Expiration of Certain Notifications of Enforcement Discretion Issued in Response to the COVID-19 Nationwide Public Health Emergency, 45 CFR Parts 160 and 164, 88 Fed. Reg. 22380 (Apr. 13, 2023)
Available at https://www.federalregister.gov/public-inspection/2023-07824/expiration-of-certain-notifications-of-enforcement-discretion-issued-in-response-to-the-covid-19
HHS’s Office for Civil Rights (OCR) has announced that enforcement relief from several HIPAA and HITECH Act requirements granted in connection with the COVID-19 public health emergency (PHE) will end due to the PHE’s expiration. As background, OCR exercised its enforcement discretion during the COVID-19 pandemic to support the health care sector by, among other things, announcing in March 2020 that during the COVID-19 PHE it would not impose HIPAA noncompliance penalties against health care providers using telehealth communications in good faith (see our Checkpoint article). As noted in a news release about the enforcement relief’s expiration, the PHE is expected to end on May 11, 2023.
The guidance allows covered health care providers using telehealth communications a 90-day transition period after the end of the PHE to come into HIPAA compliance, with the enforcement relief expiring at the end of the day on August 9, 2023. The transition period will allow providers more time to bring their telehealth and remote communications services into HIPAA compliance, which may be particularly helpful for those who started using telehealth technology during the PHE. OCR intends to provide additional guidance during the transition period. Enforcement discretion will be exercised with respect to noncompliance that occurs through August 9, 2023, but not with respect to noncompliance that occurs after that time.
EBIA Comment: Although the COVID-19 national emergency ended on April 10, 2023 (see our Checkpoint article), the planned end date of the PHE remains May 11, 2023, unless otherwise announced. The telehealth enforcement relief for providers does not apply directly to health plans, but its expiration serves as a reminder of the breadth and importance of the HIPAA rules. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Section XXIII.O (“HIPAA Privacy and Security Issues for Health Plans Incorporating Telemedicine”). See also EBIA’s Self-Insured Health Plans manual at Section XI.E.5 (“Telemedicine”).
Contributing Editors: EBIA Staff.