The COVID-related discretionary enforcement of HIPAA for telehealth service delivery will end on August 10, 2023, according to the US Department of Health and Human Services’ Office for Civil Rights (OCR). The announcement, titled “Expiration of Notifications of Enforcement Discretion and Transition Period for Telehealth,” explains that the 90-calendar-day transition period for telehealth that began in April will expire at 11:59 PM on August 9, 2023. The OCR oversees the enforcement of specific regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), including the HIPAA Privacy, Security, and Breach Notification Rules.
History of HIPAA Enforcement Discretion
During the nationwide health crisis caused by the COVID-19 pandemic, healthcare providers were informed that the OCR would operate with “discretionary enforcement” of HIPAA requirements. In some cases, clinicians were allowed to employ remote communication technologies for telehealth services, some of which did not strictly adhere to HIPAA requirements. In light of the public health emergency caused by COVID-19, the OCR exercised leniency in its enforcement, refraining from imposing penalties for noncompliance with HIPAA regulations. The OCR enforcement discretion applied to all telehealth services, irrespective of whether they were directly linked to diagnosing or treating COVID-19-related health issues.
Providers were informed that they could use popular video chat applications such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, but only if they explained the risks to their clients and patients. The notice also named specific platforms which were to be avoided, including Facebook Live, Twitch, and TikTok, as they were considered “public-facing.”
For enhanced privacy protection, providers were encouraged to provide telehealth services through HIPAA-compliant technology vendors willing to establish HIPAA Business Associate Agreements (BAAs).
Upcoming HIPAA Enforcement Changes
Starting August 10, the OCR will reinstate its former levels of enforcement, marking a return to the pre-pandemic state of HIPAA regulation. Healthcare providers will therefore need to be fully compliant with all aspects of the HIPAA rules, including but not limited to those related to telehealth services. More specifically, the OCR has continued its quest to prosecute covered entities that violate the HIPAA Right of Access Initiative by choosing to withhold records from patients and, more recently, has been prosecuting vendors who fail to honor their obligations under BAAs.