COVID-19 HIPAA transition period for telehealth expires at midnight

Today, August 9, 2023, marks the expiration of the COVID-19 related HIPAA Enforcement Discretion measures. The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) had previously announced this expiration, which was set for midnight, May 11, 2023, followed by a 90-calendar day transition period for telehealth adjustments.

Why it matters

The expiration of these notifications signifies that healthcare providers must now ensure full compliance with HIPAA Rules, especially concerning measures introduced during the pandemic. These measures encompassed areas like telehealth and community-based testing sites. The transition period, which began on May 12, 2023, allowed healthcare providers to make necessary operational changes to ensure privacy and security in compliance with the HIPAA Rules.

What they're saying

Melanie Fontes Rainer, OCR Director, had previously commented on the matter, stating, "OCR exercised HIPAA enforcement discretion throughout the COVID-19 public health emergency to support the health care sector and the public in responding to this pandemic." She added, "OCR is continuing to support the use of telehealth after the public health emergency by providing a transition period for health care providers to make any changes to their operations that are needed to provide telehealth in a private and secure manner in compliance with the HIPAA Rules."

In the know

During the transition period, which concludes today, the OCR did not impose penalties on covered healthcare providers for noncompliance with the HIPAA Rules, as long as the noncompliance was associated with the good faith provision of telehealth. Some of the enforcement discretions that expired included:

• COVID-19 Community-Based Testing Sites: Allowed covered entities to operate testing sites without penalties for noncompliance, provided they acted in good faith.
• Telehealth Remote Communications: Permitted healthcare providers to use non-public facing remote communication products for telehealth, even if not fully compliant with HIPAA Rules.
• Protected Health Information Disclosures by Business Associates: Allowed business associates to disclose protected health information for public health activities related to COVID-19 without penalties, given they acted in good faith.

What's next

Healthcare providers should be vigilant of the expiration of the Notifications of Enforcement Discretion and ensure they've made all necessary operational changes to remain compliant with HIPAA Rules, especially as the transition period for telehealth concludes.