Skip to Main Content
Services Talent Knowledge
Site Search
Menu

Alert

Our attorneys stay on top of changes in legislation, agency regulations, case law, and industry trends—then craft timely legal alerts to keep clients up to date on legal developments important to their business.

June 22, 2022

HHS OCR Issues Guidance on the Use of Remote Communication Technologies for Audio-Only Telehealth Services

On June 13, 2022, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued guidance on the use of remote communication technologies for audio-only telehealth services by covered health care providers. The guidance clarifies how covered entities can provide audio-only telehealth in compliance with the Health Insurance Portability and Accountability Act of 1996’s (HIPAA) Privacy, Security, and Breach Notification Rules. Covered health care providers should take note of this guidance from OCR, as it will continue to apply even after OCR’s Notice of Enforcement Discretion for Telehealth is no longer in effect. The following is a summary of the guidance’s key takeaways. 

HIPAA Privacy Rule Compliance

OCR’s guidance clarifies that the HIPAA Privacy Rule permits covered health care providers to use remote communication technologies to provide audio-only telehealth services (not video) so long as the technology’s use complies with the Rule’s requirements. In order to use remote communication technologies, the covered health care provider must ensure that applicable requirements, including the use of reasonable safeguards to protect the privacy of protected health information (PHI) from impermissible use or disclosure, are met. For example, covered health care providers are expected to provide telehealth services in private settings to the extent feasible and are required to verify the patient’s identity either orally or in writing (including by electronic methods) in instances where the patient is not known to the covered entity. The covered entity should document the verification in the patient record.

HIPAA Security Rule Compliance 

According to the guidance from OCR, covered health care providers must meet the requirements of the HIPAA Security Rule in order to use remote communication technologies to provide audio-only telehealth services. Importantly, the HIPAA Security Rule’s requirements do not apply to audio-only telehealth services that are provided using a standard telephone line (i.e., a traditional landline). Instead, the Rule only applies to electronic protected health information (ePHI) that is transmitted by, or maintained in, electronic media. The key to determining whether the HIPAA Security Rule requirements apply is the type of remote communication technology used by the covered health care provider. For example, the Security Rule requirements would not apply in instances where the covered health care provider is providing services using a traditional landline, regardless of whether the patient is utilizing another type of remote communication technology. Importantly, covered health care providers are not responsible for the privacy and security of a patient’s health information once the information has been received by the patient’s phone or device.

The HIPAA Security Rule does apply, however, in instances where electronic communication technologies are used. Electronic communication technologies include Voice over Internet Protocol (VoIP) and mobile technologies that use electronic media like the internet, intra- and extranets, cellular, and Wi-Fi as well as communication applications (apps) on smartphones or other computing devices, technologies that electronically record or transcribe the telehealth sessions, and messaging services that store audio messages electronically. If a covered health care provider uses one of these types of electronic communication technologies, the HIPAA Security Rule safeguards must be applied. Specifically, the covered health care provider must identify, assess, and address any potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI through its risk analysis and risk management processes.  According to the guidance, this risk analysis and risk management should consider whether there is a risk that the transmission could be intercepted by an unauthorized third party, whether the remote communication technology supports encrypted transmissions, and whether authentication is required to access the device or app where ePHI for the telehealth session may be stored, among others.

Business Associate Agreements

OCR’s guidance also clarifies that covered health care providers may conduct audio-only telehealth using remote communication technologies without having a business associate agreement (BAA) in place with the vendor. However, if the vendor is acting as a business associate, a BAA is required. For example, if the vendor does not create, receive, or maintain any PHI from a telehealth session and is only connecting the call, a BAA is not required. In contrast, if the vendor is more than a conduit for the PHI (i.e., has more than transient access to the PHI it transmits), a BAA is required. Another example of an instance where a BAA would be required is when a covered health care provider uses a smartphone app to translate oral communications to another language. 

Covered health care providers that wish to offer audio-only telehealth services using remote communication technologies should review the guidance from OCR and update their policies and procedures as necessary. Additionally, providers should ensure that appropriate BAAs are in place where necessary. Robust inventory and asset management processes to ensure that accurate and thorough risk analyses occur are also critical for covered health care providers that use electronic communication technologies. Attorneys on Barclay Damon’s Health & Human Services Providers Team are available to assist health care providers with compliance efforts under the HIPAA Rules and will continue to monitor any developments and best practices.

If you have any questions about the content of this alert, please contact Dena DeFazio, associate, at ddefazio@barclaydamon.com, or another member of the firm’s Health & Human Services Providers Team.

Subscribe

Click here to sign up for alerts, blog posts, and firm news.

Featured Media

Alerts

RAPID Action: NYS Office of Energy Renewable Energy Siting and Transmission Announces Draft Regulations for New Transmission Siting Framework

Alerts

NYSDEC Issues Draft Freshwater Wetlands General Permit

Alerts

USPTO Updates Audit Program

Alerts

NYS DOL Publishes Long-Awaited FAQs on Paid Prenatal Leave Law

Alerts

Update on Massachusetts Pay Transparency Law Disclosures and EEO Reporting Requirements in 2025

Alerts

Massachusetts Employers Required to Provide Job Applicants Notice That Use of a Lie Detector Test Is Unlawful

This site uses cookies to give you the best experience possible on our site and in some cases direct advertisements to you based upon your use of our site.

By clicking [I agree], you are agreeing to our use of cookies. For information on what cookies we use and how to manage our use of cookies, please visit our Privacy Statement.

I AgreeOpt-Out