1 min read

COVID-19 HIPAA transition period for telehealth expires at midnight

Picture of Dean Levitt Dean Levitt August 09, 2023

HIPAA compliance Patient privacy
Two people video conferencing on a laptop

Today, August 9, 2023, marks the expiration of the COVID-19 related HIPAA Enforcement Discretion measures. The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) had previously announced this expiration, which was set for midnight, May 11, 2023, followed by a 90-calendar day transition period for telehealth adjustments.

 

Why it matters

The expiration of these notifications signifies that healthcare providers must now ensure full compliance with HIPAA Rules, especially concerning measures introduced during the pandemic. These measures encompassed areas like telehealth and community-based testing sites. The transition period, which began on May 12, 2023, allowed healthcare providers to make necessary operational changes to ensure privacy and security in compliance with the HIPAA Rules.

 

What they're saying

Melanie Fontes Rainer, OCR Director, had previously commented on the matter, stating, "OCR exercised HIPAA enforcement discretion throughout the COVID-19 public health emergency to support the health care sector and the public in responding to this pandemic." She added, "OCR is continuing to support the use of telehealth after the public health emergency by providing a transition period for health care providers to make any changes to their operations that are needed to provide telehealth in a private and secure manner in compliance with the HIPAA Rules."

 

In the know

During the transition period, which concludes today, the OCR did not impose penalties on covered healthcare providers for noncompliance with the HIPAA Rules, as long as the noncompliance was associated with the good faith provision of telehealth. Some of the enforcement discretions that expired included:

  • COVID-19 Community-Based Testing Sites: Allowed covered entities to operate testing sites without penalties for noncompliance, provided they acted in good faith.
  • Telehealth Remote Communications: Permitted healthcare providers to use non-public facing remote communication products for telehealth, even if not fully compliant with HIPAA Rules.
  • Protected Health Information Disclosures by Business Associates: Allowed business associates to disclose protected health information for public health activities related to COVID-19 without penalties, given they acted in good faith.

 

What's next

Healthcare providers should be vigilant of the expiration of the Notifications of Enforcement Discretion and ensure they've made all necessary operational changes to remain compliant with HIPAA Rules, especially as the transition period for telehealth concludes.

 
Secure every email you send and receive HIPAA compliant. Threat-proof. Hassle-free.
Firefighter directing water stream at large wildfire

Hawaii wildfires prompt limited waiver of HIPAA sanctions

Picture of Dean Levitt Dean Levitt : August 12, 2023

The wildfires in Maui have taken a devastating toll, with the death count in Lahaina reaching 80. As recovery efforts continue, the federal...

HIPAA compliance
Read More
Hand holding a sad face emoji

Online review response leads to costly HIPAA violation for healthcare provider

Picture of Dean Levitt Dean Levitt : June 05, 2023

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has reached a settlement with Manasa Health Center, LLC, a New...

HIPAA compliance Patient privacy
Read More
Two people smiling while looking at a laptop on a couch

HHS OCR unveils telehealth privacy and security resources

Picture of Dean Levitt Dean Levitt : October 18, 2023

The U.S. Department of Health and Human Services' Office for Civil Rights (HHS OCR) has released two guidance documents to bolster the privacy and...

HIPAA compliance Patient privacy
Read More

Subscribe to Paubox Weekly

Every Friday we bring you the most important news from Paubox. Our aim is to make you smarter, faster.