The HHS’ Office for Civil Rights (OCR) has confirmed that the Notifications of Enforcement Discretion it issued due to the COVID-19 pandemic will expire on May 11, 2023; however, regulated entities will be provided with a 90-day grace period to ensure their telehealth services are fully HIPAA-compliant.
The COVID-19 pandemic put healthcare organizations under an incredible strain, and as they battled to provide care to patients under extremely difficult circumstances, OCR provided assistance by exercising enforcement discretion for certain violations of the HIPAA Privacy and Security Rules. OCR published four Notifications of Enforcement Discretion in the Federal Register that confirmed certain good faith violations of the HIPAA Rules would not result in sanctions or penalties.
Those Notifications of Enforcement Discretion took effect immediately, applied retroactively to the start of the pandemic, and were to remain in place for the duration of the COVID-19 Public Health Emergency (PHE). The COVID-19 PHE has been renewed a dozen times since it was first declared. On April 12, 2023, OCR confirmed that it is the intention of the Secretary of the Department of Health and Human Services not to extend the COVID-19 PHE again. The PHE is due to expire at 11:59 pm on May 11, 2023.
That means that the Notifications of Enforcement Discretion will also expire at 11:59 pm on May 11, 2023, and any good faith violations of the HIPAA Rules covered by those Notifications of Enforcement Discretion after that date and time will be subject to financial penalties and sanctions as they were before the COVID-19 pandemic. The Notifications of Enforcement Discretion that will expire are:
- Enforcement Discretion Regarding COVID-19 Community-Based Testing Sites During the COVID-19 Nationwide Public Health Emergency
- Enforcement Discretion Under HIPAA To Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19
- Enforcement Discretion Regarding Online or Web-Based Scheduling Applications for the Scheduling of Individual Appointments for COVID-19 Vaccination During the COVID-19 Nationwide Public Health Emergency
- Enforcement Discretion for Telehealth Remote Communications During the COVID–19 Nationwide Public Health Emergency
OCR had previously provided reassurances to HIPAA-regulated entities that notice would be given to allow them time to ensure compliance with HIPAA Privacy and Security Rules with respect to the provision of telehealth services. OCR has confirmed that there will be a 90-day transition period during which time the flexibilities with respect to telehealth will continue. The 90-day transition period starts on May 12, 2023, which means HIPAA-regulated entities will not be penalized for good faith violations of the HIPAA Rules – as stated in the telehealth Notice of Enforcement Discretion – up to 11:59 pm on August 11, 2023.
The telehealth Notice of Enforcement Discretion covered the use of audio and video communications solutions for the provision of telehealth services and permitted the use of platforms that are not fully HIPAA-compliant, provided those platforms were not public-facing. That meant communications platforms could be used for telehealth even if the provider was unwilling to sign a business associate agreement.
Any HIPAA-regulated entity that provides telehealth services must now ensure that all communications platforms used for telehealth are fully HIPAA-compliant, which means a HIPAA-compliant business associate agreement will be required. If a BAA cannot be obtained, it will be necessary to transition to a HIPAA-compliant provider. Implementing a new solution and training the staff on the use of that platform may be a time-consuming process, so HIPAA-regulated entities should start planning the transition to ensure they are brought into compliance ahead of the compliance deadline.