On April 11, 2023, the Department of Health and Human Services’ Office for Civil Rights (OCR) confirmed that four notifications of enforcement discretion regarding enforcement of the HIPAA Privacy, Security, and Breach Notification Rules (the HIPAA rules) during the COVID-19 public health emergency (PHE) will expire at the end of the PHE.¹ The notifications, which address (i) telehealth services, (ii) COVID-19 community-based testing sites, (iii) business associate disclosures of COVID-19 data to public health and health oversight agencies, and (iv) web-based scheduling applications for vaccinations, will expire at 11:59 pm on May 11, 2023.² After that date, OCR will no longer rely on the notifications to exercise enforcement discretion with respect to the HIPAA violations addressed in each notification.

To soften the transition, OCR is providing a 90-calendar-day period (ending on August 9, 2023, at 11:59 pm) to give covered entities and business associates relying on the telehealth services notification additional time to come into full compliance with the HIPAA rules. There is not a similar transition period for the other notifications. OCR will continue to exercise enforcement discretion for violations of the HIPAA rules which occurred during the PHE and are covered by the notifications.

Background

OCR issued the notifications during the PHE to assist covered entities and their business associates (collectively, regulated entities) in addressing the nation’s healthcare needs during the COVID-19 pandemic. Because of the speed and scale with which regulated entities had to provide healthcare services, particularly in the early days of the PHE, such entities sometimes used technology or otherwise delivered healthcare services in a manner that did not fully comply with the HIPAA rules. Pursuant to the notifications, OCR exercised enforcement discretion and refrained from penalizing certain violations of the HIPAA Rules during the PHE. However, OCR also encouraged regulated entities to implement safeguards to minimize the risk to the privacy and security of protected health information (PHI).

The four notifications set to expire at the end of the PHE are described below, though given developments over the past three years, the telehealth services notification is likely to be most relevant to regulated entities.

• Enforcement Discretion for Telehealth Remote Communications During the COVID–19 Nationwide Public Health Emergency

This notification provides that OCR will not impose penalties for noncompliance with the HIPAA rules in connection with the good faith provision of telehealth during the PHE.³ OCR’s exercise of enforcement discretion with respect to telehealth services was crucial during the COVID-19 pandemic, allowing providers to treat patients virtually, thereby limiting the risk of exposure for providers, their staffs, and other patients. Under this notification, a covered healthcare provider could use any non-public facing remote communication product for audio or video communication (e.g., Apple FaceTime, Zoom, and Skype) with a patient for the good-faith provision of telehealth services. For example, OCR stated that it would not impose penalties against covered entity healthcare providers for lack of a HIPAA business associate agreement (BAA) with a video communications vendor. OCR also issued FAQs explaining what it may consider to be the bad faith provision of telehealth services that could trigger enforcement action by the agency.

In the April 2023 notice, OCR encourages regulated entities to use the 90-day transition period to modify their telehealth practices to come into compliance with the HIPAA rules by, among other things, selecting a telehealth vendor that will sign a BAA and comply with the applicable HIPAA rules. The transition period will give regulated entities until 11:59 pm on August 9, 2023, to bring their telehealth services into compliance with the HIPAA rules.

• Enforcement Discretion Regarding COVID-19 Community-Based Testing Sites During the COVID-19 Nationwide Public Health Emergency

This notification provides that OCR will exercise enforcement discretion with respect to noncompliance by regulated entities with the HIPAA rules related to good faith participation in the operation of COVID-19 community-based testing sites (CBTS).⁴ OCR recognized that during the COVID-19 pandemic, covered healthcare providers, including large pharmacy chains, and business associates may participate in CBTS, including mobile, drive-through, or walk-up sites providing COVID–19 specimen collection or testing services to the public. OCR issued this notification to prevent the fear of technical HIPAA violations from impeding the rapid rollout of CBTS during the pandemic.

Those covered healthcare providers and business associates still operating CBTS must comply with the HIPAA rules after 11:59 pm on May 11, 2023.

• Enforcement Discretion under HIPAA to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19

This notification provides that OCR will exercise enforcement discretion with respect to business associates providing PHI, such as COVID-19 data, to federal, state, and local public health and health oversight agencies to assist with ensuring the public health and safety during the PHE.⁵ During the pandemic, federal public health authorities and health oversight agencies like the Centers for Disease Control and Prevention and Centers for Medicare & Medicaid Services, state and local health departments, and state emergency operations centers requested COVID-19 data, including PHI, from business associates. However, under the HIPAA Rules, business associates could not disclose such PHI unless expressly permitted by a BAA. This notification permitted business associates to make good faith disclosures of the needed COVID-19 data to federal, state, and local public health and health oversight agencies. To the extent that business associates are providing PHI under this notification, that provision of data must end or otherwise come into compliance with the HIPAA rules on May 12, 2023.

• Enforcement Discretion Regarding Online or Web-Based Scheduling Applications for the Scheduling of Individual Appointments for COVID-19 Vaccination During the COVID-19 Nationwide Public Health Emergency

This notification provides that OCR will not impose penalties for noncompliance in connection with the good faith use of online or web-based scheduling applications (WBSAs) for scheduling individual appointments for COVID–19 vaccinations during the PHE.⁶ OCR recognized that covered healthcare providers may use WBSAs to quickly schedule large numbers of people for COVID-19 vaccinations. However, some WBSAs, and the ways in which they are used, may not fully comply with the HIPAA rules. To the extent regulated entities are using or providing WBSAs, they must fully comply with the HIPAA rules beginning May 12, 2023.

Coming into Compliance

Regulated entities should prepare for the expiration of the notifications by assessing whether they are still relying on any of the notifications in providing services. If so, they should consider how to provide the services in a way that fully complies with the HIPAA rules. For example, while there were relatively few telehealth applications that complied with the HIPAA Security Rule at the beginning of the COVID-19 pandemic, there are now many more telehealth vendors offering products that comply with the HIPAA Rules. Regulated entities should also update their HIPAA policies and procedures once they identify how they will provide services after May 11, 2023, and train their workforce members accordingly.

Copyright 2023, American Health Law Association, Washington, DC. Reprint permission granted.

[1] https://www.hhs.gov/about/news/2023/04/11/hhs-office-for-civil-rights-announces-expiration-covid-19-public-health-emergency-hipaa-notifications-enforcement-discretion.html

[2] 88 Fed. Reg. 22380 (Apr. 13, 2023), https://www.govinfo.gov/content/pkg/FR-2023-04-13/pdf/2023-07824.pdf.

[3] 85 Fed. Reg. 22024(Apr. 21, 2020), https://www.govinfo.gov/content/pkg/FR-2020-04-21/pdf/2020-08416.pdf.

[4] 85 Fed. Reg. 29637 (May 18, 2020), https://www.govinfo.gov/content/pkg/FR-2020-05-18/pdf/2020-09099.pdf.

[5] 85 Fed. Reg. 19392 (Apr. 7, 2020), https://www.govinfo.gov/content/pkg/FR-2020-04-07/pdf/2020-07268.pdf.

[6] 86 Fed. Reg. 11139 (Feb. 24, 2021), https://www.govinfo.gov/content/pkg/FR-2021-02-24/pdf/2021-03348.pdf.