HHS Releases HIPAA-Related Guidance for Audio-Only Telehealth

The guidance aims to answer common questions about providing audio-only telehealth services in compliance with HIPAA privacy and security regulations.

The HIPAA Security Rule does not apply to care provided through traditional telephone lines but does apply to mobile technologies that leverage electronic media like WiFi, the Department of Health and Human Services (HHS) clarified in a new guidance.

HHS’ Office for Civil Rights (OCR) released the guidance, which details how covered healthcare providers and health plans can provide audio-only telehealth services within the bounds of HIPAA.

HIPAA, or the Health Insurance Portability and Accountability Act, led to the creation of national standards to protect patient health information from being disclosed without the patient’s consent or knowledge.

In April 2020, OCR issued a notification of enforcement discretion for telehealth amid the rapidly growing COVID-19 public health crisis.

The notification stated that OCR would not impose penalties for HIPAA noncompliance on covered healthcare providers “in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”

Specifically, OCR said it would not penalize covered entities for using non-public facing remote products to communicate with patients, even when the technology and its use do not fully comply with HIPAA rules.

But the enforcement discretion only remains in effect until HHS declares the public health emergency over.  

Now, HHS has released guidance that will clarify how covered entities can continue to provide audio-only telehealth services in compliance with HIPAA rules once the enforcement discretion is no longer in effect.

“Audio telehealth is an important tool to reach patients in rural communities, individuals with disabilities, and others seeking the convenience of remote options,” said Lisa J. Pino, director of the OCR, in the press release. “This guidance explains how the HIPAA Rules permit healthcare providers and plans to offer audio telehealth while protecting the privacy and security of individuals’ health information.”

The guidance, which is provided through a series of frequently asked questions, states that the HIPAA Security Rule does not apply to audio-only telehealth services provided using a standard telephone line because the information transmitted is not electronic.

But the rule applies when a covered entity uses electronic communication technologies, such as Voice over Internet Protocol, and mobile devices that use electronic media, like the Internet, intra- and extranets, cellular, and Wi-Fi networks.

Further, a covered entity communicating with patients via the telephone is not required to enter into a business associate agreement (BAA) with a telecommunication service provider that only has transient access to the personal health information it transmits. But a BAA is required if the service provider has a hand in creating, receiving, or maintaining the information on behalf of the covered entity.

Audio-only telehealth has emerged as a key tool to combat virtual care disparities. Research has shown that people with government-sponsored insurance, Black individuals, and those older than 65 have higher proportions of audio-only telehealth visits than their counterparts.

Further, audio-only telehealth supported safety-net clinics and federally qualified health centers during the pandemic.

The Centers for Medicare and Medicaid Services' 2022 Physician Fee Schedule includes Medicare coverage for audio-only telemental health services provided by rural health clinics and federally qualified health centers, but federal reimbursement for the modality beyond this is unclear.