Skip to main content
U.S. flag

An official website of the United States government

Here’s how you know

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

HTTPS

Secure .gov websites use HTTPS
A lock (LockA locked padlock) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

  • About HHS
  • Programs & Services
  • Grants & Contracts
  • Laws & Regulations
  • Radical Transparency
  • Big Wins
  • HIPAA for Individuals
  • Filing a Complaint
  • HIPAA for Professionals
  • Newsroom
Breadcrumb
  1. HHS
  2. HIPAA Home
  3. For Professionals
  4. Special Topics
  5. HIPAA and Telehealth
  • HIPAA for Professionals
  • Regulatory Initiatives
  • Privacy
    • Summary of the Privacy Rule
    • Guidance
    • Combined Text of All Rules
    • HIPAA Related Links
  • Security
    • Security Rule NPRM
    • Summary of the Security Rule
    • Security Guidance
    • Cyber Security Guidance
  • Breach Notification
    • Breach Reporting
    • Guidance
    • Reports to Congress
    • Regulation History
  • Compliance & Enforcement
    • Enforcement Rule
    • Enforcement Process
    • Enforcement Data
    • Resolution Agreements
    • Case Examples
    • Audit
    • Reports to Congress
    • State Attorneys General
  • Special Topics
    • HIPAA and Part 2
    • Change Healthcare Cybersecurity Incident FAQs
    • HIPAA and COVID-19
    • HIPAA and Reproductive Health
      • HIPAA and Final Rule Notice
    • HIPAA and Telehealth
    • HIPAA and FERPA
    • Research
    • Public Health
    • Emergency Response
    • Health Information Technology
    • Health Apps
  • Patient Safety
  • Covered Entities & Business Associates
    • Business Associate Contracts
    • Business Associates
  • Training & Resources
  • FAQs for Professionals
  • Other Administrative Simplification Rules

HIPAA and Telehealth

Telehealth Privacy and Security

OCR issued two resource documents to help explain to patients the privacy and security risks to their protected health information (PHI) when using telehealth services and ways to reduce these risks.

  • Resource for Health Care Providers on Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth
  • Privacy and Security Tips for Patients

Expiration of COVID-19 Public Health Emergency HIPAA Notifications of Enforcement Discretion

On April 12, 2023, OCR announced that the Notifications of Enforcement Discretion issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act during the COVID-19 public health emergency will expire at 11:59 pm on May 11, 2023, due to the expiration of the COVID-19 public health emergency. OCR is providing a 90-calendar day transition period for covered health care providers to come into compliance with the HIPAA Rules with respect to their provision of telehealth. The transition period will be in effect beginning on May 12, 2023 and will expire at 11:59 p.m. on August 9, 2023. OCR will continue to exercise its enforcement discretion and will not impose penalties on covered health care providers for noncompliance with the HIPAA Rules that occurs in connection with the good faith provision of telehealth during the 90-calendar day transition period.

  • Read the Press Release
  • Read the Notice of Expiration of Certain Notifications of Enforcement Discretion Issued in Response to the COVID-19 Nationwide Public Health Emergency

Guidance on HIPAA and Audio-Only Telehealth

OCR has issued guidance on how covered health care providers and health plans can provide audio-only telehealth consistent with the requirements of the HIPAA Privacy, Security, and Breach Notification Rules, including when OCR’s Notification of Enforcement Discretion for Telehealth is no longer in effect.

  • Read the guidance
  • Read the press release

FAQs on HIPAA and Telehealth During the COVID-19 Public Health Emergency

OCR issued guidance related to its Notification of Enforcement Discretion for Telehealth during the COVID-19 nationwide public health emergency. The Notification announced that OCR would be exercising its enforcement discretion to not impose penalties for HIPAA violations against covered health care providers in connection with their good faith provision of telehealth using non-public facing remote communication technologies during the public health emergency. The guidance is in the form of frequently asked questions (FAQs) and clarifies how OCR applies the Notification to support the good faith provision of telehealth.

  • FAQs on HIPAA and Telehealth
  • Preguntas frecuentes sobre telemedicina y HIPAA
  • Read the press release 
  • Read the Notification of Enforcement Discretion
  • Notificación de discreción para telemedicina
Content created by Office for Civil Rights (OCR)
Content last reviewed October 18, 2023
Back to top

Subscribe to Email Updates

Receive the latest updates from the Secretary and Press Releases.

Subscribe
  • Contact HHS
  • Careers
  • HHS FAQs
  • Nondiscrimination Notice
  • Press Room
  • HHS Archive
  • Accessibility Statement
  • Privacy Policy
  • Budget/Performance
  • Inspector General
  • Web Site Disclaimers
  • EEO/No Fear Act
  • FOIA
  • The White House
  • USA.gov
  • Vulnerability Disclosure Policy
HHS Logo

HHS Headquarters

200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll Free Call Center: 1-877-696-6775​

Follow HHS

Follow Secretary Kennedy