Providers have 90-days from the end of the Public Health Emergency (PHE) to become compliant with the HIPAA Rules for telehealth services
May 12, 2023
The Office for Civil Rights (OCR) announced on April 11, 2023 that providers will have 90-days after the end of the Public Health Emergency (PHE) to become compliant with the HIPAA Rules (HIPAA Privacy, Security and Breach Notification Rules) for telehealth services. Since the beginning of the PHE, the OCR has utilized Enforcement Discretion to determine how violations with privacy, security, and breach notifications would be managed. The PHE ended on May 11, 2023. Providers now have a 90-day transition period (until August 9, 2023) to be compliant with the HIPAA Rules. (Enforcement Discretion for Telehealth Remote Communications During the COVID–19 Nationwide Public Health Emergency – PDF (“Telehealth Notification”), effective from March 17, 2020, to 11:59 pm May 11, 2023.)
Some flexibilities during the PHE included:
- Non-compliance with the use of telehealth technologies that did not fully meet the requirements of the HIPAA Rules, as long as, good faith in the provision of telehealth services was accomplished
- Telehealth services could be provided for either COVID-19 related issues or non-COVID-19 related issues
- Non-public facing applications could be used for video chats (including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype). However, public facing applications, such as Facebook Live, Twitch, and TikTok were not permitted.
- Penalties would not be issued if a Business Associates Agreement (BAA) was not in place with a video communication vendors
Here is a list of HIPAA compliant communication application vendors who stated they would enter into a BAA with a Covered Entity using their platforms:
- Skype for Business I Microsoft Teams
- Updox
- VSee
- Zoom for Healthcare
- Doxy.me
- Google G Suite Hangouts Meet
- Cisco Webex Meetings I Webex Teams
- Amazon Chime
- GoToMeeting
- Spruce Health Care Messenger
In addition to the telehealth enforcement discretion, OCR issued another enforcement discretion notice that impacted the disclosure of Protected Health Information (PHI) by Business Associates (BA) of Covered Entities. (Enforcement Discretion Under HIPAA To Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19 – PDF, effective from April 7, 2020, to 11:59 pm May 11, 2023.) A few things you can do to protect your organization and your patients:
- Make sure your BAs are aware that OCR’s Enforcement Discretion expired at the end of the PHE on May 11, 2023
- Ask your BA to confirm that provisions for the HIPAA Rules (privacy, security, and breach notification) are in place within their organization
- Finally, review and update (if necessary) your Business Associates Agreement (BAA) – this should be done on an annual basis or more frequently, if needed
Read the entire Press Release: https://www.hhs.gov/about/news/2023/04/11/hhs-office-for-civil-rights-announces-expiration-covid-19-public-health-emergency-hipaa-notifications-enforcement-discretion.html