How do HIPAA regulations apply to audio-only communications between providers and patients?

While there has been a growing use of telemental health services, some patients such as those with limited digital literacy and those with reduced access to broadband still rely on audio-only services. On June 21, 2022, the U.S. Department of Health and Human Services (HHS) issued guidance on how the Health Insurance Portability and Accountability Act (HIPAA) relates to audio-only telehealth services. A summary of the guidance is as follows:

1. HIPAA-covered entities can use remote communication technologies to provide audio-only services.
2. Covered health care providers and health plans do not need to meet the requirements of the HIPAA Security Rule when they are using a traditional telephone landline. However, they do need to meet HIPAA requirements when they are using electronic communications technologies such as Voice Over IP (VoIP), smartphone communication apps, or services that record or store the audio messages.
3. HIPAA Rules permit health care organizations to conduct audio-only telehealth with a telecommunication provider without a business associate agreement, so long as the telecommunication provider does not create, receive, or maintain any protected health information from the session and is only connecting the call.
4. Covered health care providers may offer audio-only telehealth services using remote communication technologies consistent with the requirements of the HIPAA Rules, regardless of whether any health plan covers or pays for those service.

Further details about this new guidance can be found here.