HHS Issues New HIPAA Guidance on Audio-Only Telehealth Services

Through its Office for Civil Rights (OCR), the U.S. Department of Health and Human Services (HHS) issued new HIPAA guidance on 13 June that explains how HIPAA-covered entities can use remote communication technologies to provide audio-only telehealth services.

The primary goal behind rolling out this new HHS HIPAA guidance is to ensure that healthcare providers can conduct these audio-only telehealth services consistently in compliance with HIPAA’s Privacy, Security, and Breach Notification Rules, even when OCR’s Notification of Enforcement Discretion for Telehealth is no longer in effect.

The new guidance also clarifies how covered entities can provide audio-only virtual primary care in compliance with HIPAA, and aims to boost public confidence that health information is being used properly by maintaining HIPAA’s standards for privacy and security.

HIPAA, or the Health Insurance Portability and Accountability Act, led to the creation of national standards to protect patient health information from being disclosed without the patient’s consent or knowledge.

In its 2020 guidance, OCR announced that it wouldn’t impose penalties on healthcare providers for noncompliance with the HIPAA rules in connection with the good faith provision of telehealth services during the COVID-19 public health emergency (PHE). The new HHS HIPAA guidance has been released to support continued, expanded access to care through audio-only telehealth services.

The new telehealth HIPAA guidance contains responses to four frequently asked questions (“FAQs”) about compliance with the HIPAA Privacy and Security Rules when providing audio-only telehealth services. These FAQs cover the following points:

  1. Does the HIPAA Privacy Rule permit health care providers and health plans to use remote communication technologies to deliver audio-only telehealth services?

OCR explained that this practice is permissible provided that reasonable safeguards are used to protect the privacy of protected health information (“PHI”) from impermissible uses or disclosures while delivering telehealth services. Such safeguards include conducting telehealth sessions in private settings, not using speakerphones, and using lowered voices to limit incidental uses or disclosures of PHI. In addition, the patient’s identity must be confirmed, which may be done either orally or in writing (including by electronic methods).

  2. Do health care providers and health plans need to meet HIPAA Security Rule requirements to use remote communication technologies to provide audio-only telehealth services?

OCR explained that the HIPAA Security Rule doesn’t apply to audio-only telehealth services provided over a telephone landline, because the information communicated isn’t electronic. However, the HIPAA Security Rule does apply to the use of electronic communication technologies, for example, communication applications on a smartphone or other computing device, Voice over Internet Protocol (VoIP) technologies, technologies that electronically record or transcribe a telehealth session, and messaging services that electronically store audio messages. Covered entities must therefore address the security risks and vulnerabilities to electronic PHI that arise from using these technologies as part of their risk analysis and risk management processes.


  3. May a healthcare provider or a health plan conduct audio-only telehealth using remote communication technologies without a business associate agreement (“BAA”) with the vendor?

Consistent with its earlier position on the issue, OCR stated that HIPAA doesn’t require a BAA between a provider and a vendor where access to the PHI sent during a call is only brief, because the vendor is simply acting as a conduit for the PHI and isn’t creating, receiving, or maintaining PHI for the provider. For example, a BAA isn’t needed when a provider conducts an audio-only telehealth session with a patient using a cell phone and the vendor’s only role is to connect the call. However, a provider needs to enter into a BAA with a vendor that is more than a mere conduit for PHI. For instance, a BAA is required where the vendor’s cell phone application stores PHI (e.g., accounts, records) or translates oral communications into another language (and in doing so creates and receives PHI) to provide meaningful access to people with limited English proficiency.

  4. May healthcare providers use remote communication technologies to provide audio-only telehealth if an individual’s health plan doesn’t provide coverage for those services?

OCR noted that providers may offer audio-only telehealth services using remote communication technologies consistent with the requirements of the HIPAA guidance, whether or not any health plan covers or pays for those services.

With the new HHS HIPAA guidance, telehealth can significantly expand access to health care. Certain populations may have difficulty accessing, or be unable to access, the technologies used for audio-video telehealth because of various factors, including financial resources, limited English proficiency, disability, internet access, availability of adequate broadband, and cell coverage in their geographic region. Audio-only telehealth, particularly technologies that don’t require broadband availability, can help address the needs of some of these people.

“Audio telehealth is an important tool to reach patients in rural communities, individuals with disabilities, and others seeking the convenience of remote options. This guide explains how the HIPAA Rules permit health care providers and plans to offer audio telehealth while protecting the privacy and security of individuals’ health information,” said OCR Director Lisa J. Pino.

With this new HIPAA release, healthcare providers and health plans can deliver telehealth services to people in need in remote areas using audio-only telehealth, as it now falls under HIPAA regulations. People with disabilities, and those without the resources required for audio-video consultation, can also get the diagnosis and treatment they need in areas with fewer medical facilities.

HIPAA Guidance Rollout

HIPAA (the Health Insurance Portability and Accountability Act), a landmark piece of legislation, was introduced in 1996. Its primary goal was to address insurance coverage issues for individuals who are between jobs, because they were the people most affected by loss of insurance coverage.

In addition, HIPAA was intended to prevent healthcare fraud and to protect patients’ health information by restricting access to health data to authorized personnel only.

Why is HIPAA Guidance important for Healthcare Providers?

HIPAA guidelines bring the healthcare industry a host of benefits: moving health information from paper records to electronic copies, streamlining healthcare operations, improving efficiency, and ensuring the secure sharing of protected health information.

This is possible thanks to HIPAA standards for recording health data and for electronic transactions, because all HIPAA-covered entities follow the same code sets and nationally recognized identifiers. As a result, large volumes of electronic health information can be transferred securely between healthcare providers, health plans, and other entities, and the healthcare industry can run without disruption.

What is HIPAA Guidance Violation?

A HIPAA violation occurs when Protected Health Information (PHI) is acquired, accessed, used, or disclosed in a way that could pose a significant personal risk to the patient.

HIPAA Guidance Violation Consequences

If you violate HIPAA rules, you could face these potential outcomes:

  • Your employer could deal with the violation internally.
  • You could be terminated.
  • You could face sanctions from professional boards.
  • You could face criminal charges, including fines and imprisonment.

It is therefore vital to follow HIPAA rules carefully if you want to run a healthcare business successfully.

Now that you understand HIPAA, HIPAA violations, and the newly released HIPAA guidance, it’s important to follow the guidance strictly to protect your healthcare practice from the consequences of a violation, whether you are offering audio-only telehealth or audio-video telehealth services through a telemedicine application.

A HIPAA-compliant telehealth platform lets patients use audio-video consultations and receive medical care from the comfort of their homes when there’s no need to see the doctor in person. It is less expensive, saves time, and prevents patients from coming into contact with others.



If you are a healthcare provider, whether a clinic or a hospital, and have not yet moved online through a telemedicine app, now is the right time to shift your offline clinic to an online one with HIPAA-compliant telemedicine software. Not only does it help streamline your clinical workflows and operations, but it also eliminates the need for more staff members.

VCDoctor is one of the industry’s best white label HIPAA software solutions. It is an all-in-one, one-stop solution that allows 100% customization per your business requirements. For more information, request a free consultation with our healthcare experts. They would love to clear your doubts and answer your queries.
