On April 11, 2023, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced its plan to allow the Notifications of Enforcement Discretion issued under HIPAA and the HITECH Act during the COVID-19 Public Health Emergency (PHE) to expire on May 11, 2023.
Early in the COVID-19 pandemic, the use of telehealth appointments increased dramatically in an effort to prevent the spread of COVID-19, as millions of doctors’ visits and health care examinations were often postponed or even canceled. OCR quickly recognized the critical need to assist the healthcare sector and the public in responding to this unprecedented crisis and, in 2020 and 2021, published four Notifications of Enforcement Discretion in the Federal Register regarding how the Privacy, Security, Breach Notification, and Enforcement Rules under HIPAA would be applied to certain violations during the PHE. The following Notifications of Enforcement Discretion were effective immediately and retroactive to the start of the pandemic, and would remain in place for the duration of the COVID-19 PHE:
1. Enforcement Discretion Regarding COVID-19 Community-Based Testing Sites During the COVID-19 Nationwide Public Health Emergency
2. Enforcement Discretion for Telehealth Remote Communications During the COVID–19 Nationwide Public Health Emergency
3. Enforcement Discretion Under HIPAA To Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19
4. Enforcement Discretion Regarding Online or Web-Based Scheduling Applications for the Scheduling of Individual Appointments for COVID-19 Vaccination During the COVID-19 Nationwide Public Health Emergency
Since these Notifications of Enforcement Discretion took effect, healthcare providers have been able to use virtually any non-public-facing remote communication product for audio and video communication to provide telehealth services, even if those platforms were not fully HIPAA-compliant. As many healthcare providers and patients alike have come to rely on this form of patient care, OCR has established a transition period to enable health care providers to make any changes to their operations that are needed to provide telehealth in a private and secure manner in compliance with HIPAA. Accordingly, while the notice of enforcement discretion ends on May 11, 2023, HIPAA-covered entities will be provided with a three-month – 90-day – transition period through August 9, 2023, during which time financial penalties will not be imposed for non-compliance with HIPAA in connection with the good faith provision of telehealth services. OCR will, however, continue to enforce HIPAA for all other purposes after May 11, 2023, and will investigate complaints filed with OCR alleging HIPAA violations that occurred after the enforcement discretion ends.
The expiration of the Notifications of Enforcement Discretion highlights the importance of healthcare providers taking immediate steps to review existing policies and practices as they transition to HIPAA-compliant communications platforms, both to prevent any disruption to telehealth services and to avoid financial penalties for non-compliance.