HIPAA Compliance After the COVID-19 Public Health Emergency and the Expiration of Existing Enforcement Discretion

Last month, HHS Office for Civil Rights (“OCR”) announced that its COVID-19 related enforcement discretion regarding the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) will end on May 11, 2023, coinciding with the expiration of the national public health emergency (“PHE”).

OCR exercised HIPAA-related enforcement discretion throughout the PHE to enable flexibility associated with the good faith provision of telehealth, and it will continue this flexibility by providing a 90-calendar day transition period that will extend to August 9, 2023. During the transition period, OCR will continue to exercise its discretion for:

  • Covid-19 Testing Sites, which removed the imposition of penalties for HIPAA noncompliance against a covered entity in connection with the good faith participation of their business associates in operating COVID–19 Community-Based Testing Sites.
  • Telehealth Remote Communications, which removed the imposition of penalties for HIPAA noncompliance for the good faith provision of telehealth during the PHE.
  • Uses and disclosures of PHI by business associates for public oversight activities, which removed the imposition of penalties if the business associate made a good faith use of PHI for public health activities or health oversight activities and informed the covered entity within 10 days after such use.
  • Web-based scheduling applications for scheduling of individual appointments for COVID-19 vaccinations, which permitted the good faith use of web applications without imposing information collection requirements or enforcing penalties for noncompliance with HIPAA.

The transition period will allow health care providers to make any required changes to their operations to provide telehealth in a private and secure manner in compliance with the HIPAA Rules.

It is imperative that covered entities and their business associates remain apprised on OCR policy related to HIPAA and telehealth, as well as legislation that may expand or restrict access to virtual care, particularly as applicable COVID-19 waivers continue to expire.

How Frier Levitt Can Help

Frier Levitt continues to stay abreast of new and proposed telehealth and data privacy legislation affecting providers “post-pandemic” now that waiver periods have all but elapsed. Frier Levitt attorneys regularly advise providers, marketers, and administrative and technology companies on developing and restructuring telehealth business models to comply with applicable law, including data privacy laws, while considering obstacles such as licensing, prescribing, and insurance reimbursement concerns that are unique to each arrangement. If you are seeking to Launch a Telemedicine Practice or Telehealth Startup or want to ensure your compliance in an existing model, contact us to speak to an experienced telehealth attorney who can comprehensively evaluate and recommend a compliant, sustainable model.