Skip to main content

Nixon Peabody LLP

  • People
  • Capabilities
  • Insights
  • About
Trending Topics
    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    Practices

    View All

    • Affordable Housing
    • Community Development Finance
    • Corporate & Finance
    • Cybersecurity & Privacy
    • Entertainment & Media
    • Environmental
    • Franchising & Distribution
    • Government Investigations & White Collar Defense
    • Healthcare
    • Intellectual Property
    • International Services
    • Labor, Employment, and Benefits
    • Litigation
    • Private Wealth & Advisory
    • Project Finance
    • Public Finance
    • Real Estate
    • Regulatory & Government Relations
    Industries

    View All

    • Aviation
    • Cannabis
    • Consumer
    • Energy
    • Financial Services
    • Healthcare
    • Higher Education
    • Infrastructure
    • Manufacturing
    • Nonprofit Organizations
    • Real Estate
    • Sports & Stadiums
    • Technology
    Value-Added Services

    View All

    • Alternative Fee Arrangements

      Developing innovative pricing structures and alternative fee agreement models that deliver additional value for our clients.

    • Continuing Education

      Advancing professional knowledge and offering credits for attorneys, staff and other professionals.

    • Crisis Advisory

      Helping clients respond correctly when a crisis occurs.

    • DEI Strategic Services

      Providing our clients with legal, strategic, and practical advice to make transformational changes in their organizations.

    • eDiscovery

      Leveraging law and technology to deliver sound solutions.

    • Environmental, Social, and Governance (ESG)

      We help clients create positive return on investments in people, products, and the planet.

    • Global Services

      Delivering seamless service through partnerships across the globe.

    • Innovation

      Leveraging leading-edge technology to guide change and create seamless, collaborative experiences for clients and attorneys.

    • IPED

      Industry-leading conferences focused on affordable housing, tax credits, and more.

    • Legal Project Management

      Providing actionable information to support strategic decision-making.

    • Legally Green

      Teaming with clients to advance sustainable projects, mitigate the effects of climate change, and protect our planet.

    • Nixon Peabody Trust Company

      Offering a range of investment management and fiduciary services.

    • NP Capital Connector

      Bringing together companies and investors for tomorrow’s new deals.

    • NP Second Opinion

      Offering fresh insights on cases that are delayed, over budget, or off-target from the desired resolution.

    • NP Trial

      Courtroom-ready lawyers who can resolve disputes early on clients’ terms or prevail at trial before a judge or jury.

    • Social Impact

      Creating positive impact in our communities through increasing equity, access, and opportunity.

    • Women in Dealmaking

      We provide strategic counsel on complex corporate transactions and unite dynamic women in the dealmaking arena.

    1. Home
    2. Insights
    3. Alerts
    4. OCR issues guidance on HIPAA-compliant use of audio-only telehealth

      Alerts

    Alert / Healthcare

    OCR issues guidance on HIPAA-compliant use of audio-only telehealth

    June 21, 2022

    LinkedInX (Twitter)EmailCopy URL

    By Valerie Montague, Rebecca Simone, Laurie Cohen and Jéna GradyShahreen Hussain

    The guidance addresses considerations for covered entities around use of audio-only telehealth services when OCR’s pandemic-related enforcement discretion ends.

    What’s the impact?

    • OCR emphasizes the important role telehealth plays in expanding access to healthcare and the need to ensure compliance with HIPAA for these arrangements post-PHE
    • The guidance clarifies when audio-only telehealth services and vendor agreements require compliance with the HIPAA Security Rule
    • Covered entities should take the opportunity now, prior to the end of the PHE, to analyze changes needed in telehealth arrangements

    DOWNLOAD

    OCR guidance on HIPAA-compliant use of audio-only telehealth (PDF)

    On June 13, 2022, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) issued guidance to healthcare providers and health plans on how to use audio-only telehealth services in a HIPAA-compliant manner, particularly when OCR’s telehealth enforcement discretion is no longer in effect.

    Acknowledging that healthcare providers had to rapidly pivot to the use of telehealth or expand their use of telehealth during the pandemic, on April 21, 2020, OCR published the Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency (Telehealth Notification). The Telehealth Notification advises healthcare providers that OCR will exercise enforcement discretion and not impose penalties for HIPAA noncompliance related to the good faith provision of telehealth during the COVID-19 public health emergency (PHE). Healthcare providers are able to use non-public-facing audio or video technologies for telehealth even when such arrangements are not in full compliance with HIPAA. The Telehealth Notification is set to expire with the declared PHE or when the Secretary of HHS declares that the COVID-19 PHE no longer exists.

    In both the guidance and its press release, OCR emphasizes the important role telehealth and, in particular, audio-only telehealth plays in expanding access to healthcare. For example, audio-only telehealth is particularly helpful for certain consumers since it leverages technology that does not require broadband availability, thereby resolving some internet-related inaccessibility problems. As covered entities see the end of OCR’s Telehealth Notification enforcement discretion on the horizon, the new guidance is intended to help healthcare providers and health plans structure their post-PHE, audio-only telehealth services in a HIPAA-compliant manner.

    As reiterated in the guidance, the HIPAA Privacy Rule permits the use of audio-only telehealth services. The guidance reminds covered entities that OCR expects them to safeguard protected health information (PHI) when providing services via telehealth, such as by providing telehealth services in a private setting whenever feasible. If services cannot be provided in fully private settings, then covered entities must use reasonable safeguards to protect the confidentiality of PHI (e.g., using lowered voices) to prevent any inadvertent disclosure.

    The guidance also addresses how covered entities should handle interactions with new patients or other individuals participating in telehealth services. Entities must verify the identity of individuals not known to them either orally or in writing. For an individual with limited English proficiency, covered entities must verify their identity using language assistance tools. Notably, the guidance references the requirement under civil rights laws that, as a general matter, communications with an individual who has a disability must be as effective as communications with others, and appropriate aids and services should be supplied when needed.

    With respect to electronic protected health information (ePHI), the guidance clarifies when audio-only telehealth services require compliance with the HIPAA Security Rule. As the Security Rule applies to PHI transmitted or stored in electronic media, audio-only telehealth services conducted through a traditional landline do not trigger Security Rule compliance. In contrast, covered entities must comply with the HIPAA Security Rule and its safeguards when using modern electronic technologies for remote communications, including smartphone applications (apps), Voice over Internet Protocol (VoIP), messaging services that electronically store audio messages, and technologies that electronically record or transcribe a telehealth session. For services that capture ePHI, it is critical that covered entities implement and maintain rigorous risk analysis and risk management systems to identify and assess any potential risks or vulnerabilities to the confidentiality, integrity, and availability of data transmitted through such technologies. This may mean that covered entities using such technologies during the PHE need to update their security risk analyses to include these remote communications technologies and that their subsequent risk management plans outline steps to eliminate or reduce any identified risks in using these technologies. The guidance cites use of a robust inventory and asset management process to ensure that the healthcare provider or health plan continuously identifies communication technologies and information systems that trigger HIPAA Security Rule compliance.

    Finally, where the Telehealth Notification allowed covered entities to work with remote communication technology vendors without executing a HIPAA business associate agreement (BAA), covered entities should analyze whether BAAs are necessary for these arrangements when the OCR enforcement discretion ends. The guidance discusses scenarios in which the HIPAA regulations permit covered entities to conduct audio-only telehealth sessions without a BAA in place with the vendor. When a healthcare provider has an audio-only telehealth session with a patient using a smartphone, a BAA between the covered entity and the telecommunication service provider (TSP) is not needed as long as the TSP is solely connecting the call and does not create, receive, or maintain any PHI from the session. The opposite is true when TSPs or vendors go beyond providing mere data transmission services and instead store PHI, such as in the app developer’s cloud infrastructure, via recordings or transcripts. In such circumstances, the healthcare provider must enter into a BAA with the app developer or other vendor before offering or utilizing the provider’s subscribed smartphone app with patients. Covered entities should take the opportunity now, prior to the end of the PHE, to analyze their telehealth arrangements, including those that are audio-only, to identify the need for BAAs and prepare and execute any necessary agreements.


    1. Shahreen Hussain, a legal intern in Nixon Peabody’s Health Care practice, assisted with the preparation of this alert.
      [back to reference ]

    Practices

    HealthcareHealthcare Regulatory & ComplianceHealthcare TransactionsHealthcare FinanceHealthcare Dispute ResolutionDigital Health & Telemedicine

    Insights And Happenings

    • Alert

      DEA proposes regulations for prescribing controlled substances via telemedicine

      March 2, 2023
    • Alert

      New York State OMIG issues new more detailed regulations for provider compliance programs

      Jan 18, 2023
    • Podcast

      OCR enforcement actions emphasize focus on HIPAA Right of Access Initiative

      Healthcare
      Oct 12, 2022
    The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

    Subscribe to stay informed of the latest legal news, alerts, and business trends.Subscribe

    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    • Cookie Preferences
    • Privacy Policy
    • Terms of Use
    • Accessibility Statement
    • Statement of Client Rights
    • Purchase Order Terms & Conditions
    • Nixon Peabody International LLC
    • PAL
    © 2025 Nixon Peabody. All rights reserved