The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) has announced the expiration of the COVID-19 related HIPAA Enforcement Discretion measures on May 11, 2023. Healthcare providers must ensure compliance with HIPAA Rules, as the OCR provides a 90-calendar day transition period for telehealth adjustments.
Why it matters:
The expiration of these notifications means that healthcare providers must ensure compliance with the HIPAA Rules as they relate to the various measures introduced during the pandemic, such as telehealth and community-based testing sites.
What they're saying:
"OCR exercised HIPAA enforcement discretion throughout the COVID-19 public health emergency to support the health care sector and the public in responding to this pandemic," said Melanie Fontes Rainer, OCR Director. "OCR is continuing to support the use of telehealth after the public health emergency by providing a transition period for health care providers to make any changes to their operations that are needed to provide telehealth in a private and secure manner in compliance with the HIPAA Rules."
In the know:
The OCR will continue to support the use of telehealth after the public health emergency by providing a 90-calendar day transition period for healthcare providers to make necessary changes to their operations to ensure privacy and security compliance with the HIPAA Rules.
The transition period will begin on May 12, 2023, and end at 11:59 pm on August 9, 2023. During this time, OCR will not impose penalties on covered healthcare providers for noncompliance with the HIPAA Rules, as long as the noncompliance is in connection with the good faith provision of telehealth.
A breakdown of enforcement discretions expiring on 11:59 pm on May 11, 2023
- COVID-19 Community-Based Testing Sites: This enforcement discretion allowed covered entities to operate COVID-19 testing sites without facing penalties for noncompliance with the HIPAA Rules, as long as they acted in good faith to provide testing services during the public health emergency.
- Telehealth Remote Communications: The Telehealth Notification permitted healthcare providers to utilize non-public facing remote communication products (such as video chat applications) for telehealth purposes, even if those products did not fully comply with the HIPAA Rules, to facilitate patient care during the pandemic.
- Protected Health Information Disclosures by Business Associates: This enforcement discretion allowed business associates to use and disclose protected health information (PHI) for public health and health oversight activities related to COVID-19 without facing penalties for noncompliance, as long as they acted in good faith.
- Online Scheduling of COVID-19 Vaccination Appointments: This discretion enabled covered entities to use online or web-based scheduling applications for individual appointments related to COVID-19 vaccinations, even if these applications did not fully comply with the HIPAA Rules, as long as the entities acted in good faith.
Healthcare providers should be aware of the expiration of the Notifications of Enforcement Discretion and make any necessary operational changes to ensure compliance with HIPAA Rules during the 90-calendar day transition period for telehealth.