The Secretary of the Department of Health and Human Services will not be renewing the COVID-19 Public Health Emergency (PHE), which is set to expire at 11:59 pm on May 11, 2023. That means the four Notices of Enforcement Discretion issued by the HHS’ Office for Civil Rights (OCR) in 2020 and 2021 in response to the COVID-19 pandemic will also expire, and the HIPAA flexibilities they introduced will no longer be in effect.
The four Notices of Enforcement Discretion allowed HIPAA-covered entities to set up covid testing sites, use web-based scheduling applications for arranging COVID-19 vaccinations, disclose testing data to health authorities, and conduct telehealth appointments using technologies that may not be fully compliant with the HIPAA Rules.
Telehealth services were massively expanded during the pandemic to allow patients to receive the care they needed remotely, without having to travel to see a healthcare provider in person. This was important during the pandemic to control infections. Telehealth services have proven popular and many patients now prefer to have at least some healthcare visits conducted via audio and video communications platforms.
Healthcare providers that want to continue to provide patients with telehealth services must now ensure that the communication platforms they use allow telehealth to be provided in a private and secure manner, and those platforms must now be fully compliant with the HIPAA Rules.
The end of the COVID-19 PHE should not come as a surprise to HIPAA-covered entities, as when HHS Secretary Xavier Becerra announced the last extension to the PHE in January he said the PHE would not be renewed again, and when OCR announced the Notices of Enforcement Discretion it was made clear that they would only remain in place for as long as the COVID-19 PHE existed.
However, OCR accepts that it may take time for healthcare providers to ensure their telehealth services are fully compliant with the HIPAA Rules and confirmed that there will be a 90-day transition period, during which time OCR will continue to exercise enforcement discretion for telehealth. That means that financial penalties will not be imposed for HIPAA violations related to the good faith provision of telehealth services per the telehealth Notice of Enforcement Discretion up to 11:59 pm on August 11, 2023. After August 11, 2023, healthcare providers will risk financial penalties if they continue to provide telehealth services using communications platforms that are not fully HIPAA compliant.
