The U.S. Department of Health and Human Services’ Office of Civil Rights (“OCR”) has announced that several notifications of enforcement discretion issued during the COVID-19 public health emergency (“PHE”) will expire concurrently with the expiration of the PHE on May 11, 2023 at 11:59 PM. OCR originally issued guidance in March 2020, April 2020, and December 2020 explaining how it would apply enforcement discretion and not enforce penalties as they related to violations of Privacy, Security, and Breach Notification Rules promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA Rules”) and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Both arose from certain activities related to the COVID-19 PHE.
The previously announced notifications allowed for flexibility in OCR’s regulatory enforcement in the following areas:
Allowance for Uses and Disclosures of PHI for Public Health and Health Oversight Activities in response to COVID-19
Covered entities and business associates were permitted to use and disclose PHI for COVID-19 response and public health surveillance activities. For example, this flexibility covered disclosures to the Centers for Disease Control and Prevention (“CDC”) or similar state or local agencies, as well as disclosures to the Centers for Medicare and Medicaid Services (“CMS”).
COVID-19 Community-Based Testing Sites during the PHE
OCR allowed for enforcement discretion related to noncompliance in connection with good faith participation and operation of community-based COVID-19 specimen and testing sites. This included mobile, drive-through, and walk-up sites at various community access and private business locations.
Online or web-based scheduling appointments for vaccination during the PHE
OCR allowed for enforcement discretion related to noncompliance in connection with good faith use of web-based applications or online modalities used to schedule COVID-19 vaccination appointments.
Telehealth Remote Communications
OCR allowed for enforcement discretion with regulatory requirements in connection with the use of non-public facing telehealth technologies to provide telehealth services, regardless of whether or not the service was related to COVID-19. This notification allowed providers to use popular apps including, but not limited to, FaceTime, Skype, Zoom, and Google Hangouts. OCR has recognized that some of these vendors may offer HIPAA-compliant products and/or have expressed willingness to enter into business associate agreements, but has not approved or endorsed any of the same.
OCR is allowing for a 90-day transition period and will continue to exercise enforcement discretion. Additionally, it will not impose penalties on covered entities for noncompliance with HIPAA Rules associated with the provider’s good faith provision of telehealth services only. The 90-day transition period is scheduled to end on August 9, 2023 at 11:59 PM. During this time, providers should review their telehealth technology vendor(s), confirm the execution of a business associate agreement with vendors, as necessary, and review the vendor’s compliance with the HIPAA Rules. OCR plans to release additional guidance for covered entities during the transition period.