Expiration of COVID HIPAA Enforcement Discretion

Expiration of COVID HIPAA Enforcement Discretion

The Secretary of Health and Human Services announced that the COVID-19 public health emergency (PHE) declaration will officially expire on May 11, 2023. Accordingly, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced that its enforcement discretion concerning the Health Insurance Portability and Accountability Act (HIPAA) will expire at the same time. Upon expiration of the PHE, OCR will no longer have the ability to exercise discretion when imposing penalties for HIPAA violations.

To help providers come into compliance with the HIPAA Rules on telehealth, OCR is providing a 90-day transition period ending on August 9, 2023. During this transition period, OCR will not penalize healthcare providers in connection with the good faith provision of telehealth.

HIPAA Enforcement Discretion

HIPAA creates federal standards for when and how health care providers, including allergists, can use protected health information (PHI). OCR is tasked with enforcing HIPAA regulations by investigating complaints, conducting compliance reviews and audits, providing education and outreach to support compliance, and imposing civil monetary penalties up to $50,000 per violation.

To provide flexibility so health care providers could respond effectively to the COVID-19 PHE, OCR exercised enforcement discretion with respect to certain HIPAA Rules during the PHE.

During the COVID-19 PHE, the OCR has not imposed penalties for noncompliance with the HIPAA Rules in connection with:

  • The good faith provision of telehealth using a nonpublic facing audio or video remote communication technology – i.e., Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype – has applied to all telehealth, regardless of whether the service was related to the diagnosis and treatment of health conditions related to COVID-19.
  • Uses and disclosures of PHI by business associates for public health and health oversight activities.
  • The good faith use of online or web-based scheduling applications for the scheduling of individual appointments for COVID-19 vaccinations.
  • The good faith participation in the operation of a COVID-19 Community-Based Testing Site.

REMEMBER: While HIPAA enforcement discretion will end on May 11, 2023, OCR is providing a 90-day transition period – until Aug. 9, 2023 – with respect to the provision of telehealth. During this time, the OCR will not impose HIPAA violation penalties in connection with the good faith provision of telehealth.

The expiration of HIPAA enforcement discretion is separate and distinct from the Medicare waivers on telehealth services.

For more information on HIPAA and telehealth, please refer to the guidance webpage.