HHS Secretary Will Not Renew COVID-19 PHE: HIPAA Enforcement Discretion to End on May 11, 2023
The Secretary of the Department of Health and Human Services (HHS) has announced that he does not plan to renew the COVID-19 Public Health Emergency, which is due to expire on May 11, 2023. The HHS’ Office for Civil Rights (OCR) has confirmed that the Notifications of Enforcement Discretion that were issued in response to the COVID-19 Public Health Emergency will expire one month from today, at 11:59 pm on May 11, 2023.
Four Notifications of Enforcement Discretion were announced by OCR in response to the COVID-19 Public Health Emergency in 2020 and 2021 to support the healthcare sector during the COVID-19 pandemic. Under the Notices of Enforcement Discretion, OCR would refrain from imposing financial penalties for violations of certain provisions of the HIPAA Privacy, Security, and Breach Notification Rules. The flexibilities introduced by OCR concerned Community-based COVID-19 testing sites, uses and disclosures of protected health information by business associates for public health oversight activities, the use of online or web-based scheduling applications for scheduling individual appointments for COVID-19 vaccinations, and the use of telehealth remote communications that would not, under normal circumstances, be HIPAA-compliant.
OCR had previously stated that it would provide healthcare organizations with sufficient time to come into compliance with the HIPAA Rules regarding telehealth, so while the notice of enforcement discretion ends on May 11, 2023, HIPAA-covered entities will be provided with a three-month – 90-day – transition period, during which time financial penalties will not be imposed for non-compliance with the HIPAA Rules in connection with the good faith provision of telehealth services. The transition period starts on May 12, 2023, and expires at 11:59 pm on August 9, 2023.
“OCR exercised HIPAA enforcement discretion throughout the COVID-19 public health emergency to support the health care sector and the public in responding to this pandemic,” said Melanie Fontes Rainer, OCR Director. “OCR is continuing to support the use of telehealth after the public health emergency by providing a transition period for health care providers to make any changes to their operations that are needed to provide telehealth in a private and secure manner in compliance with the HIPAA Rules.”
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Since the telehealth Notice of Enforcement Discretion took effect, healthcare providers have been able to use any non-public-facing remote communication product for audio and video communication to provide telehealth services, even if those platforms are not HIPAA compliant. For instance, if a communication platform was used and the provider of that communication platform was unwilling to enter into a business associate agreement with the healthcare provider, the platform could be used without risking a financial penalty.
Now that the Notice of Enforcement Discretion is due to expire, healthcare providers must now enter into a HIPAA-compliant business associate agreement with the provider of the communication platform to be able to continue to use it after August 9, 2023. Healthcare providers should make arrangements to obtain a business associate agreement or transition to a HIPAA-compliant communications platform as soon as possible to prevent any disruption to telehealth services and to avoid financial penalties for non-compliance.
