Covered health care providers and health plans (covered entities)[1] can use remote communication technologies[2] to provide audio-only telehealth[3] services when such communications are conducted in a manner that is consistent with the applicable requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules (HIPAA Rules).[4] The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) developed this guidance to help covered entities understand how they can use remote communication technologies for audio-only telehealth[5] in compliance with the HIPAA Rules, including when OCR’s Notification of Enforcement Discretion for Telehealth Remote Communications (Telehealth Notification)[6] is no longer in effect.[7]
HHS is issuing this guidance on audio-only telehealth in direct response to the Executive Order on Transforming Federal Customer Experience and Service Delivery to Rebuild Trust in Government (E.O. 14058).[8] This guidance will help ensure that individuals can continue to benefit from audio-only telehealth by clarifying how covered entities can provide telehealth services and by improving public confidence that covered entities are protecting the privacy and security of individuals’ health information.
In addition, while telehealth can significantly expand access to health care, certain populations may have difficulty accessing or be unable to access technologies used for audio-video telehealth because of various factors, including financial resources, limited English proficiency, disability, internet access, availability of sufficient broadband, and cell coverage in the geographic area. Audio-only telehealth, especially using technologies that do not require broadband availability, can help address the needs of some of these individuals.[9] To support access to such telehealth services, this guidance addresses questions that HHS has received about whether, and in what circumstances, audio-only telehealth is permissible under the HIPAA Rules.[10]
OCR’s Telehealth Notification and FAQs
In March 2020, in response to the COVID-19 public health emergency (PHE), OCR issued the Telehealth Notification to assist the health care industry’s response to the PHE and to quickly expand the use of remote health care services. OCR also published a set of FAQs to support and clarify the Telehealth Notification.[11]
The Telehealth Notification provides that OCR will exercise its enforcement discretion and will not impose penalties on covered health care providers[12] for noncompliance with the requirements of the HIPAA Rules in connection with the good faith provision of telehealth using non-public facing[13] audio or video remote communication technologies during the COVID-19 PHE.[14] As such, under the Telehealth Notification, covered health care providers can use any available non-public facing remote communication technologies for telehealth, even where those technologies, and the manner in which they are used, may not fully comply with the HIPAA Rules. The Telehealth Notification will remain in effect until the Secretary of HHS declares that the COVID-19 PHE no longer exists, or upon the expiration date of the declared PHE, whichever occurs first.
The following FAQs provide guidance to assist covered entities in complying with the HIPAA Rules when OCR’s Telehealth Notification is no longer in effect.
1. Does the HIPAA Privacy Rule permit covered health care providers and health plans to use remote communication technologies to provide audio-only telehealth services?
Yes. HIPAA covered entities can use remote communication technologies to provide telehealth services, including audio-only services, in compliance with the HIPAA Privacy Rule.
The HIPAA Privacy Rule requires that covered entities apply reasonable safeguards to protect the privacy of protected health information (PHI) from impermissible uses or disclosures, including when providing telehealth services.[15] For example, OCR expects covered health care providers to provide telehealth services in private settings to the extent feasible. If telehealth services cannot be provided in a private setting (e.g., where a provider shares an office with a colleague or a family member), covered health care providers still must implement reasonable safeguards, such as using lowered voices and not using speakerphone, to limit incidental uses or disclosures of PHI.[16]
In addition, if the individual is not known to the covered entity, the entity must verify the identity of the individual either orally or in writing (which may include using electronic methods).[17] The HIPAA Rules do not mandate a specific way to verify identity. However, covered entities should be mindful that civil rights laws generally require communications with an individual with a disability to be as effective as communications with others, including by providing appropriate auxiliary aids and services where necessary.[18] This requirement extends to all communications with an individual with a disability, including communications related to verifying an individual’s identity. Likewise, where necessary, covered entities must use language assistance services when verifying the identity of an individual with limited English proficiency, so that the individual has meaningful access to the verification process.[19]
2. Do covered health care providers and health plans have to meet the requirements of the HIPAA Security Rule in order to use remote communication technologies to provide audio-only telehealth services?
Yes, in certain circumstances. The HIPAA Security Rule applies to electronic protected health information (ePHI), which is PHI transmitted by, or maintained in, electronic media.[20][21]
The HIPAA Security Rule does not apply to audio-only telehealth services that a covered entity provides over a standard telephone line, often described as a traditional landline,[22] because the information transmitted is not electronic: the definition of electronic media excludes voice transmitted via telephone where the information did not exist in electronic form immediately before the transmission. Accordingly, a covered entity does not need to apply the Security Rule safeguards to telehealth services it provides using such traditional landlines (regardless of the type of telephone technology the individual uses). The exemption covers only the transmission itself; if the covered entity electronically records or transcribes a landline call, the resulting recording or transcript is ePHI and the Security Rule applies to it.
However, traditional landlines are rapidly being replaced with electronic communication technologies such as Voice over Internet Protocol (VoIP)[23] and mobile technologies that use electronic media, such as the Internet, intra- and extranets, cellular, and Wi-Fi.[24] The HIPAA Security Rule applies when a covered entity uses such electronic communication technologies. Covered entities using telephone systems that transmit ePHI need to apply the HIPAA Security Rule safeguards to those technologies. Note that an individual receiving telehealth services may use any telephone system they choose and is not bound by the HIPAA Rules when doing so. In addition, a covered entity is not responsible for the privacy or security of individuals’ health information once it has been received by the individual’s phone or other device.
For example, current electronic technologies that covered entities use for remote communications, and that therefore require compliance with the Security Rule, include:
- Communication applications (apps) on a smartphone or another computing device.
- VoIP technologies.
- Technologies that electronically record or transcribe a telehealth session.
- Messaging services that electronically store audio messages.
Potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI when using such technologies need to be identified, assessed, and addressed as part of a covered entity’s risk analysis and risk management processes, as required by the HIPAA Security Rule.[25] A covered entity’s risk analysis and risk management should include considerations of whether:
- There is a risk the transmission could be intercepted by an unauthorized third party.
- The remote communication technology (e.g., mobile device, app) supports encrypted transmissions.
- There is a risk ePHI created or stored as a result of a telehealth session (e.g., session recordings or transcripts) could be accessed by an unauthorized third party, and whether encryption is available to secure the recordings or transcripts that are created or stored from telehealth sessions.[26]
- Authentication is required to access the device or app where telehealth session ePHI may be stored.
- The device or app automatically terminates the session or locks after a period of inactivity.
As communication technologies (e.g., networks, devices, apps) continue to evolve at a rapid pace, a robust inventory and asset management process can help covered entities identify such technologies and the information systems that use them, to help ensure an accurate and thorough risk analysis.[27] For information about implementing the HIPAA Security Rule requirements, see OCR’s Security Rule guidance webpage.[28]
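As an added illustration (not part of the OCR guidance), the following Python script applies the distinctions above to a constructed technology inventory: it treats a traditional landline as out of scope unless the call is recorded or transcribed electronically, applies the risk-analysis considerations listed above to every in-scope technology, and reports tools observed in use that the inventory does not list, which is the gap an accurate asset inventory is meant to close. The inventory schema, field names and sample entries are assumptions made for the example; the findings it produces are items for the entity’s risk management process, not determinations of noncompliance.

```python
"""Inventory-driven risk analysis for audio-only telehealth technologies.

Added example, not part of the OCR guidance. The inventory schema, the
technology kinds and the sample entries below are constructed for illustration.
"""
from dataclasses import dataclass

# Kinds of remote communication technology discussed in the guidance. Only a
# traditional circuit-switched landline (PSTN) falls outside the Security Rule,
# and only while nothing from the call is captured electronically.
PSTN_LANDLINE = "pstn_landline"
ELECTRONIC_KINDS = {"voip", "smartphone_app", "recording_transcription", "voice_messaging"}


@dataclass(frozen=True)
class TelehealthTech:
    """One entry in the covered entity's technology inventory (assumed schema)."""
    name: str
    kind: str
    encrypts_transit: bool = False   # transmission protected against interception
    stores_ephi: bool = False        # keeps recordings, transcripts or audio messages
    encrypts_at_rest: bool = False   # stored recordings/transcripts are encrypted
    requires_auth: bool = False      # authentication needed to reach stored session ePHI
    auto_locks: bool = False         # session ends or device locks after inactivity


def security_rule_applies(tech: TelehealthTech) -> bool:
    """A landline call is out of scope only while no ePHI is created or stored from it."""
    if tech.kind == PSTN_LANDLINE:
        return tech.stores_ephi
    if tech.kind not in ELECTRONIC_KINDS:
        raise ValueError(f"unknown technology kind: {tech.kind!r}")
    return True


def risk_findings(tech: TelehealthTech) -> list[str]:
    """Apply the guidance's risk-analysis considerations to one technology.

    Returns an empty list for out-of-scope technologies and for in-scope
    technologies with no open consideration.
    """
    findings: list[str] = []
    if not security_rule_applies(tech):
        return findings
    # Interception / encryption in transit (not applicable to the PSTN leg itself).
    if tech.kind != PSTN_LANDLINE and not tech.encrypts_transit:
        findings.append("transmission not encrypted; interception by a third party possible")
    # Stored recordings, transcripts or messages: encryption at rest and authentication.
    if tech.stores_ephi:
        if not tech.encrypts_at_rest:
            findings.append("stored recordings/transcripts not encrypted")
        if not tech.requires_auth:
            findings.append("stored session ePHI reachable without authentication")
    # Automatic termination / lock after inactivity.
    if not tech.auto_locks:
        findings.append("no automatic session termination or lock after inactivity")
    return findings


def risk_report(inventory: list[TelehealthTech]) -> dict[str, list[str]]:
    """Findings per technology, keyed by inventory name."""
    return {tech.name: risk_findings(tech) for tech in inventory}


def unassessed(inventory: list[TelehealthTech], in_use: set[str]) -> set[str]:
    """Tools observed in use (e.g. from a device-management export) that the
    inventory does not know about, so no risk analysis has covered them."""
    return in_use - {tech.name for tech in inventory}


# Constructed sample inventory and a constructed list of tools seen in use.
INVENTORY = [
    TelehealthTech("front-desk landline", PSTN_LANDLINE),
    TelehealthTech("clinic VoIP trunk", "voip", encrypts_transit=False, auto_locks=True),
    TelehealthTech("visit app", "smartphone_app", encrypts_transit=True, stores_ephi=True,
                   encrypts_at_rest=True, requires_auth=True, auto_locks=True),
    TelehealthTech("dictation transcriber", "recording_transcription", encrypts_transit=True,
                   stores_ephi=True, encrypts_at_rest=False, requires_auth=True,
                   auto_locks=False),
]
OBSERVED_IN_USE = {"front-desk landline", "visit app", "personal messaging app"}

if __name__ == "__main__":
    for tech in INVENTORY:
        scope = "in scope" if security_rule_applies(tech) else "out of scope"
        print(f"{tech.name} ({scope}): {risk_findings(tech) or 'no open considerations'}")
    print("in use but not in inventory:", unassessed(INVENTORY, OBSERVED_IN_USE))
```

Run as a script, the report lists the unencrypted VoIP trunk and the transcriber’s unencrypted storage and missing inactivity lock as open risk items, marks the landline as out of scope, and flags the personal messaging app as a technology no risk analysis has examined.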
3. Do the HIPAA Rules permit a covered health care provider or a health plan to conduct audio-only telehealth using remote communication technologies without a business associate agreement in place with the vendor?
Yes, in some circumstances. The HIPAA Rules require a covered entity to enter into a business associate agreement (BAA)[29] with a telecommunication service provider[30] (TSP) only when the vendor is acting as a business associate.[31] As explained in previous guidance, a covered entity using a telephone to communicate with patients is not required to enter into a BAA with a TSP that has only transient access to the PHI it transmits,[32] because the vendor is acting merely as a conduit for the PHI.[33] If the TSP is not also creating, receiving, or maintaining PHI on behalf of the covered entity, and the TSP does not require access on a routine basis to the PHI it transmits in the call,[34] no business associate relationship has been created. Therefore, a BAA is not needed.
- For example, a covered health care provider may conduct an audio-only telehealth session with a patient using a smartphone without a BAA between the covered health care provider and the TSP, where the TSP does not create, receive, or maintain any PHI from the session and is only connecting the call.
However, a covered entity must enter into a BAA with a vendor that is more than a mere conduit for PHI.
- For example, a covered health care provider may want to conduct audio-only telehealth sessions with patients using a smartphone app offered by a vendor that stores PHI (e.g., recordings, transcripts) in the app developer’s cloud infrastructure for the provider’s later use. In this case, the app would not be providing mere data transmission services and would instead also be creating, receiving, and maintaining PHI. Because it is not merely a conduit for transmission of the PHI, the provider would need to enter into a BAA with the app developer before it can use the app with patients.
- Similarly, a covered health care provider would need a BAA with the developer of a smartphone app that the provider uses to translate oral communications to another language to provide meaningful access to individuals with limited English proficiency,[35] because the app is creating and receiving PHI, and therefore the developer is a business associate of the provider.[36]
4. Do the HIPAA Rules allow covered health care providers to use remote communication technologies to provide audio-only telehealth if an individual’s health plan does not provide coverage or payment for those services?
Yes. Covered health care providers may offer audio-only telehealth services using remote communication technologies consistent with the requirements of the HIPAA Rules, regardless of whether any health plan covers or pays for those services. Health plan coverage and payment policies for health care services delivered via telehealth are separate from questions about compliance with the HIPAA Rules and are not addressed in this document.
Resources
OCR Resources
- OCR Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID–19 Nationwide Public Health Emergency
- FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency
- Guidance on the HIPAA Security Rule
- Guidance on HIPAA and Cloud Computing
- Guidance on HIPAA Business Associate Agreements
- FAQ: Use of Telecommunications Relay Service (TRS) does not require a business associate agreement with the TRS
- HHS Security Risk Assessment Tool (jointly developed by OCR and the Office of the National Coordinator for Health Information Technology (ONC))
- Filing a complaint with OCR if you believe that a HIPAA covered entity or business associate violated your (or someone else’s) health information privacy rights or committed another violation of the HIPAA Rules
HHS Resources
- Telehealth resources are available at https://telehealth.hhs.gov/ and https://www.hhs.gov/coronavirus/telehealth/index.html
- HHS information about Medicare and Medicaid coverage and billing for telehealth services is available at https://telehealth.hhs.gov/providers/billing-and-reimbursement/
- CMS Telehealth Resources about Medicare and Medicaid coverage
- SAMHSA Guidance regarding telehealth and Confidentiality of Substance Use Disorder Treatment Records regulations (42 CFR Part 2)
Endnotes
1. A HIPAA covered entity is a health plan, health care clearinghouse, or “a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.” Where this guidance refers to a covered entity, the language also applies to a business associate acting on behalf of, or providing certain services to or for, a covered entity to conduct the activity. See 45 CFR 160.103 (definitions of “Covered entity” and “Business associate”).
2. See OCR “FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency” for more information on which remote communication products are public facing and which are non-public facing, at https://www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf.
3. The HHS Health Resources and Services Administration (HRSA) defines telehealth as the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration. See https://www.hrsa.gov/rural-health/topics/telehealth/what-is-telehealth.
4. See 45 CFR Subchapter C, parts 160 and 164.
5. Except where an FAQ response addresses a specific audio-only technology, the information in this guidance is generally applicable to the provision of all telehealth services, and not just audio-only telehealth.
6. See 85 FR 22024-25 (April 21, 2020), available at https://www.govinfo.gov/content/pkg/FR-2020-04-21/pdf/2020-08416.pdf.
7. The Notification will remain in effect until the Secretary of HHS declares that the public health emergency no longer exists, or upon the expiration date of the declared public health emergency, including any extensions, whichever occurs first. See 85 FR 22024. OCR will issue a notice to the public when it is no longer exercising its enforcement discretion based upon the latest facts and circumstances.
8. See E.O. 14058, 86 FR 71357 (December 16, 2021).
9. A person with limited English proficiency may need a qualified interpreter whose services are easier to coordinate over the phone. Audio-only telehealth may serve remote patients with limited access to computers or high-speed internet. While audio-only telehealth may be preferred by some individuals with disabilities, covered entities should be mindful that audio-only telehealth may not provide effective communication for other individuals with disabilities, such as individuals who are deaf.
10. This guidance does not provide information about coverage or payment for health care services delivered via telehealth. Certain health plans may have specific policies about, or limitations on, coverage and payment for health care services provided via telehealth, and these policies and limitations are not addressed in this document. See Resources above for more information. See also 45 CFR 160.103 (definition of “Health plan”).
11. See https://www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf.
12. The Telehealth Notification does not apply to health plans that provide telehealth.
13. A "non-public facing" remote communication product is one that, as a default, allows only the intended parties to participate in the communication. See OCR’s HIPAA FAQ #3024 at https://www.hhs.gov/hipaa/for-professionals/faq/3024/what-is-a-non-public-facing-remote-communication-product/index.html
14. See original determination of a public health emergency related to COVID-19 https://www.phe.gov/emergency/news/healthactions/phe/Pages/2019-nCoV.aspx, and April 12, 2022 Renewal https://aspr.hhs.gov/legal/PHE/Pages/COVID19-12Apr2022.aspx.
15. See 45 CFR 164.530(c). See also OCR’s HIPAA FAQ #482 at https://www.hhs.gov/hipaa/for-professionals/faq/482/does-hipaa-permit-a-doctor-to-share-patient-information-for-treatment-over-the-phone/index.html.
16. See 45 CFR 164.502(a)(1)(iii); see also OCR’s HIPAA FAQ #3021 at https://www.hhs.gov/hipaa/for-professionals/faq/3021/where-can-health-care-providers-conduct-telehealth/index.html.
17. See 45 CFR 164.514(h). See also OCR’s HIPAA FAQ #569 at https://www.hhs.gov/hipaa/for-professionals/faq/569/how-may-hipaas-requirements-for-verification-of-identity-be-met-electronically/index.html.
18. See e.g., 45 CFR 92.102; 45 CFR 84.52(c); 45 CFR 84.52(d); 28 CFR 35.160; 28 CFR 36.303(c).
19. See 45 CFR 80 and 45 CFR 92.201.
20. See 45 CFR 160.103 (definitions of “Electronic protected health information” and “Electronic media”).
21. See the HIPAA Security Rule at 45 CFR Parts 160 and 164, Subpart C. The Security Rule also applies to a business associate, such as a technology vendor with routine access to ePHI.
22. Such traditional telephones use circuit-switched voice communication service technologies through the Public Switched Telephone Network (PSTN).
23. VoIP technologies convert audio into a digital signal that is then transmitted over the internet. See https://www.fcc.gov/general/voice-over-internet-protocol-voip.
24. A recent report by the Federal Communications Commission (FCC) stated that the “number of fixed retail switched-access lines declined over the past three years at a compound annual rate of 13%, while interconnected VoIP subscriptions increased at a compound annual growth rate of 3%.” See Federal Communications Commission. 2020 COMMUNICATIONS MARKETPLACE REPORT, p 102. https://docs.fcc.gov/public/attachments/FCC-20-188A1.pdf.
25. See 45 CFR 164.308(a)(1)(ii)(A)-(B), Risk analysis and Risk management.
26. For more information about encryption, see OCR Cybersecurity Newsletter Summer 2021 at https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-summer-2021/index.html.
27. See OCR Cybersecurity Newsletter Summer 2020 at https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-summer-2020/index.html.
28. See https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html?language=es.
29. See 45 CFR 164.308(b) and 45 CFR 164.502(e). Information about business associate agreements is available at https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.
30. Telecommunication service provider means companies that provide voice and/or data transmission services, such as Internet Service Providers (ISPs), telecommunication carriers, and wireless carriers.
31. See 45 CFR 160.103 (definition of “Business associate”).
32. Transient access occurs when a service provider only transmits PHI (whether in electronic or paper form) and does not maintain it except on a temporary basis incident to such transmission. More information about transient versus persistent access to PHI is available at https://www.hhs.gov/hipaa/for-professionals/special-topics/health-information-technology/cloud-computing/.
33. See OCR’s HIPAA FAQ #245 at https://www.hhs.gov/hipaa/for-professionals/faq/245/are-entities-business-associates/index.html.
34. “A conduit transports information but does not access it other than on a random or infrequent basis as necessary for the performance of the transportation service or as required by law. Since no disclosure is intended by the covered entity, and the probability of exposure of any particular protected health information to a conduit is very small, a conduit is not a business associate of the covered entity.” See OCR’s HIPAA FAQ #245 at https://www.hhs.gov/hipaa/for-professionals/faq/245/are-entities-business-associates/index.html and HIPAA FAQ #2077 at https://www.hhs.gov/hipaa/for-professionals/faq/2077/can-a-csp-be-considered-to-be-a-conduit-like-the-postal-service-and-therefore-not-a-business%20associate-that-must-comply-with-the-hipaa-rules/index.html.
35. OCR encourages covered entities to ensure the accuracy and quality of any language assistance service provided, whether via smartphone app or live interpretation or translation. For further guidance on the use of automatic or machine translation, including digital services and websites, visit LEP.gov.
36. A covered entity would need to enter into a BAA with any language interpretation service it engages because the service is creating, receiving, maintaining, or transmitting PHI for or on behalf of the covered entity. In contrast, OCR has described when a covered entity can contact an individual using a Telecommunications Relay Service (TRS) communication assistant without having a business associate agreement in place with the TRS provider because the TRS provider is not acting for or on behalf of the covered entity. See OCR guidance at https://www.hhs.gov/hipaa/for-professionals/faq/500/is-a-relay-service-a-business-associate-of-a-doctor/index.html. Also see 86 FR 6446, 6496-6487 (January 21, 2021) for discussion of HHS’s proposals to modify the Privacy Rule to expressly permit disclosures to TRS communications assistants and to modify the definition of business associate to expressly exclude TRS providers.