone systems that transmit ePHI need to apply the HIPAA Security Rule safeguards to those technologies. Note that an individual receiving telehealth services may use any telephone system they choose and is not bound by the HIPAA Rules when doing so. In addition, a covered entity is not responsible for the privacy or security of individuals’ health information once it has been received by the individual’s phone or other device.

For example, some current electronic technologies that covered entities use for remote communications that require compliance with the Security Rule may include:

  • Communication applications (apps) on a smartphone or another computing device.
  • VoIP technologies.
  • Technologies that electronically record or transcribe a telehealth session.
  • Messaging services that electronically store audio messages.

Potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI when using such technologies need to be identified, assessed, and addressed as part of a covered entity’s risk analysis and risk management processes, as required by the HIPAA Security Rule. A covered entity’s risk analysis and risk management should include considerations of whether:

  • There is a risk the transmission could be intercepted by an unauthorized third party.
  • The remote communication technology (e.g., mobile device, app) supports encrypted transmissions.
  • There is a risk ePHI created or stored as a result of a telehealth session (e.g., session recordings or transcripts) could be accessed by an unauthorized third party, and whether encryption is available to secure recordings or transcripts of created or stored telehealth sessions.
  • Authentication is required to access the device or app where telehealth session ePHI may be stored.
  • The device or app automatically terminates the session or locks after a period of inactivity.

As communication technologies (e.g., networks, devices, apps) continue to evolve at a rapid pace, a robust inventory and asset management process can help covered entities identify such technologies and the information systems that use them, to help ensure an accurate and thorough risk analysis. For information about implementing the HIPAA Security Rule requirements, see OCR’s Security Rule guidance webpage.

OCR’s new guidance, which represents the agency’s interpretation but does not have the force of law, contravenes earlier guidance and expands the Security Rule’s scope to digital voice communications. This shift does not seem related to a change in technology: VoIP and digitally recorded and stored voice mails were well established when the Security Rule was finalized in 2003. Rather, this shift appears to be a change in OCR’s interpretation of the Security Rule. Because the regulations themselves are unchanged, the basis for this change in interpretation is unclear, although OCR says that the guidance “will help ensure that individuals can continue to benefit from audio-only telehealth by: clarifying how covered entities can provide telehealth services; and improving public confidence that covered entities are protecting the privacy and security of their health information.”

Impacts of the New Guidance

First, it’s always worth remembering that the original commentary and this new guidance represent OCR’s interpretation of its regulations and may not receive complete deference in a court of law. But if a covered entity chooses to adhere to this guidance, then it may want to check that its most recent HIPAA risk analysis fully addresses transmitted and stored digital voice communications, that its information security policies and procedures address this type of ePHI, and that there are appropriate controls in place (e.g., reasonable access authentication) surrounding this data.

For business associates, especially those providing telecommunications services, the impact may be bigger. To the extent that a business associate is solely transmitting digital voice communications, the conduit exception still may apply. But if a business associate is storing digital voice data containing PHI, then it previously could take the position that this data was not ePHI and only the Privacy Rule applied to it. A covered entity needed to have a business associate agreement (BAA) in place and the business associate needed to employ reasonable safeguards pursuant to the BAA but did not have to maintain a Security Rule compliance program. If a business associate that maintains digital voice data with PHI chooses to follow the new OCR guidance, however, then it now would need to treat this data as ePHI and establish a robust Security Rule program applicable to the stored data. Such an endeavor would involve a significant undertaking, including a comprehensive risk analysis and extensive policies and procedures, among other requirements.

We recognize that many organizations previously were unaware of the guidance on the Security Rule and voice transmissions and have long treated this data as subject to the Security Rule. But for those who were relying on the prior guidance to exclude voice communication PHI from the Security Rule, now is a good time to reassess your position.