HIPAA flexibility for telehealth technology
Providers have more flexibility to use everyday technology for virtual visits during the COVID-19 public health emergency. HIPAA-compliant products also provide patient privacy protection for long-term use. The Administration’s plan is to end the COVID-19 public health emergency (PHE) on May 11, 2023.
On this page:
HIPAA flexibilities during COVID-19
The U.S. Department of Health and Human Services Office for Civil Rights issued a Notification of Enforcement Discretion to empower covered health care providers to use widely available communications applications without the risk of penalties imposed by the U.S. Department of Health and Human Services Office for Civil Rights for violations of Health Insurance Portability and Accountability Act of 1996 (HIPAA) rules for the good faith provision of telehealth services. For more information, read FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency or visit HIPAA and COVID-19.
Technology considerations
What’s allowed during COVID-19?
Under this notice, covered health care providers may use popular applications to deliver telehealth as long as they are “non-public facing.” Examples of non-public facing applications include:
Video chat applications
- Apple FaceTime
- Facebook Messenger video chat
- Google Hangouts video
- Zoom
- Skype
Text-based applications
- Signal
- Jabber
- Facebook Messenger
- Google Hangouts
- iMessage
Examples of public facing applications not allowed for this use are Facebook Live and Twitch.
HIPAA-compliant technology
Under this notice, covered health care providers that seek additional privacy protections should use technology vendors that are HIPAA compliant and will enter into HIPAA business associate agreements in connection with the provision of their video communication products. The list below includes some vendors that say they provide HIPAA-compliant video communication products and that they will enter into a HIPAA business associate agreement.
Although it’s always important to confirm, examples of vendors who say they meet HIPAA requirements include:
- Skype for Business / Microsoft Teams
- Updox
- VSee
- Zoom for Healthcare
- Doxy.me
- Google G Suite Hangouts Meet
- Cisco Webex Meetings / Webex Teams
- Amazon Chime
- GoToMeeting
- Spruce Health Care Messenger
Note: The U.S. Department of Health and Human Services Office for Civil Rights has not reviewed the business associate agreements offered by these vendors, and this list does not constitute an endorsement, certification, or recommendation of specific technology, software, applications, or products. There may be other technology vendors that offer HIPAA-compliant video communication products that will enter into a HIPAA business associate agreement with a covered entity. Further, the U.S. Department of Health and Human Services Office for Civil Rights does not endorse any of the applications that allow for video chats listed above.
Disclaimer: The reference to named video- and text-based communications software for telehealth is informational and not intended as an endorsement of those services.
The U.S. Department of Health and Human Services Office for Civil Rights released guidance to help health care providers and health plans bound by HIPAA and HIPAA rules understand how they can use remote communication technologies for audio-only telehealth post-COVID-19 public health emergency. More information about this guidance is available on the Legal Considerations page.