Today, August 9, 2023, marks the expiration of the COVID-19 related HIPAA Enforcement Discretion measures. The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) had previously announced this expiration, which was set for midnight, May 11, 2023, followed by a 90-calendar day transition period for telehealth adjustments.
The expiration of these notifications signifies that healthcare providers must now ensure full compliance with HIPAA Rules, especially concerning measures introduced during the pandemic. These measures encompassed areas like telehealth and community-based testing sites. The transition period, which began on May 12, 2023, allowed healthcare providers to make necessary operational changes to ensure privacy and security in compliance with the HIPAA Rules.
Melanie Fontes Rainer, OCR Director, had previously commented on the matter, stating, "OCR exercised HIPAA enforcement discretion throughout the COVID-19 public health emergency to support the health care sector and the public in responding to this pandemic." She added, "OCR is continuing to support the use of telehealth after the public health emergency by providing a transition period for health care providers to make any changes to their operations that are needed to provide telehealth in a private and secure manner in compliance with the HIPAA Rules."
During the transition period, which concludes today, the OCR did not impose penalties on covered healthcare providers for noncompliance with the HIPAA Rules, as long as the noncompliance was associated with the good faith provision of telehealth. Some of the enforcement discretions that expired included:
Healthcare providers should be vigilant of the expiration of the Notifications of Enforcement Discretion and ensure they've made all necessary operational changes to remain compliant with HIPAA Rules, especially as the transition period for telehealth concludes.