Guidance on How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-Only Telehealth

Covered health care providers and health plans (covered entities)A HIPAA covered entity is a health plan, health care clearinghouse, or “a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.”  Where this guidance refers to a covered entity, the language also applies to a business associate acting on behalf of, or providing certain services to or for, a covered entity to conduct the activity. See 45 CFR 160.103, links to an external website (definitions of “Covered entity” and “Business associate”). can use remote communication technologiesSee OCR “FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency” for more information on what are public and non-public facing remote communication products at https://www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf, opens in a new tab [PDF, 424 KB]. to provide audio-only telehealthThe HHS Health Resources and Services Administration (HRSA) defines telehealth as the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration.  See  https://www.hrsa.gov/rural-health/topics/telehealth/what-is-telehealth. services when such communications are conducted in a manner that is consistent with the applicable requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules (HIPAA Rules).See 45 CFR Subchapter C,, links to an external website parts 160 and 164. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) developed this guidance to help covered entities understand how they can use remote communication technologies for audio-only telehealthExcept where an FAQ response addresses a specific audio-only technology, the information in this guidance is generally applicable to the provision of all telehealth services, and not just audio-only telehealth. in compliance with the HIPAA Rules, including when OCR’s Notification of Enforcement Discretion for Telehealth Remote Communications (Telehealth Notification) See 85 FR 22024-25 (April 21, 2020), available at https://www.govinfo.gov/content/pkg/FR-2020-04-21/pdf/2020-08416.pdf, links to an external website, opens in a new tab. is no longer in effect.The Notification will remain in effect until the Secretary of HHS declares that the public health emergency no longer exists, or upon the expiration date of the declared public health emergency, including any extensions, whichever occurs first. See 85 FR 22024. OCR will issue a notice to the public when it is no longer exercising its enforcement discretion based upon the latest facts and circumstances.

HHS is issuing this guidance on audio-only telehealth in direct response to the Executive Order on Transforming Federal Customer Experience and Service Delivery to Rebuild Trust in Government (E.O. 14058).See E.O. 14058, 86 FR 71357, links to an external website (December 16, 2021). This guidance will help ensure that individuals can continue to benefit from audio-only telehealth by clarifying how covered entities can provide telehealth services and improving public confidence that covered entities are protecting the privacy and security of their health information.

In addition, while telehealth can significantly expand access to health care, certain populations may have difficulty accessing or be unable to access technologies used for audio-video telehealth because of various factors, including financial resources, limited English proficiency, disability, internet access, availability of sufficient broadband, and cell coverage in the geographic area.  Audio-only telehealth, especially using technologies that do not require broadband availability, can help address the needs of some of these individuals.A person with limited English proficiency may need a qualified interpreter whose services are easier to coordinate over the phone.  Audio-only telehealth may serve remote patients with limited access to computers or high-speed internet. While audio-only telehealth may be preferred by some individuals with disabilities, covered entities should be mindful that audio-only telehealth may not provide effective communication for other individuals with disabilities, such as individuals who are deaf.  To support access to such telehealth services, this guidance addresses questions that HHS has received about whether, and in what circumstances, audio-only telehealth is permissible under the HIPAA Rules.This guidance does not provide information about coverage or payment for health care services delivered via of telehealth. Certain health plans may have specific policies about, or limitations on, coverage and payment for health care services provided via telehealth, and these policies and limitations are not addressed in this document. See Resources below for more information. See also 45 CFR 160.103, links to an external website (definition of “Health plan”). 

OCR’s Telehealth Notification and FAQs

In March 2020, in response to the COVID-19 public health emergency (PHE), OCR issued the Telehealth Notification to assist the health care industry’s response to the PHE and to quickly expand the use of remote health care services.  OCR also published a set of FAQs to support and clarify the Telehealth Notification.See https://www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf, opens in a new tab.

The Telehealth Notification provides that OCR will exercise its enforcement discretion and will not impose penalties on covered health care providersThe Telehealth Notification does not apply to health plans that provide telehealth. for noncompliance with the requirements of the HIPAA Rules in connection with the good faith provision of telehealth using non-public facingA "non-public facing" remote communication product is one that, as a default, allows only the intended parties to participate in the communication. See OCR’s HIPAA FAQ #3024 at https://www.hhs.gov/hipaa/for-professionals/faq/3024/what-is-a-non-public-facing-remote-communication-product/index.html audio or video remote communication technologies during the COVID-19 PHE.See original determination of a public health emergency related to COVID-19 https://www.phe.gov/emergency/news/healthactions/phe/Pages/2019-nCoV.aspx, and April 12, 2022 Renewal https://aspr.hhs.gov/legal/PHE/Pages/COVID19-12Apr2022.aspx.  As such, under the Telehealth Notification, covered health care providers can use any available non-public facing remote communication technologies for telehealth, even where those technologies, and the manner in which they are used, may not fully comply with the HIPAA Rules.  The Telehealth Notification will remain in effect until the Secretary of HHS declares that the COVID-19 PHE no longer exists, or upon the expiration date of the declared PHE, whichever occurs first.  

The following FAQs provide guidance to assist covered entities in complying with the HIPAA Rules when OCR’s Telehealth Notification is no longer in effect. 

1.  Does the HIPAA Privacy Rule permit covered health care providers and health plans to use remote communication technologies to provide audio-only telehealth services?

Yes. HIPAA covered entities can use remote communication technologies to provide telehealth services, including audio-only services, in compliance with the HIPAA Privacy Rule.  

The HIPAA Privacy Rule requires that covered entities apply reasonable safeguards to protect the privacy of protected health information (PHI) from impermissible uses or disclosures, including when providing telehealth services.See 45 CFR 164.530(c).  See also OCR’s HIPAA FAQ #482 at https://www.hhs.gov/hipaa/for-professionals/faq/482/does-hipaa-permit-a-doctor-to-share-patient-information-for-treatment-over-the-phone/index.html.  For example, OCR expects covered health care providers to provide telehealth services in private settings to the extent feasible.  If telehealth services cannot be provided in a private setting (e.g., where a provider shares an office with a colleague or a family member), covered health care providers still must implement reasonable safeguards, such as using lowered voices and not using speakerphone, to limit incidental uses or disclosures of PHI.See 45 CFR 164.502(a)(1)(iii); see also OCR’s HIPAA FAQ #3021 at https://www.hhs.gov/hipaa/for-professionals/faq/3021/where-can-health-care-providers-conduct-telehealth/index.html.

In addition, if the individual is not known to the covered entity, the entity must verify the identity of the individual either orally or in writing (which may include using electronic methods).See 45 CFR 164.514(h). See also OCR’s HIPAA FAQ #569 at https://www.hhs.gov/hipaa/for-professionals/faq/569/how-may-hipaas-requirements-for-verification-of-identity-be-met-electronically/index.html.  The HIPAA Rules do not mandate a specific way to verify identity. However, covered entities should be mindful that civil rights laws generally require communications with an individual with a disability to be as effective as communications with others, including by providing appropriate auxiliary aids and services where necessary.See e.g., 45 CFR 92.102; 45 CFR 84.52(c); 45 CFR 84.52(d); 28 CFR 35.160; 28 CFR 36.303(c).  This requirement extends to all communications with an individual with a disability, including communications related to verifying an individual’s identity.  In addition, when necessary, covered entities must verify the individual’s identity by using language assistance services to provide meaningful access for individuals with limited English proficiency.See 45 CFR 80 and 45 CFR 92.201.

2.  Do covered health care providers and health plans have to meet the requirements of the HIPAA Security Rule in order to use remote communication technologies to provide audio-only telehealth services?

Yes, in certain circumstances. The HIPAA Security Rule applies to electronic protected health information (ePHI), which is PHI transmitted by, or maintained in, electronic media.See 45 CFR 160.103 (definitions of “Electronic protected health information” and “Electronic media”)., See the HIPAA Security Rule at 45 CFR Parts 160 and 164, Subpart C, links to an external website. The Security Rule also applies to a business associate, such as a technology vendor with routine access to ePHI.

The HIPAA Security Rule does not apply to audio-only telehealth services provided by a covered entity that is using a standard telephone line, often described as a traditional landline,Such traditional telephones use circuit-switched voice communication service technologies through the Public Switched Telephone Network (PSTN).  because the information transmitted is not electronic.  Accordingly, a covered entity does not need to apply the Security Rule safeguards to telehealth services that they provide using such traditional landlines (regardless of the type of telephone technology the individual uses).

However, traditional landlines are rapidly being replaced with electronic communication technologies such as Voice over Internet Protocol (VoIP)VoIP technologies convert audio into a digital signal that is then transmitted over the internet. See https://www.fcc.gov/general/voice-over-internet-protocol-voip, links to an external website. and mobile technologies that use electronic media, such as the Internet, intra- and extranets, cellular, and Wi-Fi. A recent report by the Federal Communications Commission (FCC) stated that the “number of fixed retail switched-access lines declined over the past three years at a compound annual rate of 13%, while interconnected VoIP subscriptions increased at a compound annual growth rate of 3%.”  See Federal Communications Commission. 2020 COMMUNICATIONS MARKETPLACE REPORT, p 102. https://docs.fcc.gov/public/attachments/FCC-20-188A1.pdf, links to an external website, opens in a new tab.  The HIPAA Security Rule applies when a covered entity uses such electronic communication technologies.  Covered entities using telephone systems that transmit ePHI need to apply the HIPAA Security Rule safeguards to those technologies.  Note that an individual receiving telehealth services may use any telephone system they choose and is not bound by the HIPAA Rules when doing so. In addition, a covered entity is not responsible for the privacy or security of individuals’ health information once it has been received by the individual’s phone or other device.   

For example, some current electronic technologies that covered entities use for remote communications that require compliance with the Security Rule, may include:

  • Communication applications (apps) on a smartphone or another computing device.
  • VoIP technologies.
  • Technologies that electronically record or transcribe a telehealth session.
  • Messaging services that electronically store audio messages. 

Potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI when using such technologies need to be identified, assessed, and addressed as part of a covered entity’s risk analysis and risk management processes, as required by the HIPAA Security Rule.See 45 CFR 164.308(a)(1)(ii)(A)-(B), Risk analysis and Risk management.   A covered entity’s risk analysis and risk management should include considerations of whether:

  • There is a risk the transmission could be intercepted by an unauthorized third party. 
  • The remote communication technology (e.g., mobile device, app) supports encrypted transmissions.
  • There is a risk ePHI created or stored as a result of a telehealth session (e.g., session recordings or transcripts) could be accessed by an unauthorized third party, and whether encryption is available to secure recordings or transcripts of created or stored telehealth sessions.For more information about encryption, see OCR Cybersecurity Newsletter Summer 2021 at https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-summer-2021/index.html.    
  • Authentication is required to access the device or app where telehealth session ePHI may be stored.
  • The device or app automatically terminates the session or locks after a period of inactivity.

As communication technologies (e.g., networks, devices, apps) continue to evolve at a rapid pace, a robust inventory and asset management process can help covered entities identify such technologies and the information systems that use them, to help ensure an accurate and thorough risk analysis.See OCR Cybersecurity Newsletter Summer 2020 at https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-summer-2020/index.html.  For information about implementing the HIPAA Security Rule requirements, see OCR’s Security Rule guidance webpage.See https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html?language=es.

3.  Do the HIPAA Rules permit a covered health care provider or a health plan to conduct audio-only telehealth using remote communication technologies without a business associate agreement in place with the vendor? 

Yes, in some circumstances.  The HIPAA Rules require a covered entity to enter into a business associate agreement (BAA)See 45 CFR 164.308(b) and 45 CFR 164.502(e).Information about business associate agreements is available at https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html. with a telecommunication service providerTelecommunication service provider means companies that provide voice and/or data transmission services, such as Internet Service Providers (ISPs), telecommunication carriers, and wireless carriers. (TSP) only when the vendor is acting as a business associate.See 45 CFR 160.103 (definition of “Business associate”).  As explained in previous guidance, a covered entity using a telephone to communicate with patients is not required to enter into a BAA with a TSP that has only transient access to the PHI it transmits,Transient access occurs when a service provider only transmits PHI (whether in electronic or paper form) and does not maintain it except on a temporary basis incident to such transmission. More information about transient versus persistent access to PHI is available at https://www.hhs.gov/hipaa/for-professionals/special-topics/health-information-technology/cloud-computing/. because the vendor is acting merely as a conduit for the PHI.See OCR’s HIPAA FAQ #245 at https://www.hhs.gov/hipaa/for-professionals/faq/245/are-entities-business-associates/index.html.  If the TSP is not also creating, receiving, or maintaining PHI on behalf of the covered entity, and the TSP does not require access on a routine basis to the PHI it transmits in the call,“A conduit transports information but does not access it other than on a random or infrequent basis as necessary for the performance of the transportation service or as required by law. Since no disclosure is intended by the covered entity, and the probability of exposure of any particular protected health information to a conduit is very small, a conduit is not a business associate of the covered entity.”  See OCR’s HIPAA FAQ #245 at https://www.hhs.gov/hipaa/for-professionals/faq/245/are-entities-business-associates/index.html and HIPAA FAQ #2077 at https://www.hhs.gov/hipaa/for-professionals/faq/2077/can-a-csp-be-considered-to-be-a-conduit-like-the-postal-service-and-therefore-not-a-business%20associate-that-must-comply-with-the-hipaa-rules/index.html. no business associate relationship has been created.  Therefore, a BAA is not needed.

  • For example, a covered health care provider may conduct an audio-only telehealth session with a patient using a smartphone without a BAA between the covered health care provider and the TSP, where the TSP does not create, receive, or maintain any PHI from the session and is only connecting the call. 

However, a covered entity must enter into a BAA with a vendor that is more than a mere conduit for PHI. 

  • For example, a covered health care provider may want to conduct audio-only telehealth sessions with patients using a smartphone app offered by a health care provider that stores PHI (e.g., recordings, transcripts) in the app developer’s cloud infrastructure for the provider’s later use. In this case, the app would not be providing mere data transmission services and would instead also be creating, receiving, and maintaining PHI.  Because it is not merely a conduit for transmission of the PHI, the provider would need to enter into a BAA with the app developer before it can use the app with patients.  
  • Similarly, a covered health care provider would need a BAA with the developer of a smartphone app that the provider uses to translate oral communications to another language to provide meaningful access to individuals with limited English proficiency,OCR encourages covered entities to ensure the accuracy and quality of any language assistance service provided, whether via smartphone app or live interpretation or translation. For further guidance on the use of automatic or machine translation, including digital services and websites, visit LEP.gov, links to an external website. because the app is creating and receiving PHI, and therefore the developer is a business associate of the provider.A covered entity would need to enter into a BAA with any language interpretation service it engages because the service is creating, receiving, maintaining, or transmitting PHI for or on behalf of the covered entity.  In contrast, OCR has described when a covered entity can contact an individual using a Telecommunications Relay Service (TRS) communication assistant without having a business associate agreement in place with the TRS provider because the TRS provider is not acting for or on behalf of the covered entity. See OCR guidance at https://www.hhs.gov/hipaa/for-professionals/faq/500/is-a-relay-service-a-business-associate-of-a-doctor/index.html. Also see 86 FR 6446, 6496-6487 (January 21, 2021) for discussion of HHS’s proposals to modify the Privacy Rule to expressly permit disclosures to TRS communications assistants and to modify the definition of business associate to expressly exclude TRS providers.

4.  Do the HIPAA Rules allow covered health care providers to use remote communication technologies to provide audio-only telehealth if an individual’s health plan does not provide coverage or payment for those services?

Yes.  Covered health care providers may offer audio-only telehealth services using remote communication technologies consistent with the requirements of the HIPAA Rules, regardless of whether any health plan covers or pays for those services. Health plan coverage and payment policies for health care services delivered via telehealth are separate from questions about compliance with the HIPAA Rules and are not addressed in this document.   

Resources

OCR Resources

HHS Resources

Content created by Office for Civil Rights (OCR)
Content last reviewed