The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently issued new guidance (Guidance) on the use of remote communication technologies to deliver audio-only telehealth in accordance with HIPAA. Per OCR, the Guidance is intended to ensure continued access for patients to audio-only telehealth in a secure and compliant manner, particularly once OCR’s notification of enforcement discretion (previously discussed here) tied to the COVID-19 pandemic is rescinded (i.e., once the HHS-declared COVID-19 public health emergency is ended).

The Guidance is presented via a series of FAQs with responses from OCR, and notes the important role audio-only telehealth can serve for patients experiencing barriers to in-person care and to video-enabled technologies necessary to access face-to-face telehealth services. First, OCR affirms that HIPAA allows providers (and health plans) to utilize remote communications technologies to deliver audio-only telehealth, and reminds providers that they are expected to deliver “telehealth services in private settings to the extent feasible.” OCR also indicates that covered entities are obligated to verify the identities of individuals not otherwise known to the entities, either orally or in writing.

Interestingly, in the Guidance OCR states that HIPAA’s security rule does not apply to audio-only telehealth via a ‘landline’ telephone because the information transmitted is not electronic, but it does apply to electronic communication technologies (e.g., those which utilize internet, cellular, and WiFi technologies), and therefore HIPAA security rule safeguards must be utilized for such technologies. OCR also reminds covered entities that a business associate agreement may be required with a communications vendor if, under the arrangement, the vendor is more than a mere conduit of PHI between the entity and the patient. Finally, OCR also confirms that HIPAA permits a provider to utilize remote communication technologies to deliver telehealth services even if the services are not covered or reimbursed by the patient’s health plan.

As providers and regulators prepare to transition out of the COVID-19 public health emergency, this Guidance provides a helpful reminder of HIPAA obligations related to audio-only telehealth, and a confirmation that providers can deliver patient audio-only services to patients in a compliant manner. We expect additional guidance to be forthcoming related to HIPAA and other practice matters significantly affected by COVID-19, and will share thoughts on such guidance as it is released.

Photo of Conor Duffy Conor Duffy

Conor Duffy is a member of Robinson+Cole’s Health Law Group and the firm’s Data Privacy + Security Team. Mr. Duffy advises hospitals, physician groups, accountable care organizations, community providers, post-acute care providers, and other health care entities on general corporate matters and health…

Conor Duffy is a member of Robinson+Cole’s Health Law Group and the firm’s Data Privacy + Security Team. Mr. Duffy advises hospitals, physician groups, accountable care organizations, community providers, post-acute care providers, and other health care entities on general corporate matters and health care issues. He provides legal counsel on a full range of transactional and regulatory health law issues, including contracting, licensure, mergers and acquisitions, the False Claims Act, the Stark Law, Medicare and Medicaid fraud and abuse laws and regulations, HIPAA compliance, state breach notification requirements, and other health care regulatory matters. Read his full rc.com bio here.