Aug. 9, at midnight. This is the date and exact time the HHS Office for Civil Rights (OCR) ended its HIPAA enforcement discretion for the use of telehealth—giving itself back the authority to enforce portions of the privacy, security and breach notification rules it had let slide during the pandemic. In May, OCR ended the three other enforcement waivers, 30 days after the COVID-19 public health emergency (PHE) was declared over.
So, now that fall is here, covered entities (CEs) and business associates (BAs) are all in full compliance with all relevant HIPAA regulations that were loosened for telehealth and other activities during the pandemic, correct?
Not sure? Perhaps now is an appropriate time to be sure.
Beginning in 2020, OCR issued four enforcement discretions that allowed CEs and BAs to undertake some activities in ways that might typically violate HIPAA but that OCR officials believed were necessary, in light of the COVID-19 pandemic, to speed up care and treatment and help end the virus.
On April 13, OCR declared in the Federal Register that with the May 11 expiration of the PHE, OCR’s enforcement discretions would also expire—except when it came to telehealth. For telehealth, OCR allowed an extra 90 days for a “transition period” related to the “provision of telehealth using non-public facing remote communication technologies.” This is the timing that led to the Aug. 9 compliance deadline.
“During the 90-calendar day transition period, OCR will continue to exercise its enforcement discretion and will not impose penalties on covered health care providers for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth,” OCR said in the Federal Register. “These regulatory requirements remain the same as they were before the COVID–19 PHE; however, OCR recognizes that regulated entities that began using remote communication technologies for telehealth for the first time during the COVID–19 PHE may need additional time to come into compliance.”