HIPAA Guidelines on Telemedicine
The HIPAA guidelines on telemedicine start with preparing for the remote delivery of healthcare by auditing procedures, analyzing risks, training healthcare professionals, and entering into Business Associate Agreements with the vendors of communication services. Thereafter, procedures must be developed for verifying patient identities and obtaining consent where necessary, and for securing PHI collected or disclosed in patient encounters.
- Conduct an audit to identify how healthcare professionals communicate with patients and business associates.
- Identify and analyze risks to the privacy of health information and the security of electronic transmissions.
- Develop policies to mitigate the risk of violations and breaches, and provide HIPAA training on the policies.
- Ensure compliant business associate agreements are in place with each business associate and software vendor.
- Implement verification procedures for first contacts and when access credentials are known to have been compromised.
- Develop policies for recording patient consent when the confidentiality of a remote consultation cannot be guaranteed.
- Document all remote patient encounters and securely retain the records to comply with the HIPAA document retention requirements.
Telemedicine has been a factor in the provision of healthcare since the invention of the telephone. As video and digital technologies evolved throughout the twentieth century, healthcare providers adopted the technologies to improve the quality of remote care – not only by replacing physical visits with virtual ones, but also by facilitating faster collaboration between healthcare units.
The adoption of physician-to-patient telemedicine accelerated following the passage of the Affordable Care Act and the subsequent Hospital Readmissions Reduction Program introduced by the Centers for Medicare and Medicaid Services (CMS). Healthcare providers found that, by monitoring patients’ health remotely, hospital readmissions dropped significantly – generating massive savings.
As health plans and the CMS identified the financial benefits of telemedicine, the number of covered remote services – and who they were available to – increased substantially. Congress authorized more allowable uses of telehealth under the Social Security Act (§1834(m)), and Fee For Service (FFS) Medicare telehealth was expanded to cover all counties outside metropolitan areas.
Telemedicine and HIPAA
Since the early 2000s, healthcare providers that qualify as HIPAA covered entities have had to comply with the HIPAA Administrative Simplification Regulations. The Regulations are best known for protecting the privacy of individually identifiable health information (the HIPAA Privacy Rule) and ensuring the confidentiality, integrity, and availability of Protected Health Information (PHI) when it is collected, maintained, shared, or transmitted electronically (the HIPAA Security Rule).
The HIPAA Privacy Rule applies whether healthcare is provided face-to-face or remotely, so there are no specific HIPAA guidelines on telemedicine within the HIPAA Privacy Rule. What guidelines exist for HIPAA-compliant telemedicine have been compiled from guidance issued by the Department of Health and Human Services (HHS) and other interpretations of the HIPAA Privacy Rule that have led to the development of HIPAA-compliant telemedicine best practices.
The HIPAA Security Rule applies to most telehealth activities, but not all – see “Telehealth Phone Calls” below. The HIPAA Security Rule also applies to business associates of covered entities, which, in the context of telemedicine and HIPAA, means covered entities providing a service on behalf of other covered entities (when there is no direct treatment relationship with the patient) as well as providers of HIPAA-compliant telemedicine platforms and HIPAA-compliant telehealth software.
Because of the overlap of roles in “indirect treatment relationships,” there may be additional considerations that healthcare providers of all types may have to take into account when providing telemedicine services. These are explained in the following sections – along with the HIPAA requirements for telehealth when sharing PHI with other healthcare providers acting as business associates or transmitting PHI via HIPAA-compliant telemedicine software.
Privacy Rule HIPAA Telehealth Requirements
Healthcare professionals providing telehealth services can experience unique challenges. One of the challenges during initial consultations is verifying the identity of the patient. This is particularly relevant when a patient has been referred from one covered entity to another (with whom there is no previous treatment relationship) or the consultation is being hosted at a remote facility managed by a different healthcare provider because the patient does not have access to telehealth technology.
Once the identity of the patient has been verified, the privacy of the consultation can also be challenging. Healthcare providers may need to obtain recorded consent to continue with the consultation when a translator, caregiver, or family member is present, or when the patient is in a public location where the consultation may be overheard. There are many examples of patients taking telemedicine calls when they are at work, at the gym, or on a ski lift.
The location of the healthcare provider may also be a challenge to compliance with the HIPAA Privacy Rule telehealth requirements. Providers may have to conduct consultations from a busy office, from home, or from a public location with a lot of background noise that makes it impossible to reduce the volume of their voice. In such circumstances, it may be necessary to reschedule the consultation or explain to the patient that the personal information they can disclose will be limited.
However, possibly the most challenging issue to overcome is when a healthcare provider refers a patient to another healthcare provider not under the control of the same covered entity. Depending on the nature of the telehealth activity, it may be necessary to limit the amount of PHI disclosed to the second healthcare provider and/or request that the second healthcare provider enter into a Business Associate Agreement or attest that any PHI disclosed to them will not be further disclosed.
Security Rule HIPAA Telehealth Requirements
The Security Rule HIPAA telehealth requirements are generally the same as the Security Rule HIPAA requirements for other healthcare activities. However, there are a few HIPAA guidelines on telemedicine that covered entities and business associates should be conscious of in order to avoid inadvertent HIPAA violations and impermissible disclosures of PHI, and to prevent unjustified complaints from patients who wrongly believe their privacy rights have been violated.
The first guideline relates to software vendors who claim their solutions are HIPAA compliant but who refuse to enter into a Business Associate Agreement because they cannot access encrypted PHI (because the covered entity maintains the decryption key). HHS has issued guidance on this issue (see question 2), stating that software vendors and service providers are considered to be business associates because they have “persistent access” to PHI passing through or stored on their servers.
The second guideline relates to conducting risk analyses on complex telemedicine frameworks – for example, when a HIPAA-compliant telemedicine platform connects directly with an EHR. In such circumstances, HHS recommends healthcare providers take advantage of the HIPAA Security Risk Assessment Tool developed by the Office of the National Coordinator for Health Information Technology. (Note: the previously recommended NIST HIPAA Security Toolkit is no longer supported).
The final guideline relates to potential security risks at the patient’s end of a telemedicine consultation. Although the context of the guideline is CMS’s Interoperability and Patient Access Final Rule (2020), it applies to the Security Rule HIPAA telehealth requirements inasmuch as “the covered entity is not liable for what happens to PHI once the designated third party receives the information.” In this case, the “designated third party” is the patient’s device.
HIPAA and Telehealth Phone Calls
The HIPAA General Provisions in Part 160 include a definition of electronic media. It is important to be aware of this definition because, under specific conditions, some transmissions of PHI are not considered electronic transmissions. In such cases, the administrative, physical, and technical safeguards of the HIPAA Security Rule do not apply – but other state privacy and security laws may.
The Department of Health and Human Services (HHS) has issued HIPAA guidelines on telemedicine relating to this definition. Guidance published in 2022 stated: “The HIPAA Security Rule does not apply to audio-only telehealth services provided by a covered entity using a standard (PSTN) telephone line, often described as a traditional landline, because the information transmitted is not electronic.”
The guidance applies to audio-only telehealth phone calls made or received by a covered entity, regardless of the technology being used by the patient. However, the guidance notes “standard telephone lines” (as used by a covered entity) do not include VoIP services and mobile or desktop technologies that use electronic media such as the Internet, or cellular or Wi-Fi networks.
HIPAA Compliant Telemedicine and Business Associates
In addition to the HIPAA Privacy and Security Rules, it is important healthcare providers are aware of the HIPAA General Provisions in Part 164 that apply HIPAA Privacy Rule standards to business associates “where provided”. The reason this is important is, as mentioned previously, there can be cases when consultations are conducted by one healthcare provider on behalf of another healthcare provider as a business associate because there is no existing direct treatment relationship.
Although most healthcare providers qualify as covered entities, some do not. In such cases, not only might a non-qualifying healthcare provider – conducting the consultation as a business associate – be required to comply with the HIPAA Security and Breach Notification Rules (as all Business Associates are required to do), but they must also comply with HIPAA Privacy Rule standards relevant to the role they are providing for the covered entity. This should be noted in the Business Associate Agreement.
With regards to software vendors and service providers, not all vendors and providers are willing to sign covered entities’ Business Associate Agreements, but insist that covered entities sign theirs. This is usually the case for large Cloud Service Providers (e.g., Microsoft, AWS, Google) because they provide standardized services to all their customers and cannot provide bespoke services to meet each covered entity’s individual compliance requirements. This also applies to HIPAA-compliant email.
However, just because other healthcare providers agree with the terms of (for example) Microsoft’s Business Associate Agreement, it does not mean the Agreement is suitable for every covered entity. Healthcare providers are advised to read all the terms of any Business Associate Agreement they are asked to enter into, and, if a clause is identified that does not align with an existing HIPAA policy, be prepared to change service providers or amend the HIPAA policy.
One final point with regards to HIPAA-compliant telemedicine and business associates relates to complex telemedicine environments in which a telemedicine platform connects with an EHR via an AI-assisted transcriber. In such cases, it will be necessary to maintain separate Business Associate Agreements with the vendors of the communications platform, the EHR, and the transcriber service.
Other Non-HIPAA Guidelines on Telemedicine
There are many other non-HIPAA guidelines on telemedicine healthcare providers may need to be aware of. For example, no two states are identical in how they define and regulate telemedicine, and some states may have laws that preempt HIPAA because they offer stronger privacy protections or greater patient rights. With regard to HIPAA telehealth rules, it may be necessary to know if the state permits HIPAA-covered entities to provide telehealth services across state lines.
Different states also have different regulations relating to breach notifications. For example, there are three exceptions to the definition of a breach under HIPAA. If an exception does not apply, covered entities have sixty days to notify affected individuals of the breach. These exceptions do not apply in all states, and some states have wider definitions of a covered entity. Some states also allow less time for affected individuals and State Attorneys General to be notified of a data breach.
With regards to the HIPAA telehealth requirements, a breach is defined as any impermissible use or disclosure that compromises the security or privacy of PHI – for example, if a healthcare provider fails to verify the identity of a remote patient before discussing somebody else’s health condition with them. Some states have a stricter definition of a breach inasmuch as any impermissible use or disclosure is considered a breach even if it does not result in the security or privacy of PHI being compromised.
Other non-HIPAA guidelines on telemedicine include the conditions for prescribing controlled substances remotely and disclosing substance use disorder patient records via telemedicine. Healthcare providers should also keep up to date on which telemedicine services are covered by health plans and Medicare, as these are frequently changing and can vary from plan to plan. The most recent changes to Medicare coverage can be found in this policy update.
The Impact of the COVID-19 Public Health Emergency
It is difficult to accurately measure the impact of the COVID-19 public health emergency on telemedicine because the only data available is the Medicare FFS Part B Claims Data used in CMS’s Telehealth Trends Report. Minus any health plan data, this report shows that – prior to the COVID-19 public health emergency – only 7% of eligible patients took advantage of telemedicine services.
As the public health emergency took hold, the percentage of eligible patients using telemedicine services increased to 47% – mostly due to restrictions on outpatient visits, but also due to HHS’ Office for Civil Rights announcing temporary HIPAA guidelines on telemedicine and the relaxation of enforcement action against providers who violated HIPAA telehealth rules in good faith.
The percentage of patients using telehealth services gradually declined as providers, staff, and patients became more comfortable with virus mitigation strategies, and has settled at around 15%. The percentage is expected to remain at this level due to “a newfound awareness and acceptance of telemedicine”, despite the temporary HIPAA guidelines on telemedicine ending in August 2023.
HIPAA Compliant Telemedicine in the Post-Covid Era
Although the percentage of patients using telehealth services has declined since the end of the public health emergency, the number of benefits of telehealth identified during the pandemic has prompted CMS to experiment with different services to help determine which represent value for money. The agency has recently published a revised Category 3 list of services that likely have clinical and financial benefits, but lack sufficient evidence to justify permanent coverage.
As opportunities to enhance services and save money are identified, as health plans follow CMS’s lead, and as technology continues to evolve, the types of telemedicine available to patients will continue to expand. This will place new challenges on healthcare professionals wishing to provide HIPAA-compliant telemedicine services and specific HIPAA guidelines on telemedicine may soon be published by HHS to answer questions about HIPAA telehealth requirements.
If your organization is unsure about what safeguards and guidelines should be implemented to support HIPAA-compliant telemedicine, it is advisable to seek professional compliance advice.
Summary of HIPAA Guidelines on Telemedicine
| Guideline | Description |
|---|---|
| Conduct an audit | If an organization is unaware of how healthcare professionals communicate with patients, it is impossible to ensure compliance. |
| Analyze risks | The risk analysis required by the HIPAA Security Rule should be extended to uses and disclosures of PHI during remote communications. |
| Develop policies | Policies that already exist for face-to-face interactions with patients should be extended to cover remote interactions with patients. |
| Business Associate Agreements | Include any third parties who provide telemedicine services on the organization’s behalf if no direct treatment relationship exists. |
| Verification procedures | Ensure business associates report all security incidents (as required by §164.314) to know when access credentials have been compromised. |
| Record consent | Consent is advised when a requested channel of communication is unsecure or when there is a risk of a consultation being overheard. |
| Document and retain documentation | Some, but not all, telemedicine platforms automatically record remote communications with patients and archive them securely. |
HIPAA Guidelines on Telemedicine FAQs
Who decides the rules about HIPAA and telehealth?
Multiple agencies decide the rules about HIPAA and telehealth. For example, HHS’ Office for Civil Rights publishes the HIPAA Privacy and Security Rules, HHS’ Centers for Medicare and Medicaid Services determines the physicians’ fee schedule – which determines what telehealth services can be provided through Medicare – and the Federal Trade Commission monitors compliance with the Health Breach Notification Rule by organizations that do not qualify as HIPAA covered entities.
What is the difference between HIPAA-compliant telemedicine and HIPAA-compliant telehealth?
The difference between HIPAA-compliant telemedicine and HIPAA-compliant telehealth (as defined by the Office of the National Coordinator for Health Information Technology) is that telemedicine refers to remote clinical services conducted in compliance with HIPAA, while telehealth can also include remote non-clinical services such as provider training and medical education. When any telehealth service includes the use or disclosure of PHI, the service must be HIPAA compliant.
If a secure channel is established between a physician and a patient, is that enough to satisfy the HIPAA telemedicine requirements?
If a secure link is established between a physician and a patient, it is not enough to satisfy the HIPAA telemedicine requirements because the HIPAA Security Rule requires additional safeguards such as auditing capabilities, data backup procedures, and disaster recovery mechanisms. All communications must be tracked, logged, and stored securely to ensure the confidentiality, integrity, and availability of ePHI and support business continuity in the event of a man-made or natural disaster.
How likely are Man-in-the-Middle attacks in telemedicine?
It is not known how likely Man-in-the-Middle attacks are in telemedicine. A survey conducted in 2020 claimed that 62% of respondents who worked in the healthcare industry had been the victim of a Man-in-the-Middle attack in the past five years. However, the scale of the survey is not published; it is not known what percentage of the attacks were telemedicine-related, or how the respondents knew they were the victims of a Man-in-the-Middle attack.
What if a patient is not technology-minded and can only use a non-compliant service such as Facebook Live?
If a patient is not technology-minded and can only use a non-compliant service such as Facebook Live, covered entities should offer a HIPAA-compliant communications channel similar to the one the patient is familiar with. For example, Google Meet could be used as a replacement for Facebook Live as the invitation to join a meeting is sent via a Gmail link, so the patient would only need to click on the link to connect with their physician without downloading or installing any software.
Does HHS endorse any specific HIPAA-compliant telemedicine software?
HHS does not endorse any specific HIPAA-compliant telemedicine software because “the HIPAA Security Rule is based on the fundamental concepts of flexibility, scalability, and technology neutrality”. With regards to technology neutrality, the General Rules of the HIPAA Security Rule (45 CFR § 164.306) allow covered entities a flexibility of approach to determine which security measures and specific technologies are reasonable and appropriate for implementation in their organizations.
What are the key challenges of HIPAA compliance for telehealth?
The key challenges of HIPAA compliance for telehealth vary according to the service being provided. For healthcare provider to patient communications, the likely key challenges are patient verification and confidential communications. For telehealth services between healthcare providers, the likely key challenges are user authentication and secure communications. Depending on the relationship between providers, a HIPAA-compliant Business Associate Agreement may also be a challenge.
Have the HIPAA guidelines for telehealth changed due to the COVID pandemic?
The HIPAA guidelines for telehealth changed due to the COVID pandemic – but only temporarily. During the Public Health Emergency, HHS’ Office for Civil Rights issued a Notice of Enforcement Discretion for Telehealth Remote Communications, which allowed covered entities to use potentially non-compliant telemedicine platforms to communicate with patients. The temporary measures ended in May 2023, with a transition extension available until August 2023.
Is telehealth HIPAA compliant?
Telehealth is HIPAA compliant when policies and safeguards are applied to comply with the HIPAA Privacy and Security Rules. Best practices for ensuring telehealth is HIPAA compliant include conducting a risk analysis and developing policies for identity verification and obtaining patient consent where necessary. The risk analyses, policies, copies of patient consent, and Business Associate Agreements (where necessary) must be retained for a minimum of six years.
What is a HIPAA-compliant telehealth platform?
A HIPAA-compliant telehealth platform is a cloud-based communication service with the necessary safeguards and controls to support HIPAA compliance. Before using any telehealth platform to collect, store, or transmit PHI, the controls must be configured to comply with the HIPAA Privacy and Security Rules, users must be trained on how to use the platform compliantly, and the vendor of the platform must enter into a Business Associate Agreement.
Do you have to comply with all the HIPAA telehealth rules if you contact a patient by phone?
Whether or not you have to comply with all the HIPAA telehealth rules if you contact a patient by phone depends on what type of phone you use. If you conduct an audio-only telehealth consultation from a PSTN landline, the HIPAA Security Rules for HIPAA-compliant telehealth do not apply. However, if you use a VoIP service or mobile or desktop app that connects you to the patient via a cellular or Wi-Fi network or via the Internet, all the HIPAA telehealth rules apply.
Are most forms of telehealth communication covered by the HIPAA Privacy Rule?
Most forms of telehealth communication are covered by the HIPAA Privacy Rule, inasmuch as it is important to ensure telehealth consultations are conducted confidentially in order to avoid impermissible disclosures of PHI. Exceptions to this HIPAA guideline on telehealth exist when two healthcare units under the control of the same covered entity share PHI remotely to collaborate on (for example) diagnoses, courses of treatment, and care plans.
Do the HIPAA telemedicine requirements apply to all healthcare providers?
The HIPAA telemedicine requirements apply to all healthcare providers that qualify as HIPAA-covered entities. To qualify as a HIPAA covered entity, a healthcare provider must transmit – or subcontract the transmission of – health information in electronic form in connection with a standard published by the Secretary of Health and Human Services (the standards mostly relate to authorizations, claims, and billing, and can be found in Part 162 of the HIPAA Administrative Simplification Regulations).
Can a state or federal law affect telehealth and HIPAA compliance?
A state or federal law can affect telehealth and HIPAA compliance if the state or federal law has more privacy protections than HIPAA or provides patients with more rights over their PHI. For example, the federal rules relating to the confidentiality of substance use disorder patient records (42 CFR Part 2) or the Texas Medical Records Privacy Act can pre-empt some provisions of HIPAA and affect the measures healthcare providers have to put in place to comply with these laws, as well as HIPAA.
Do the HIPAA guidelines on telemedicine limit which patients are eligible for remote consultations?
The HIPAA guidelines on telemedicine do not limit which patients are eligible for remote consultations. Eligibility is determined by each insurance provider or the Centers for Medicare and Medicaid Services (CMS). The Health Resources and Services Administration has released a tool that shows if a healthcare provider will be able to provide remote consultations under a Medicare plan. Alternatively, patients can pay their healthcare provider privately for remote consultations.
What happens if you violate the HIPAA requirements for telehealth?
What happens if you violate the HIPAA requirements for telehealth depends on the nature of the violation, its consequences, and – if you are a member of a covered entity’s workforce – your employer’s sanctions policy. Subject to these provisos, minor violations of the HIPAA requirements for telehealth will result in a verbal warning and/or further training. However, repeated or more serious violations could result in suspension and/or termination of contract.
What training should be provided on HIPAA and telehealth?
The training provided on HIPAA and telehealth should be “as necessary and appropriate for the members of the workforce to carry out their functions” in compliance with HIPAA (45 CFR §164.530). Also, the compliant use of HIPAA-compliant telehealth platforms should be included in the covered entity’s security and awareness training program (45 CFR §164.308). The failure to provide adequate training on HIPAA and telehealth is itself a HIPAA violation.
What are the telehealth HIPAA rules if a patient is unable to verify their identity?
The telehealth HIPAA rules if a patient is unable to verify their identity depend on whether the patient is unwilling or incapable of verifying their identity. In the former case, unless there is a compelling case for continuing with a remote consultation, the consultation should be postponed until the patient’s identity can be verified. In the latter case, a healthcare provider can postpone the consultation or continue if, in their professional judgment, it is in the patient’s best interests.
Is non-compliance with the HIPAA telemedicine rules a civil violation or a criminal violation?
Non-compliance with the HIPAA telemedicine rules is a civil violation unless it can be proven that a member of a covered entity’s workforce has knowingly and wrongfully disclosed individually identifiable health information contrary to §1177 of the Social Security Act. In such cases, the impermissible disclosure of PHI will be referred by HHS’ Office for Civil Rights to the Department of Justice for a criminal investigation.
How do the HIPAA telehealth rules apply to children?
The HIPAA telehealth rules apply to children in the same way as face-to-face consultations. This means that, unless a state law preempts HIPAA, parents are considered to be the personal representatives of “unemancipated minors” and have a right of access to the child’s PHI. This also means parents can be present during a remote consultation with a child without the child’s consent.