About two-thirds of Unity Health Care’s telehealth visits during the pandemic were audio-only, according to Robie. For other organizations, such as FQHCs and community health centers in California, audio-only telehealth made up more than 90% of all virtual visits.
Multiple bills introduced in Congress, such as the CONNECT for Health Act of 2021 and the Ensuring Parity in MA and PACE for Audio-Only Telehealth Act of 2021, aim to remove barriers to providing telehealth services and receiving insurance reimbursement at the federal level. In addition, several U.S. states are looking to make permanent the temporary allowances for audio-only telehealth that were enacted during the COVID-19 public health emergency.
A Window into Fraud and Identity Risk
Generally speaking, audio-only telehealth poses a low privacy and security risk to healthcare organizations.
Telephone calls between providers and patients are compliant with HIPAA as long as they meet two conditions: First, the provider cannot allow the phone carrier or internet service provider to access or store protected health information discussed during the call. Second, the provider cannot share PHI that already existed in an electronic form immediately prior to the call (in other words, information unrelated to the specific reason for the call).
What’s more, the Office for Civil Rights within the Department of Health and Human Services has indicated that it will not impose penalties for HIPAA noncompliance “in connection with the good faith provision of telehealth” during the COVID-19 public health emergency.
Common security best practices can be applied to audio-only visits. For example, secure Wi-Fi networks, virtual private networks and Transport Layer Security will keep call data encrypted and protected in transit. Disabling features such as automatic voicemail transcription can ensure that electronic PHI is not shared with the wrong person. In addition, any device that stores patient contact information — especially a smartphone — should be secured to prevent the disclosure of electronic PHI in case it is lost or stolen.
While single visits could be subject to targeted social engineering attacks — for example, by someone trying to steal an individual patient’s identity — audio-only visits don’t represent a large-scale threat, according to Jeremy Grant of the Better Identity Coalition.