HHS Emphasizes Importance of New Health Technologies in Series of Regulatory Actions | Hogan Lovells

Recent regulatory actions from the U.S. Department of Health and Human Services (HHS) underscore the role emerging technologies are playing in the delivery of healthcare, particularly as clinical innovations proliferate in response to the COVID-19 pandemic. These actions include guidance on the accessibility of telehealth services as well as proposed rules on non-discrimination in clinical algorithms and telehealth services.

Over the summer, HHS took at least three regulatory actions in as many months that may subject HIPAA-regulated entities to additional compliance obligations, including obligations regarding their handling of protected health information (PHI).

  • On June 13, 2022, the HHS Office for Civil Rights (OCR) released guidance on how covered health care providers and health plans can use remote communication technologies to provide audio-only telehealth services in a HIPAA-compliant manner.
  • On August 4, 2022, HHS released a Proposed Rule (NPRM) that would prohibit discrimination in the use of clinical algorithms in healthcare decision-making and in the provision of telehealth services. OCR addressed similar topics in guidance released July 29, 2022 in partnership with the Civil Rights Division of the Department of Justice, which outlined federal protections to ensure telehealth services are accessible to people with disabilities and people with limited English proficiency (LEP).

HIPAA Audio-Only Telehealth Guide

In its guidance dated June 13, 2022, OCR outlined the conditions under which covered entities may use remote communication technologies to provide telehealth services, including audio-only services, in accordance with HIPAA. The guidance states that covered entities providing such services must:

  • Implement reasonable safeguards to protect the confidentiality of PHI against impermissible uses or disclosures that may arise due to the nature of telehealth services.

    • For example, OCR expects covered healthcare providers to provide telehealth services in private settings whenever possible. Where this is not possible (for example, where a provider is sharing an office), additional safeguards should be implemented, such as the use of lowered voices.

    • OCR also expects telehealth providers to verify the identity of the people they speak with. While OCR does not prescribe how such verification should occur, it does note that reasonable modifications and language assistance may be required to accommodate disabilities and LEP challenges.

  • Comply with the HIPAA Security Rule, including by performing required risk assessments, unless the remote communication technology they use does not transmit PHI electronically.

    • Audio-only telehealth services delivered through technologies such as voice over internet protocol (VoIP) and other online media, including Wi-Fi, generally involve the transmission of electronic PHI and are therefore generally covered by the HIPAA Security Rule.

    • HIPAA Security Rule risk assessments are required to identify, assess, and address potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI when using these technologies. These assessments should include, among other things, considerations as to whether the technology (i) supports encrypted transmissions; (ii) automatically terminates the session or locks itself after a period of inactivity; and (iii) may allow the interception of transmissions by an unauthorized third party.

  • Execute Business Associate Agreements (BAAs) with remote communication technology vendors, where applicable.

    • A telecommunications service provider that originates, receives, or manages PHI on behalf of the covered entity and requires regular access to PHI to provide its services is likely a business associate, and a BAA is required.

    • In limited circumstances, a BAA is not required where a telecommunications service provider “has only transient access to the PHI it transmits, because the provider is merely acting as an intermediary for the PHI”.

This guidance will not take effect until OCR's Notification of Enforcement Discretion for Telehealth Remote Communications is rescinded. This exercise of enforcement discretion, which OCR issued in March 2020 and which remains in effect, provides that OCR will not impose penalties on covered healthcare providers for non-compliance with HIPAA in connection with the good faith provision of telehealth during the COVID-19 public health emergency.

Proposed rule prohibiting discrimination in the use of clinical algorithms and telehealth services

OCR’s proposals for clinical algorithms and telehealth services are part of an NPRM that aims more broadly to implement the Affordable Care Act’s non-discrimination provisions. If finalized, the proposed rule would prohibit discrimination “against any individual on the basis of color, race, national origin, sex, age or disability through the use of clinical algorithms in its decision-making”. The proposed rule also contains a similar provision prohibiting discrimination on the same grounds in a covered entity’s “delivery of its health programs and activities through telehealth services.”

With respect to non-discrimination in the use of clinical algorithms, the NPRM preamble states that OCR “believes [the proposed rule]” would warn covered entities that they may not use discriminatory clinical algorithms and that they may need to make reasonable modifications to their use of algorithms, unless doing so would result in a fundamental change to their health program or activity. And while OCR clarifies that “covered entities are not liable for clinical algorithms that they did not develop”, they “may be held liable under [the proposed rule] for their decisions made based on clinical algorithms.”

The telehealth provisions of the proposed rule seem largely consistent with the guidance outlined above. These provisions are also consistent with the July 29, 2022 guidance, which sets out the steps that providers can, and in some cases must, take to help ensure that the telehealth services they provide are accessible to everyone, including people with disabilities and people with LEP.

Key points to remember

Recent regulatory actions by HHS suggest that innovations in clinical technologies may come under increased scrutiny. In light of this, HIPAA-regulated entities may wish to analyze their implementation of new healthcare technologies during the COVID-19 pandemic, particularly in the areas of telehealth and clinical algorithms, to ensure they are well positioned to meet potential liabilities under this guidance or as may be established through HHS’s ongoing rulemaking under the Affordable Care Act. To the extent that these entities wish to weigh in on the proposed rule prohibiting discrimination in the use of clinical algorithms and telehealth services, they may submit public comments until 11:59 p.m. EDT on October 3, 2022.