HHS Issues Guidance on HIPAA and Audio-Only Telehealth
HHS Issues Guidance on HIPAA and Audio-Only Telehealth
Today,
the U.S. Department of Health and Human Services (HHS), through its
Office for Civil Rights (OCR), is issuing guidance on how covered health
care providers and health plans can use remote communication
technologies to provide audio-only telehealth services when such
communications are conducted in a manner that is consistent with the
applicable requirements of the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach
Notification Rules, including when OCR’s Notification of Enforcement Discretion for Telehealth - PDF is no longer in effect.
This guidance will help individuals to continue to benefit from
audio-only telehealth by clarifying how covered entities can provide
these services in compliance with the HIPAA Rules and by improving
public confidence that covered entities are protecting the privacy and
security of their health information.
While telehealth can significantly expand access to health care,
certain populations may have difficulty accessing or be unable to access
technologies used for audio-video telehealth because of various
factors, including financial resources, limited English proficiency,
disability, internet access, availability of sufficient broadband, and
cell coverage in the geographic area. Audio-only telehealth, especially
using technologies that do not require broadband availability, can help
address the needs of some of these individuals.
“Audio telehealth is an important tool to reach patients in rural
communities, individuals with disabilities, and others seeking the
convenience of remote options. This guidance explains how the HIPAA
Rules permit health care providers and plans to offer audio telehealth
while protecting the privacy and security of individuals’ health
information,” said OCR Director Lisa J. Pino.
The Guidance on How the HIPAA Rules Permit Health Plans and Covered
Health Care Providers to Use Remote Communication Technologies for
Audio-Only Telehealth
| What is a covered entity’s obligation under the Breach Notification Rule if it transmits an individual’s PHI to a third party designated by the individual in an access request, and the entity discovers the information was breached in transit? This guidance remains in effect only to the extent that it is consistent with the court’s order in Ciox Health, LLC v. Azar, No. 18-cv-0040 (D.D.C. January 23, 2020), which may be found at https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2018cv0040-51. More information about the order is available at https://www.hhs.gov/hipaa/court-order-right-of-access/index.html. Any provision within this guidance that has been vacated by the Ciox Health decision is rescinded. ...read more |
| Entity Rescinds Improper Charges for Medical Record Copies to Reflect Reasonable, Cost-Based Fees Covered Entity: Private Practice Issue: Access A patient alleged that a covered entity failed to provide him access to his medical records. After OCR notified the entity of the allegation, the entity released the complainant’s medical records but also billed him $100.00 for a “records review fee” as well as an administrative fee. The Privacy Rule permits the imposition of a reasonable cost-based fee that includes only the cost of copying and postage and preparing an explanation or summary if agreed to by the individual. To ...read more |
| Mental Health Center Provides Access after Denial Covered Entity: Mental Health Center Issue: Access, Authorization The complainant alleged that a mental health center (the "Center") improperly provided her records to her auto insurance company and refused to provide her with a copy of her medical records. The Center provided OCR with a valid authorization, signed by the complainant, permitting the release of information to the auto insurance company. OCR also determined that the Center denied the complainant's request for access because her therapists believed providing the records to her would likely cause her substantial harm. The Center did not, ...read more |
| If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate? Answer: Yes, because the CSP receives and maintains (e.g., to process and/or store) electronic protected health information (ePHI) for a covered entity or another business associate. Lacking an encryption key for the encrypted data it receives and maintains does not exempt a CSP from business associate status and associated obligations under the HIPAA Rules. An entity that maintains ePHI on behalf of a covered entity (or another business associate) is a business associate, even if the entity cannot actually ...read more |
|
May 2026
| Su | Mo | Tu | We | Th | Fr | Sa |
| | | | | 1 | 2 |
| 3 | 4 | 5 | 6 | 7 | 8 | 9 |
| 10 | 11 | 12 | 13 | 14 | 15 | 16 |
| 17 | 18 | 19 | 20 | 21 | 22 | 23 |
| 24 | 25 | 26 | 27 | 28 | 29 | 30 |
| 31 |
Blog Home
Newest Blog Entries
1/21/25 Understanding Business Associate Agreements
11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims
11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme
11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges
11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6
11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach
11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth
11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations
11/12/22 May a covered entity use or disclose protected health information for litigation?
11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
Blog Archives
November 2022 (54)
January 2025 (1)
Blog Labels
BAA (4)
ePHI (2)
HIPAA (2)
HIPAA Enforcement (3)
Data Breach (1)
Covered Entity (40)
PPP Fraud (1)
Telehealth (1)
EHR Fraud (1)
|
