On April 11, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that four Notifications of Enforcement Discretion (“Notifications”) that were issued under the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”) during the COVID-19 pandemic will expire on May 11, 2023. In response to the COVID-19 Public Health Emergency, OCR announced it would exercise enforcement discretion with respect to noncompliance with certain provisions of HIPAA. Now that the public health emergency is set to expire, OCR is rescinding the relevant Notifications. Below, we summarize the four Notifications that are set to expire:
- Enforcement discretion to allow uses and disclosures of Protected Health Information (“PHI”) by business associates for public health and health oversight activities. OCR did not impose penalties against business associates or covered entities if: (1) the business associate made a good faith use or disclosure of the covered entity’s PHI for public health activities or health oversight activities, and (2) the business associate informed the covered entity within ten days after the use or disclosure occurred (or commenced, with respect to uses or disclosures that will repeat over time).
- Enforcement discretion regarding COVID–19 Community-Based Testing Sites (“CBTS”) during the pandemic. OCR did not penalize covered health care providers or their business associates for noncompliance with HIPAA if they had participated in good faith in the operation of a CBTS.
- Enforcement discretion regarding online or web-based scheduling applications for COVID–19 vaccinations. OCR did not penalize covered health care providers or their business associates for noncompliance with HIPAA if they acted in good faith when using online or web-based scheduling applications for the scheduling of COVID-19 vaccinations.
- Enforcement discretion for telehealth remote communications during the pandemic. As our past coverage on this issue highlighted, OCR had exercised enforcement discretion with respect to a covered entity’s communication with patients and provision of telehealth services using remote communication technologies that did not fully comply with the HIPAA Security Rule. Specifically for this Notification, OCR is providing a 90-calendar-day transition period, beginning on May 12, 2023, and ending on August 9, 2023, for covered health care providers to come into compliance with HIPAA. OCR will continue to exercise its enforcement discretion during this transition period and will not impose penalties on covered health care providers for noncompliance with HIPAA that occurs in connection with the good faith provision of telehealth services. During this transition period, OCR plans to provide additional guidance on telehealth remote communications to assist covered health care providers with coming into compliance with HIPAA. After the transition period, OCR will no longer use this Notification as a basis to exercise discretion in enforcing HIPAA’s requirements as they relate to telehealth services.
The official Federal Register notice can be found here.