Telehealth HIPAA Compliance Flexibilities Extended as the Public Health Emergency Ends

Jonathan Ishee, Michael Paluzzi
Goodwin
Contact
LinkedIn
Facebook
X
Send
Embed

Goodwin

During the COVID-19 public health emergency (PHE), many federal telehealth rules were made flexible to accommodate the need for continued access to healthcare, including prescribing controlled substances without an in-person patient examination, as discussed in our earlier client alert. Another flexibility allowed covered healthcare providers to provide telehealth services to patients through remote technologies that may not have fully complied with the requirements of the Health Information Portability and Accountability Act of 1996 (HIPAA), as amended, including its implementing regulations. Since March 17, 2020, the Office for Civil Rights (OCR), the agency tasked with enforcing HIPAA, has exercised enforcement discretion to not impose penalties for such noncompliance. 

On May 11, 2023, OCR’s enforcement discretion expired, and the US Department of Health and Human Services (HHS) released a fact sheet that details how OCR will continue to support the use of telehealth after the PHE by providing a 90-calendar-day transition period for covered healthcare providers to make any changes to operations required to provide telehealth in compliance with HIPAA. Thus, compliance enforcement will not resume until after August 9, 2023. 

Transitioning to a new telehealth technology and altering current operations takes time; therefore, providers should begin investigating whether their telehealth technologies comply with HIPAA requirements. Specifically, providers should ensure that: (1) only authorized users have access to electronic protected health information (ePHI) through the technology, (2) the technology is sufficiently secure to protect the integrity of ePHI, and (3) appropriate safeguards are in place for sending communications containing ePHI through the technology to prevent accidental or malicious breaches. Providers should be aware that the communication of ePHI via SMS text messaging, unencrypted or unsecured email, or Skype does not fulfill the requirements above unless a patient opts into communication through such channels. Thus, providers should review their practices with respect to communication through such channels before enforcement resumes. 

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Goodwin | Attorney Advertising

Written by:

Goodwin
Goodwin
Contact
more
less

Goodwin on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide