Skip to Main Content

HHS Issues Guidance on Application of the HIPAA Rules to Audio-Only Telehealth

Friday, June 24, 2022

The Department of Health and Human Services (HHS) issued guidance to providers and health plans in order to understand how they can utilize remote communication technologies for audio-only telehealth in compliance with the Privacy and Security Rules under the Health Insurance Portability and Accountability Act (HIPAA).


In March 2020, HHS issued enforcement discretion stating it will not impose certain HIPAA penalties against health care providers using audio-only telehealth communications in good faith during the COVID-19 public health emergency (PHE). This enforcement discretion remains in effect until the PHE no longer exists. However, HHS’ recent guidance clarifies that audio-only telehealth services may continue to be used even after this expiration date.

HHS Guidance

This guidance was issued in the form of FAQs addressing the following topics:

  • The HIPAA Privacy Rule allows covered entities to use remote communication technologies to provide audio-only telehealth services as long as reasonable safeguards are adopted to protect the privacy of protected health information (PHI).
  • The HIPAA Security Rule applies to electronic PHI but does not apply to audio-only telehealth services using a standard telephone line or landline because the information transmitted is not electronic.
  • In some circumstances, the HIPAA Rules allow a covered health care provider or a health plan to conduct audio-only telehealth using remote communication technologies without a business associate agreement in place with the vendor.
  • Covered providers may offer audio-only telehealth services consistent with the HIPAA Rules, regardless of whether any health plan covers or pays for those services.


  • The HIPAA Security Rule does not apply to services provided using traditional landlines, but does apply when a covered entity uses electronic communication technologies to provide remote telehealth services.
  • Current technologies that may be used for remote communication and require compliance with the HIPAA Security Rule include communication applications on a smartphone or Voice over Internet Protocol (VoIP) technologies.

Material posted on this website is for informational purposes only and does not constitute a legal opinion or medical advice. Contact your legal representative or medical professional for information specific to your legal or medical needs.