//WebSights Header HTML Script Skip to Main Content
Blog

Application of the HIPAA Rules to Audio-only Telehealth


The Department of Health and Human Services (HHS) issued guidance to help providers and health plans understand how they can use remote communication technologies for audio-only telehealth in compliance with the Privacy and Security Rules under the Health Insurance Portability and Accountability Act (HIPAA).

Background

In March 2020, HHS issued enforcement discretion stating it will not impose certain HIPAA penalties against health care providers using audio-only telehealth communications in good faith during the COVID-19 public health emergency (PHE). This enforcement discretion remains in effect until the PHE no longer exists. However, HHS’ recent guidance clarifies that audio-only telehealth services may continue to be used even after this expiration date.

HIGHLIGHTS

  • The HIPAA Security Rule does not apply to services provided using traditional landlines, but does apply when a covered entity uses electronic communication technologies to provide remote telehealth services.
  • Current technologies that may be used for remote communication and require compliance with the HIPAA Security Rule include communication applications on a smartphone or Voice over Internet Protocol (VoIP) technologies.

Remote telehealth services may continue to be used in compliance with the HIPAA rules even after the COVID-19 public health emergency ends.

HHS Guidance

This guidance was issued in the form of FAQs addressing the following topics:

  • The HIPAA Privacy Rule allows covered entities to use remote communication technologies to provide audio-only telehealth services as long as reasonable safeguards are adopted to protect the privacy of protected health information (PHI).
  • The HIPAA Security Rule applies to electronic PHI but does not apply to audio-only telehealth services using a standard telephone line or landline because the information transmitted is not electronic.
  • In some circumstances, the HIPAA Rules allow a covered health care provider or a health plan to conduct audio-only telehealth using remote communication technologies without a business associate agreement in place with the vendor.
  • Covered providers may offer audio-only telehealth services consistent with the HIPAA Rules, regardless of whether any health plan covers or pays for those services.