Guidance on Permitted Telehealth & the Health Insurance Portability and Accountability Act (HIPAA)


Recent Department of Health and Human Services guidance affirmed and encouraged telehealth care beyond the current Public Health Emergency by laying out some key HIPAA security considerations.

Mitigating the environmental risks for the covered entity and identifying the party on the other side of the line are straightforward; these are often already established practices. Telehealth demands a thorough vetting of the technology being used to communicate. Methods where the access to PHI is purely transient, such as traditional telephone services, may lie outside of HIPAA’s security requirements as mere conduits for communication. However, the multitude of applications, meeting services, messenger services, and Voice over Internet Protocol (VoIP) technologies likely must meet HIPAA’s security standards.

These alternative technologies can increase the risk of interception, lack necessary encryption, generate unsecured PHI, lack proper authentication, and potentially require a business associate agreement depending on the nature of the product or service. While it may limit options for covered entities to connect live with patients, awareness of where security requirements apply to the technology used in a telehealth setting is vital, because it affects the confidentiality, integrity, and availability of PHI.

Revolution Law Group is located in Greensboro, NC, and serves individuals and small businesses throughout the Triad and surrounding areas. To contact us please visit or call 336-333-7907.

The information included here is for informational purposes only, is not exhaustive of all considerations when creating documents, is not intended to be legal advice, and should not be relied upon for that purpose. We strongly recommend you consult with an attorney and do not attempt to create your own documents.