Notifications of Enforcement Discretion during the COVID-19 Public Health Emergency
As with many other things, the Notifications of Enforcement Discretion issued during the COVID-19 public health emergency by the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) ended upon the expiration of the COVID-19 public health emergency.
Flexibility for Health Care Providers
In 2020 and 2021, OCR published four separate Notifications of Enforcement Discretion in the Federal Register regarding how the HIPAA Rules (including Privacy, Security, Breach Notification, and Enforcement) would be applied to certain violations during the COVID-19 public health emergency. These Notifications gave health care providers flexibility to respond effectively to the COVID-19 public health emergency.
Notification on Uses and Disclosures of Protected Health Information
One of the Notifications that expired, Enforcement Discretion Under HIPAA To Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19, allowed discretion in imposing penalties on covered health care providers or their business associates for uses and disclosures of protected health information by business associates for public health and health oversight activities, provided certain parameters were met.
Notification on COVID-19 Community-Based Testing Sites
Another Notification that expired, Enforcement Discretion Regarding COVID-19 Community-Based Testing Sites (CBTS) During the COVID-19 Nationwide Public Health Emergency, allowed OCR to exercise enforcement discretion when it came to penalties for noncompliance with HIPAA Rules by covered health care providers and their business associates in their good faith participation in operating COVID-19 testing sites.
Notification on Online or Web-Based Scheduling Applications for COVID-19 Vaccination
The third Notification that expired, Enforcement Discretion Regarding Online or Web-Based Scheduling Applications for the Scheduling of Individual Appointments for COVID-19 Vaccination During the COVID-19 Nationwide Public Health Emergency, allowed enforcement discretion by OCR for noncompliance with HIPAA Rules by covered health care providers and their business associates in connection with their good faith use of online or web-based scheduling applications for the limited purpose of scheduling appointments for COVID-19 vaccines.
Notification on Telehealth Remote Communications
And the fourth – and final – expired Notification was the Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID–19 Nationwide Public Health Emergency. This Notification allowed OCR enforcement discretion in connection with noncompliance with the regulatory requirements under the HIPAA Rules when it came to the good faith provision of telehealth using a non-public facing remote communication technology. This discretion applied to all telemedicine visits, irrespective of whether the service was related to the diagnosis and/or treatment of COVID-19 and related conditions.
Expiration of Enforcement Discretion
The expiration of the enforcement discretion means that the Notifications will not provide a basis for OCR to exercise enforcement discretion with respect to imposing penalties for violations of HIPAA Rules. However, OCR will continue to exercise enforcement discretion consistent with the Notifications for violations of the HIPAA Rules that occurred during the period each Notification was in effect.
“OCR exercised HIPAA enforcement discretion throughout the COVID-19 public health emergency to support the health care sector and the public in responding to this pandemic,” said Melanie Fontes Rainer, OCR Director. “OCR is continuing to support the use of telehealth after the public health emergency by providing a transition period for health care providers to make any changes to their operations that are needed to provide telehealth in a private and secure manner in compliance with the HIPAA Rules.”
90-Day Transition Period for Telemedicine Notification
Additionally, in response to the enforcement discretion period ending, OCR is providing a 90-day transition period so that covered health care providers can come back into compliance with the HIPAA Rules as they relate to providing telemedicine services. The HIPAA Rules and requirements are the same as they were prior to the COVID-19 public health emergency, but because some providers may have used telemedicine for the first time during the public health emergency, the 90-day transition period is allowed. The transition period started on May 12, 2023 (the day after the COVID-19 public health emergency ended) and will end at 11:59 PM on August 9, 2023. During that time, OCR will continue to exercise enforcement discretion and will not impose penalties on covered health care providers for noncompliance with the HIPAA Rules as they relate to the good faith provision of telehealth services via non-public facing remote communication technologies.