New HHS Guidance Prepares HIPAA-Covered Entities for End of Pandemic Flexibility

Bruce D. Armon, Samantha Gross


On June 13, 2022, the U.S. Department of Health and Human Services Office for Civil Rights issued guidance (the “Guidance”) for covered health care providers and health plans relating to the use of remote communication technologies to provide audio-only telehealth services in a manner that is compliant with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy, Security, and Breach Notification Rules (collectively, the “HIPAA Rules”) after the federal public health emergency ends.

What You Need to Know:

  • The COVID-19 public health emergency is scheduled to expire mid-July. 
  • When the public health emergency expires, the federal government will no longer exercise enforcement discretion with regard to HIPAA compliance for telehealth services. 
  • This guidance includes frequently asked questions and it reminds covered entities of the HIPAA rules regarding the use of remote communication technologies to provide audio-only telehealth services.  

​In March 2020, HHS announced that during the COVID-19 public health emergency, HIPAA-covered entities were exempt from complying with the HIPAA Rules “in connection with the good faith provision of telehealth using non-public facing audio or video remote communication technologies.” HHS has exercised enforcement discretion to remove barriers to telehealth care, which in part allowed telehealth to expand significantly during the pandemic.

The Guidance includes frequently asked questions and it reminds covered entities that the HIPAA Privacy Rule permits the use of remote communication technologies to provide audio-only telehealth services. Covered entities must apply reasonable safeguards to protect the privacy of protected health information (“PHI”), such as conducting telehealth visits in private spaces and, if the individual is not known to the covered entity, verifying the identity of the individual. The Guidance reiterates that the HIPAA Security Rule does not apply to audio-only telehealth services provided by a covered entity that is using a standard telephone line (i.e., a landline) because the information transmitted is not electronic. However, where the health care provider is using Voice over Internet Protocol or mobile technologies that use electronic media (e.g., internet, wi-fi, or cellular data), the HIPAA Security Rule applies. The Guidance notes that HIPAA-covered entities using such systems that transmit electronic protected health information must implement HIPAA Security Rule safeguards to protect those technologies.  

The Guidance addresses when a covered entity needs (and does not need) a business associate agreement (BAA) with telecommunication service providers (TSP). Where a covered entity is using a TSP to transmit PHI to patients, the vendor is merely a “conduit for the PHI” and a BAA is not needed. However, where the TSP is more than a “mere conduit for PHI” such as when a smartphone app is used to create, receive, or transmit PHI, a business associate relationship is established and a BAA is necessary. Finally, the Guidance addresses the use of telehealth when an individual’s health plan is not paying for services.  

The federal public health emergency is currently set to expire in mid-July. The Guidance reminds HIPAA-covered entities of the importance of complying with the HIPAA Rules when providing services via telehealth as our country gradually begins activities in the ‘new normal’ within the health care delivery system.    

Saul Ewing attorneys regularly assist covered entities with HIPAA compliance, including with respect to telehealth issues. For more information relating to the Firm’s HIPAA compliance practice, please contact the authors or the Firm's attorney with whom you are regularly in contact.

Bruce Armon Headshot
Samantha R. Gross