End of the Public Health Emergency Marks End of HIPAA Enforcement Discretion for Telehealth Practices
The COVID-19 public health emergency (PHE) in the United States came to an end on May 11, 2023. Simultaneously, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced that its enforcement discretion regarding violations of the Health Insurance Portability and Accountability Act (HIPAA), applicable during the PHE, also would be coming to an end.[i] Covered entities and business associates now have a 90-day transition period, ending on Aug. 9, 2023, in which to bring their telehealth practices into compliance with the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (HIPAA Rules). Among other things, this will require entities that may be using telehealth technologies provided by companies that will not agree to sign business associate agreements (BAAs) to switch to platforms offered by companies that do.
In 2020 and 2021, OCR published four Notifications of Enforcement Discretion (Notifications) regarding how the HIPAA Rules would be applied to certain violations occurring during the PHE. Three of the Notifications involved COVID-19-specific activities. In each Notification, OCR determined it would not impose penalties against covered entities or their business associates for noncompliance with the requirements under the HIPAA Rules when participating in good faith in specific activities.
In its March 17, 2020, Notification, OCR announced that it would not impose penalties against providers for violations of the HIPAA Rules when delivering care of any type remotely by telehealth.[ii] Specifically, providers who treated patients in good faith using everyday, non-public facing communications technologies like FaceTime or Skype would not be subject to HIPAA enforcement. However, OCR cautioned that this flexibility did not extend to the use of public-facing video communication applications like Facebook Live, Twitch, and TikTok. Despite recommending that providers identify HIPAA-compliant telehealth vendors and enter into BAAs with such vendors, OCR confirmed it would not impose penalties for failure to have a BAA in place or other noncompliance with HIPAA requirements during the PHE.
Through Aug. 9, OCR will continue to exercise its enforcement discretion and will not impose penalties for noncompliance with the HIPAA Rules that occur in connection with the good faith provision of telehealth. Between now and then, health care providers should take advantage of the transition period to review their telehealth operations — including their arrangements with their telehealth technology vendors — and take steps to ensure that their provision of telehealth services complies in all respects with the HIPAA Rules.
[i] Notice of Expiration of Certain Notifications of Enforcement Discretion Issued in Response to the COVID–19 Nationwide Public Health Emergency (Apr. 13, 2023).
[ii] See Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency (Mar. 17, 2020).