This article addresses how to track telehealth policies while addressing HIPAA compliance and mobile device management as the United States enters a post-pandemic era. The information is an overview and should not be used as legal or consulting advice. Healthcare providers need to look toward long-term telehealth policies, ensure compliance, and realize there is remaining work to be done. 

More than two-thirds of providers utilizing telehealth use audio-only, according to a recent Telehealth Survey conducted November 2021 through December 2021 by the American Medical Association (AMA).  According to this survey, 85% of physician respondents indicate they currently use telehealth. Those reporting a decrease in use since first offering it, now indicate doing a mix of in-person and virtual care. Of physicians using telehealth, the trend indicates 93% are conducting live, interactive video visits with patients and 69% are doing audio-only visits.  

Considering this survey and other reports on audio-video services, concerns seem to focus on potential overutilization, equity, and quality of care.  

A concern expressed to AIHC, by our Compliance and HIPAA Officer members, surrounds mobile devices used by providers and practice managers and the organization's responsibility to comply with applicable rules, regulations, and mobile device policies.

If your providers use a mobile device to access an organization's internal network or system, the owner of that network or system's policies and procedures apply to your use of the mobile device to gain such access. It is your organization's responsibility to understand and follow the organization's policies and procedures.

If an organization allows providers and professionals to use mobile devices for work, the organization should have reasonable and appropriate mobile device policies and procedures. The policies and procedures should describe any configuration requirements for mobile devices used by providers and professionals for work. It is your responsibility to understand and follow your organization's mobile device policies and procedures. 

"Bring Your Own Device" or BYOD refers to using a personally owned mobile device for work. Providers should be reminded to let their organization know when they want to use a personally owned mobile device. Many organizations have centralized security management to make sure mobile devices accessing their internal networks or resources are compliant with their security policies. 

It is the provider's responsibility to understand and follow the organization's mobile device policies and procedures. Registering the provider's mobile device with the organization allows the organization to control who has access to its network or system and will keep unauthorized persons from accessing its network or systems. 

Registering these mobile devices with your organization may also help the organization or law enforcement find your mobile device if it is lost or stolen. Providers should be directed to contact their organization's Privacy Officer or Security Officer to register their mobile device. 

Training is always a challenge, but if your organization cannot achieve effective training and compliance, you may need to reconsider how telehealth is delivered to your patient population.

Covered entities must comply with HIPAA Privacy and Security Rules to protect and secure health information, even when using mobile devices as described above. Taking it a step further, healthcare leaders are responsible to ensure that mobile device procedures and policies have been developed and properly implemented to protect the health information that patients entrust to you.

A great resource is utilizing the National Telehealth Policy Resource Center called "CCHP," short for Center for Connected Health Policy. CCHP has been tracking audio-only policies across the country and offers access to state audio-only policies via CCHP's Policy Finder Tool.

As AIHC advises, another resource is legal advice through your malpractice insurance company. At no additional charge, a risk attorney can be made available to help review which policies impact your type of practice and organization.

Another reliable resource is found at HealthIT.gov, the official website of the Office of the National Coordinator for Health Information Technology, otherwise known as "ONC." ONC offers basic guidance in these five steps: 1) Decide; 2) Assess; 3) Identify; 4) Develop, Document, and Implement; and 5) Train entitled "five steps organizations can take to manage mobile devices used by health care providers and professionals."

Your HIPAA Compliance Officer can serve as the best resource to help your organization navigate the telehealth and mobile device compliance issues facing your providers today. AIHC offers an online course covering both privacy and security with the option of certification (proctored and administered online).  The cost of certification is covered in the tuition price. Learn more at https://aihc-assn.org/courses/hipaa-compliance-officer/.  

It is highly recommended that mobile health app developers and Managed Service Providers (MSPs) have an in-house HIPAA Compliance Officer contributing input to ensure technology is compliant.

Integrating protections into your technology to create HIPAA compliant products is necessary for your company to succeed. Healthcare providers are subject to the HIPAA rules as covered entities to protect identifiable health information when it is created, received, maintained, and/or transmitted. These protections are required under Federal and State Privacy, Security, and Breach Notification Rules. A few basic resources to reference are:

The Office for Civil Rights (OCR) HIPAA website devotes a webpage under Special Topics entitled "Resources for Mobile Health Apps Developers."

The Federal Trade Commission (FTC) offers a webpage entitled "Mobile Health Apps Interactive Tool" to help you locate federal laws to follow.

Telehealth is also referred to as Telemedicine. It is the use of telecommunications technology to provide healthcare services to persons who are at some distance from the provider. This type of patient encounter involves a spectrum of technologies. 

Coverage and payment for telehealth can include consultation, office visits, individual psychotherapy, pharmacologic management, and other services delivered via an interactive audio and video telecommunications system.  

Provider at the distant site - As stated above, providers are at the "distant site," referring to where the provider is at the time of service. The provider can communicate with the patient using an interactive audio and video telecommunication system that permits real-time communication with the beneficiary.

When telehealth is used, it is rendered at the physical location of the patient, and therefore a provider typically needs to be licensed in the patient's state. During the COVID-19 public health emergency (PHE), many states waived this requirement or provided specific exceptions. See https://www.cchpca.org/topic/cross-state-licensing-covid-19/ for more information. 

Medicaid programs often restrict the type of providers that can be reimbursed when delivering services via telehealth. During the COVID-19 PHE, the list of providers in Medicare and many state Medicaid programs expanded to include professionals such as occupational and physical therapists and speech-language pathologists. Federally Qualified Healthcare Centers (FQHCs) and Rural Health Clinics (RHCs) were also allowed to provide services in some cases. These policies are temporary, and most will expire at the end of the PHE.

I also recommend utilizing the Telehealth.HHS.gov website for providers: "Getting Started with Telehealth." This webpage provides many additional links to more resources your organization can use to navigate this complex topic.

Temporary telehealth policies during the PHE were implemented to provide improved access to healthcare during the COVID-19 pandemic. The federal government has been encouraging providers to use telehealth to conduct virtual appointments and has made the telehealth "rules" more flexible. For instance, audio-only delivery of care has rarely been reimbursed historically. But due to COVID and the PHE, temporary policies allow this modality to deliver some services.

The PHE is reviewed and potentially extended every 90 days. When the PHE ends, coverage for telehealth may change. Monitor these updates by using the CCPH website referenced earlier in this article found at https://www.cchpca.org/.

Joanne Byron, BS, LPN, CCA, CHA, CHCO, CHBS, CHCM, CIFHA, CMDP, COCAS, CORCM, OHCC, ICDCT-CM/PCS, is CEO and Board Chair of the American Institute of Healthcare Compliance (AIHC), Joanne brings over 35 years of clinical and executive healthcare experience in areas of compliance, coding, documentation improvement, auditing, privacy, security, consulting, and administration. www.aihc-assn.org