AMARILLO, TX – The COVID-19 pandemic affected life in a myriad of ways. Those effects extended into most facets of everyday life, and very notably in our healthcare system. A system based on very specific, and sometimes outdated, rules and regulations suddenly found itself in a position where not only did it have to be flexible with the needs of the communities it serves but be willing to advance much faster than its rules would normally allow.
Enter enforcement discretion. Several offices within the Department of Health and Human Services (HHS) exercised enforcement discretion during the COVID-19 public health emergency (PHE), including the Office for Civil Rights (OCR), which is responsible for maintaining and enforcing health information privacy (i.e., HIPAA). Enforcement discretion essentially means that OCR would use its discretion to decide whether and when it would enforce the rules of HIPAA.
This enforcement discretion allowed healthcare providers to offer services like telehealth without having to meet certain requirements under HIPAA. But, the government announced that the PHE would end on May 11, 2023. And, with the expiration of the PHE comes the termination of OCR’s enforcement discretion. So, what does this mean for providers, and will they have to re-learn how to provide healthcare services in a post-PHE system?
There were four notifications from the OCR related to HIPAA enforcement discretion issued during 2020 and 2021. Each of those notifications will be terminating on the same date as the expiration of the PHE. Those notifications are:
- Enforcement Discretion related to COVID-19 community-based testing sites during the PHE. This notification allowed enforcement discretion for issues of noncompliance with providers that participated in good faith in the operation of a COVID-19 Community-Based Testing Site during the PHE.
- Enforcement Discretion related to remote telehealth communications during the PHE. This notification allowed enforcement discretion for issues of noncompliance with providers that offered telehealth services during the PHE.
- Enforcement Discretion related to uses and disclosures of protected health information by business associates for certain activities during the PHE. This notification allowed enforcement discretion for issues of noncompliance with providers or business associates that used or disclosed protected health information for public health and health oversight activities during the PHE.
- Enforcement Discretion related to online web-based scheduling applications for COVID-19 vaccinations during the PHE. This notification allowed enforcement discretion for issues of noncompliance with providers using online or web-based scheduling applications in good faith to schedule COVID-19 vaccinations during the PHE.
OCR will continue to exercise its enforcement discretion consistent with the notifications with respect to any violations that occurred during the period of each notification, so it will not retroactively review providers for HIPAA violations. If you relied on one or more of the notifications listed above when implementing services or practices during the PHE, OCR has announced a 90-calendar day transition period. Covered entities and business associates have from May 12, 2023 through August 9, 2023 at 11:59pm to come into compliance with HIPAA rules related to telehealth.
This applies to all covered entities and business associates that are affected by the notifications listed above. If you’re not certain whether your business has any practices in place that are affected by the termination of OCR’s enforcement discretion, then you should consult with your attorney as soon as possible.
Lastly, it is important to note that the termination of this enforcement discretion is coming around the same time as new HIPAA rules. Back in 2020, OCR proposed a number of changes to HIPAA, which had not previously been overhauled since 2013. It is anticipated that the final rule implementing those changes will be published some time in 2023. Those changes will affect more than just telehealth services, and we encourage you to keep an eye out for them as well.
Rossanna J. Madrigal, JD, MPH is a senior attorney in the Health Care Group at Brown & Fortunato, PC, a law firm with a national health care practice based in Texas. She represents pharmacies, infusion companies, HME companies, manufacturers and other health care providers throughout the United States. Ms. Madrigal can be reached at (806) 345-6308 or firstname.lastname@example.org.
Jeffrey S. Baird, JD, is chairman of the Health Care Group at Brown & Fortunato, PC, a law firm with a national health care practice based in Texas. He represents pharmacies, infusion companies, HME companies, manufacturers and other health care providers throughout the United States. Baird is Board Certified in Health Law by the Texas Board of Legal Specialization and can be reached at (806) 345-6320 or email@example.com.