HIPAA and Telehealth

Telehealth Privacy and Security

OCR issued two resource documents to help explain to patients the privacy and security risks to their protected health information (PHI) when using telehealth services and ways to reduce these risks.

• Resource for Health Care Providers on Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth
• Privacy and Security Tips for Patients

Expiration of COVID-19 Public Health Emergency HIPAA Notifications of Enforcement Discretion

On April 12, 2023, OCR announced that the Notifications of Enforcement Discretion issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act during the COVID-19 public health emergency will expire at 11:59 pm on May 11, 2023, due to the expiration of the COVID-19 public health emergency. OCR is providing a 90-calendar day transition period for covered health care providers to come into compliance with the HIPAA Rules with respect to their provision of telehealth. The transition period will be in effect beginning on May 12, 2023 and will expire at 11:59 p.m. on August 9, 2023. OCR will continue to exercise its enforcement discretion and will not impose penalties on covered health care providers for noncompliance with the HIPAA Rules that occurs in connection with the good faith provision of telehealth during the 90-calendar day transition period.

• Read the Press Release
• Read the Notice of Expiration of Certain Notifications of Enforcement Discretion Issued in Response to the COVID-19 Nationwide Public Health Emergency

Guidance on HIPAA and Audio-Only Telehealth

OCR has issued guidance on how covered health care providers and health plans can provide audio-only telehealth consistent with the requirements of the HIPAA Privacy, Security, and Breach Notification Rules, including when OCR’s Notification of Enforcement Discretion for Telehealth is no longer in effect.

• Read the guidance
• Read the press release

FAQs on HIPAA and Telehealth During the COVID-19 Public Health Emergency

OCR issued guidance related to its Notification of Enforcement Discretion for Telehealth during the COVID-19 nationwide public health emergency. The Notification announced that OCR would be exercising its enforcement discretion to not impose penalties for HIPAA violations against covered health care providers in connection with their good faith provision of telehealth using non-public facing remote communication technologies during the public health emergency. The guidance is in the form of frequently asked questions (FAQs) and clarifies how OCR applies the Notification to support the good faith provision of telehealth.

• FAQs on HIPAA and Telehealth
• Preguntas frecuentes sobre telemedicina y HIPAA
• Read the press release 
• Read the Notification of Enforcement Discretion
• Notificación de discreción para telemedicina