On June 13th, U.S. Department of Health & Human Services (“HHS”) issued guidance advising that covered health care providers and health plans (covered entities) can provide audio-only telehealth services as long as they are compliant with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy, Security, and Breach Notification Rules (HIPAA Rules). As many individuals may not have access to technologies used for audio-video telehealth due to factors including financial limitations, disabilities, or limited English proficiency, audio-only telehealth is a good alternative that can still address these individuals’ needs. Covered health care providers may offer audio-only telehealth services using remote communication technologies consistent with the requirements of the HIPAA Rules, regardless of whether any health plan covers or pays for those services.

In March 2020, in response to the COVID-19 Public Health Emergency (“PHE”), the HHS Office for Civil Rights (“OCR”) issued a Telehealth Notification to address permitted remote health care services. The Telehealth Notification will remain in effect until the Secretary of State declares that the PHE no longer exists, or upon the expiration date of the PHE, which is currently set for July 15, 2022. Per the Telehealth Notification, OCR will exercise its enforcement discretion and will not impose penalties on covered health entities for noncompliance with the requirements of the HIPAA Rules in connection with the good faith provision of telehealth using audio/video remote communication during the PHE.  The June 13th guidance supports and clarifies the Telehealth Notification and includes new FAQs to help covered entities when the Telehealth Notification is no longer in effect.

Covered entities are required to apply reasonable safeguards to protect protected health information (“PHI”) from non-permitted uses/disclosures—this applies to telehealth services as well. For example, telehealth services should be provided in a private area, when possible. Covered entities using telephone systems that transmit electronic protected health information (“ePHI”) need to apply the HIPAA Security Rule safeguards to those technologies. An individual patient may select which telephone service they would like to use, and a covered entity is not responsible for ePHI once it has been received by the individual’s receiver device. Covered entities must also verify the identity of the individual either orally or in writing.  When necessary, the covered entity must verify the individual’s identity using language assistance services to provide access to those with limited English proficiency. 

For additional information on a wide range of topics about the HIPAA Rules and their applicability to the Telehealth Notification, please visit the OCR Privacy website at Guidance: How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-Only Telehealth | HHS.gov.