HHS Issues Guidance on HIPAA and Audio-Only Telehealth

HHS Issues Guidance on HIPAA and Audio-Only Telehealth

Today, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), is issuing guidance on how covered health care providers and health plans can use remote communication technologies to provide audio-only telehealth services when such communications are conducted in a manner that is consistent with the applicable requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules, including when OCR’s Notification of Enforcement Discretion for Telehealth - PDF is no longer in effect.

This guidance will help individuals to continue to benefit from audio-only telehealth by clarifying how covered entities can provide these services in compliance with the HIPAA Rules and by improving public confidence that covered entities are protecting the privacy and security of their health information.

While telehealth can significantly expand access to health care, certain populations may have difficulty accessing or be unable to access technologies used for audio-video telehealth because of various factors, including financial resources, limited English proficiency, disability, internet access, availability of sufficient broadband, and cell coverage in the geographic area.  Audio-only telehealth, especially using technologies that do not require broadband availability, can help address the needs of some of these individuals.

“Audio telehealth is an important tool to reach patients in rural communities, individuals with disabilities, and others seeking the convenience of remote options. This guidance explains how the HIPAA Rules permit health care providers and plans to offer audio telehealth while protecting the privacy and security of individuals’ health information,” said OCR Director Lisa J. Pino.

The Guidance on How the HIPAA Rules Permit Health Plans and Covered Health Care Providers to Use Remote Communication Technologies for Audio-Only Telehealth


Dentist Revises Process to Safeguard Medical Alert PHI Covered Entity: Health Care Provider Issue: Safeguards, Minimum Necessary An OCR investigation confirmed allegations that a dental practice flagged some of its medical records with a red sticker with the word "AIDS" on the outside cover, and that records were handled so that other patients and staff without need to know could read the sticker. When notified of the complaint filed with OCR, the dental practice immediately removed the red AIDS sticker from the complainant's file. To resolve this matter, OCR also required the practice to revise its policies and operating ...read more



If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate? Answer: Yes, because the CSP receives and maintains (e.g., to process and/or store) electronic protected health information (ePHI) for a covered entity or another business associate.  Lacking an encryption key for the encrypted data it receives and maintains does not exempt a CSP from business associate status and associated obligations under the HIPAA Rules.  An entity that maintains ePHI on behalf of a covered entity (or another business associate) is a business associate, even if the entity cannot actually ...read more



Public Hospital Corrects Impermissible Disclosure of PHI in Response to a Subpoena Covered Entity: General Hospital Issue: Impermissible Uses and Disclosures A public hospital, in response to a subpoena (not accompanied by a court order), impermissibly disclosed the protected health information (PHI) of one of its patients. Contrary to the Privacy Rule protections for information sought for administrative or judicial proceedings, the hospital failed to determine that reasonable efforts had been made to insure that the individual whose PHI was being sought received notice of the request and/or failed to receive satisfactory assurance that the party seeking the information ...read more



Hospital Issues Guidelines Regarding Disclosures to Avert Threats to Health or Safety Covered Entity: General Hospital Issue: Safeguards; Impermissible Uses and Disclosures; Disclosures to Avert a Serious Threat to Health or Safety After treating a patient injured in a rather unusual sporting accident, the hospital released to the local media, without the patient’s authorization, copies of the patient’s skull x-ray as well as a description of the complainant’s medical condition. The local newspaper then featured on its front page the individual’s x-ray and an article that included the date of the accident, the location of the accident, the patient’s ...read more

July 2026
SuMoTuWeThFrSa
1234
567891011
12131415161718
19202122232425
262728293031

Blog Home

Newest Blog Entries
1/21/25 Understanding Business Associate Agreements

11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims

11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme

11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges

11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6

11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach

11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA

11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth

11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations

11/12/22 May a covered entity use or disclose protected health information for litigation?

11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?

Blog Archives
January 2025 (1)
November 2022 (54)

Blog Labels
ePHI (2)
HIPAA Enforcement (3)
Telehealth (1)
PPP Fraud (1)
EHR Fraud (1)
Data Breach (1)
HIPAA (2)
BAA (4)
Covered Entity (40)