Guidance on How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-Only Telehealth

Covered health care providers and health plans (covered entities)[1] can use remote communication technologies[2] to provide audio-only telehealth[3] services when such communications are conducted in a manner that is consistent with the applicable requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules (HIPAA Rules).[4] The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) developed this guidance to help covered entities understand how they can use remote communication technologies for audio-only telehealth[5] in compliance with the HIPAA Rules, including when OCR’s Notification of Enforcement Discretion for Telehealth Remote Communications (Telehealth Notification)[6] is no longer in effect.[7]

HHS is issuing this guidance on audio-only telehealth in direct response to the Executive Order on Transforming Federal Customer Experience and Service Delivery to Rebuild Trust in Government (E.O. 14058).[8] This guidance will help ensure that individuals can continue to benefit from audio-only telehealth by clarifying how covered entities can provide telehealth services and improving public confidence that covered entities are protecting the privacy and security of their health information.

In addition, while telehealth can significantly expand access to health care, certain populations may have difficulty accessing or be unable to access technologies used for audio-video telehealth because of various factors, including financial resources, limited English proficiency, disability, internet access, availability of sufficient broadband, and cell coverage in the geographic area. Audio-only telehealth, especially using technologies that do not require broadband availability, can help address the needs of some of these individuals.[9] To support access to such telehealth services, this guidance addresses questions that HHS has received about whether, and in what circumstances, audio-only telehealth is permissible under the HIPAA Rules.[10]

OCR’s Telehealth Notification and FAQs

In March 2020, in response to the COVID-19 public health emergency (PHE), OCR issued the Telehealth Notification to assist the health care industry’s response to the PHE and to quickly expand the use of remote health care services. OCR also published a set of FAQs to support and clarify the Telehealth Notification.[11]

The Telehealth Notification provides that OCR will exercise its enforcement discretion and will not impose penalties on covered health care providers[12] for noncompliance with the requirements of the HIPAA Rules in connection with the good faith provision of telehealth using non-public facing[13] audio or video remote communication technologies during the COVID-19 PHE.[14] As such, under the Telehealth Notification, covered health care providers can use any available non-public facing remote communication technologies for telehealth, even where those technologies, and the manner in which they are used, may not fully comply with the HIPAA Rules. The Telehealth Notification will remain in effect until the Secretary of HHS declares that the COVID-19 PHE no longer exists, or upon the expiration date of the declared PHE, whichever occurs first.

The following FAQs provide guidance to assist covered entities in complying with the HIPAA Rules when OCR’s Telehealth Notification is no longer in effect.

1.  Does the HIPAA Privacy Rule permit covered health care providers and health plans to use remote communication technologies to provide audio-only telehealth services?

Yes. HIPAA covered entities can use remote communication technologies to provide telehealth services, including audio-only services, in compliance with the HIPAA Privacy Rule.

The HIPAA Privacy Rule requires that covered entities apply reasonable safeguards to protect the privacy of protected health information (PHI) from impermissible uses or disclosures, including when providing telehealth services.[15] For example, OCR expects covered health care providers to provide telehealth services in private settings to the extent feasible. If telehealth services cannot be provided in a private setting (e.g., where a provider shares an office with a colleague or a family member), covered health care providers still must implement reasonable safeguards, such as using lowered voices and not using speakerphone, to limit incidental uses or disclosures of PHI.[16]

In addition, if the individual is not known to the covered entity, the entity must verify the identity of the individual either orally or in writing (which may include using electronic methods).[17] The HIPAA Rules do not mandate a specific way to verify identity. However, covered entities should be mindful that civil rights laws generally require communications with an individual with a disability to be as effective as communications with others, including by providing appropriate auxiliary aids and services where necessary.[18] This requirement extends to all communications with an individual with a disability, including communications related to verifying an individual’s identity. In addition, when necessary, covered entities must verify the individual’s identity by using language assistance services to provide meaningful access for individuals with limited English proficiency.[19]

2.  Do covered health care providers and health plans have to meet the requirements of the HIPAA Security Rule in order to use remote communication technologies to provide audio-only telehealth services?

Yes, in certain circumstances. The HIPAA Security Rule applies to electronic protected health information (ePHI), which is PHI transmitted by, or maintained in, electronic media.[20, 21]

The HIPAA Security Rule does not apply to audio-only telehealth services provided by a covered entity that is using a standard telephone line, often described as a traditional landline,[22] because the information transmitted is not electronic. Accordingly, a covered entity does not need to apply the Security Rule safeguards to telehealth services that it provides using such traditional landlines (regardless of the type of telephone technology the individual uses).

However, traditional landlines are rapidly being replaced with electronic communication technologies such as Voice over Internet Protocol (VoIP)[23] and mobile technologies that use electronic media, such as the Internet, intra- and extranets, cellular, and Wi-Fi.[24] The HIPAA Security Rule applies when a covered entity uses such electronic communication technologies. Covered entities using telephone systems that transmit ePHI need to apply the HIPAA Security Rule safeguards to those technologies. Note that an individual receiving telehealth services may use any telephone system they choose and is not bound by the HIPAA Rules when doing so. In addition, a covered entity is not responsible for the privacy or security of individuals’ health information once it has been received by the individual’s phone or other device.

For example, current electronic technologies that covered entities use for remote communications, and that therefore require compliance with the Security Rule, include:

  • Communication applications (apps) on a smartphone or another computing device.
  • VoIP technologies.
  • Technologies that electronically record or transcribe a telehealth session.
  • Messaging services that electronically store audio messages.

Potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI when using such technologies need to be identified, assessed, and addressed as part of a covered entity’s risk analysis and risk management processes, as required by the HIPAA Security Rule.[25] A covered entity’s risk analysis and risk management should include considerations of whether:

  • There is a risk the transmission could be intercepted by an unauthorized third party.
  • The remote communication technology (e.g., mobile device, app) supports encrypted transmissions.
  • There is a risk ePHI created or stored as a result of a telehealth session (e.g., session recordings or transcripts) could be accessed by an unauthorized third party, and whether encryption is available to secure recordings or transcripts of created or stored telehealth sessions.[26]
  • Authentication is required to access the device or app where telehealth session ePHI may be stored.
  • The device or app automatically terminates the session or locks after a period of inactivity.

As communication technologies (e.g., networks, devices, apps) continue to evolve at a rapid pace, a robust inventory and asset management process can help covered entities identify such technologies and the information systems that use them, to help ensure an accurate and thorough risk analysis.[27] For information about implementing the HIPAA Security Rule requirements, see OCR’s Security Rule guidance webpage.[28]

3.  Do the HIPAA Rules permit a covered health care provider or a health plan to conduct audio-only telehealth using remote communication technologies without a business associate agreement in place with the vendor?

Yes, in some circumstances. The HIPAA Rules require a covered entity to enter into a business associate agreement (BAA)[29] with a telecommunication service provider[30] (TSP) only when the vendor is acting as a business associate.[31] As explained in previous guidance, a covered entity using a telephone to communicate with patients is not required to enter into a BAA with a TSP that has only transient access to the PHI it transmits,[32] because the vendor is acting merely as a conduit for the PHI.[33] If the TSP is not also creating, receiving, or maintaining PHI on behalf of the covered entity, and the TSP does not require access on a routine basis to the PHI it transmits in the call,[34] no business associate relationship has been created. Therefore, a BAA is not needed.

  • For example, a covered health care provider may conduct an audio-only telehealth session with a patient using a smartphone without a BAA between the covered health care provider and the TSP, where the TSP does not create, receive, or maintain any PHI from the session and is only connecting the call.

However, a covered entity must enter into a BAA with a vendor that is more than a mere conduit for PHI.

  • For example, a covered health care provider may want to conduct audio-only telehealth sessions with patients using a smartphone app offered by a health care provider that stores PHI (e.g., recordings, transcripts) in the app developer’s cloud infrastructure for the provider’s later use. In this case, the app would not be providing mere data transmission services and would instead also be creating, receiving, and maintaining PHI. Because it is not merely a conduit for transmission of the PHI, the provider would need to enter into a BAA with the app developer before it can use the app with patients.
  • Similarly, a covered health care provider would need a BAA with the developer of a smartphone app that the provider uses to translate oral communications to another language to provide meaningful access to individuals with limited English proficiency,[35] because the app is creating and receiving PHI, and therefore the developer is a business associate of the provider.[36]

4.  Do the HIPAA Rules allow covered health care providers to use remote communication technologies to provide audio-only telehealth if an individual’s health plan does not provide coverage or payment for those services?

Yes. Covered health care providers may offer audio-only telehealth services using remote communication technologies consistent with the requirements of the HIPAA Rules, regardless of whether any health plan covers or pays for those services. Health plan coverage and payment policies for health care services delivered via telehealth are separate from questions about compliance with the HIPAA Rules and are not addressed in this document.



Content created by Office for Civil Rights (OCR)