OCR Issues a 90-day transition for HIPAA Compliant Telehealth Platforms

Under the PHE (Public Health Emergency), non-HIPAA compliant platforms (like smartphone applications FaceTime and Skype) were allowed as long as they were not public facing (i.e., TikTok, Vimeo, etc).

But with the PHE winding down in less than a month, the OCR (Office of Civil Rights) originally state that this flexibility would expire with the PHE. Meaning that the platform used for all Telehealth encounters has to be HIPAA protected.

The Office of Civil Rights, updated this statement in April and said they are “providing a 90-day transition period for healthcare providers to come into compliance with the HIPAA Rules regarding telehealth, according to the HHS OCR.”

The transition period will be in effect beginning on May 12 and will expire at 11:59 p.m. on August 9.

OCR said it would continue to exercise its enforcement discretion and not impose penalties on covered providers for noncompliance during the 90-day transition period. Once the transition period ends, patients will no longer be able to use their non-HIPAA smartphone apps for their Telehealth encounters. They will need to access HIPAA-secured platforms, and physician practices should make sure they are also posting this alert and change in plain sight for patients. They have been used to 3 years of relaxed rules, and these rules will be back to pre-PHE status by August. The time is now to start making the transition.

Other telehealth provisions expire at the end of 2023 and 2024. Look for our Medicare 1st and 2nd Quarter NSCHBC Webinars for more information on all statuses of the 1135 Waiver Flexibilities at https://nschbc.org/catalog_qtrly.

Why This Matters

HIPAA Enforcement Discretion is expiring with the end of the COVID-19 Public Health Emergency on May 11, according to the OCR notice on April 11.

OCR issued four Notifications of Enforcement Discretion that applied to certain violations of HIPAA rules during the PHE. These were related to community-based testing sites; using protected health information for public health; scheduling appointments for COVID-19 vaccinations; and telehealth.

The “Big Picture”

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act during the COVID-19 public health emergency will expire at 11:59 pm on May 11, with the expiration of the COVID-19 public health emergency.

In 2020 and 2021, OCR published four Notifications of Enforcement Discretion in the Federal Register regarding how the Privacy, Security, Breach Notification, and Enforcement Rules of HIPAA would be applied to certain violations during the COVID-19 nationwide public health emergency.

These Notifications and the effective beginning and ending dates are:

  • Enforcement Discretion Regarding COVID-19 Community-Based Testing Sites During the COVID-19 Nationwide Public Health Emergency, effective from March 13, 2020, to 11:59 pm May 11, 2023.
  • Enforcement Discretion for Telehealth Remote Communications During the COVID–19 Nationwide Public Health Emergency, effective from March 17, 2020, to 11:59 pm May 11, 2023.
  • Enforcement Discretion Under HIPAA To Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19, effective from April 7, 2020, to 11:59 pm May 11, 2023.
  • Enforcement Discretion Regarding Online or Web-Based Scheduling Applications for the Scheduling of Individual Appointments for COVID-19 Vaccination During the COVID-19 Nationwide Public Health Emergency, effective from December 11, 2020, to 11:59 pm May 11, 2023.

The Notice of Expiration of Certain Notifications of Enforcement Discretion Issued in Response to the COVID-19 Nationwide Public Health Emergency may be found at: https://public-inspection.federalregister.gov/2023-07824.pdf – PDF.

On The Record

“OCR exercised HIPAA enforcement discretion throughout the COVID-19 public health emergency to support the healthcare sector and the public in responding to this pandemic,” said Melanie Fontes Rainer, OCR Director. “OCR is continuing to support the use of telehealth after the public health emergency by providing a transition period for healthcare providers to make any changes to their workflow operations that are needed to provide telehealth in a private and secure manner in compliance with the HIPAA Rules.”

References: