New OCR Guidance Regarding HIPAA-Compliant Phones


The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its latest HIPAA guidelines on audio-only services for all telehealth technologies. The OCR is the enforcement arm of HHS for HIPAA. Although this announcement promotes audio-only telehealth for people who struggle to access audio-video calls, it is expected to affect the telehealth industry as a whole.

At issue is that the requirements for HIPAA-compliant phones differ significantly between analog and digital voice communications. The new OCR guidance for HIPAA telephone rules applies strictly to electronic protected health information (e-PHI) transferred by digitally mediated telephones, that is, telephone services whose calls are transmitted through the general, unprotected Internet. As most practitioners know, any digital communication containing e-PHI must comply with the HIPAA Privacy Rule. Most practitioners, however, may not yet have realized that a number of relatively inexpensive Internet-based telephone carriers are not HIPAA-compliant.

The concept has remained unclear, even though Voice over Internet Protocol (VoIP) was used heavily during COVID. That has now changed: OCR has issued a complete set of guidelines for audio-only telehealth services mediated by the unprotected Internet, stressing the importance of using only HIPAA-compliant phones.

HIPAA-Compliant Phones and the New Guidance

All healthcare service providers who are covered entities must comply with all HIPAA rules if they conduct audio-only services involving the transfer of e-PHI.

The new HIPAA guidance is not for telehealth providers that conduct voice-only services using standard telephone lines. The new security rules apply only to electronically transmitted information, such as that carried by HIPAA-compliant phones. But, considering the adoption of electronic media and the extensive use of electronic devices and technologies such as Wi-Fi, extranets, cellular, and the Internet, it goes without saying that all types of audio-based telehealth services are now covered in the new guidance. Note that the covered healthcare provider won’t be responsible for the privacy of the data they share with patients through electronic media.

A few examples of the entities that use electronic media for remote communication and are required to comply with the HIPAA rules are:

  • Communication apps
  • Apps that record a telehealth session
  • Messaging apps that store audio texts.

The new security rule has made it mandatory for all HIPAA-covered entities to identify and address all possible threats and risks. For instance, the authorities analyze whether covered entities use encrypted transmission technology to ensure that all information exchanged is secured. Most importantly, a telehealth session recorded on provider devices might be leaked to a third party, or an unauthorized user might access this private information, leading to a cybersecurity breach. HIPAA phone compliance also suggests that the app close automatically after a brief period of inactivity.

It is recommended that all healthcare sectors follow these new OCR guidelines and prefer HIPAA-compliant phones to avoid hefty fines for security breaches. See Telehealth.org’s recent article Audio-Only Telehealth HIPAA Guidance Issued: Practitioner Update for more related information.
