traffic_analyzer/DigitalVision V

Pandemic-Era Telehealth Rules Set to Expire in May, Shifting HIPAA Compliance Obligations

When the public health emergency ends on May 11, OCR’s four Notifications of Enforcement Discretion under HIPAA will also expire, including loosened telehealth requirements.

The COVID-19 public health emergency (PHE) is set to end on May 11, marking the expiration of many pandemic-era support programs and lighter compliance obligations. As such, the HHS Office for Civil Rights (OCR) issued a statement about the end of the PHE, reminding HIPAA-covered entities that the Notifications of Enforcement Discretion issued under HIPAA and HITECH during the pandemic are also set to expire at 11:59 p.m. on May 11.

“OCR exercised HIPAA enforcement discretion throughout the COVID-19 public health emergency to support the health care sector and the public in responding to this pandemic,” said OCR Director Melanie Fontes Rainer.

“OCR is continuing to support the use of telehealth after the public health emergency by providing a transition period for health care providers to make any changes to their operations that are needed to provide telehealth in a private and secure manner in compliance with the HIPAA Rules.”

Specifically, OCR issued four Notifications of Enforcement Discretion under HIPAA in 2020 and 2021 to allow covered entities to set up COVID-19 testing sites, disclose testing data to health authorities, conduct telehealth appointments, and use web-based scheduling applications for COVID-19 vaccinations.

Eased restrictions in these areas allowed covered entities to ensure that patients had access to healthcare services without worrying about facing penalties for noncompliance. For example, providers were permitted to use non-public-facing communication technologies like Zoom and Skype to deliver telemedicine.

“This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID–19,” the rule stated at the time.

The expansion of telehealth during the pandemic even led many patients to prefer telehealth over in-person appointments for select services, changing the nature of how healthcare is delivered.

Although HIPAA-covered entities have been expecting the end of the PHE for some time, HHS granted them a 90-calendar day transition period to come into compliance with HIPAA rules in respect to telehealth.

“The transition period will be in effect beginning on May 12, 2023 and will expire at 11:59 p.m. on August 9, 2023,” HHS stated.

“OCR will continue to exercise its enforcement discretion and will not impose penalties on covered health care providers for noncompliance with the HIPAA Rules that occurs in connection with the good faith provision of telehealth during the 90-calendar day transition period.”

The end of the PHE marks a new era for telehealth, as demand for telehealth remains high but HIPAA penalties come back into play.

Next Steps

Dig Deeper on HIPAA compliance and regulation