The Office of Civil Rights is offering healthcare providers a 90-day transition period to comply with the HIPAA Rules for telehealth from May 12 to August 9, with OCR continuing its enforcement discretion and refraining from imposing penalties for noncompliance during the grace period. The PHE allowed providers to treat patients in other states without a license in the state where the patient was located, and non-HIPAA compliant platforms were allowed, which are both coming to an end with the PHE on May 11.
The Department of Health and Human Services OCR has announced that the Office of Civil Rights is providing healthcare providers with a 90-day transition period to comply with the HIPAA Rules for telehealth. The transition period will begin on May 12 and will end on August 9 at 11:59 p.m. During this time, OCR will continue to exercise its enforcement discretion and will not impose penalties on covered providers for noncompliance.
Under the public health emergency (PHE), healthcare professionals were allowed to treat patients in other states without having a license in the state where the patient was discovered. Platforms that were non-HIPAA compliant might also be used as long as they were hidden from the public. With the PHE, both of these flexibility periods will end on May 11; nevertheless, providers will still have 90 days to comply. Other telehealth provisions will expire at the end of 2023 and 2024.
The expiration of HIPAA Enforcement Discretion is set to occur with the end of the COVID-19 Public Health Emergency on May 11. The OCR issued four Notifications of Enforcement Discretion that applied to certain violations of HIPAA rules during the PHE, related to community-based testing sites, using protected health information for public health, scheduling COVID-19 vaccinations, and telehealth appointments.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act during the COVID-19 public health emergency will expire at 11:59 pm on May 11, with the expiration of the COVID-19 public health emergency.
Four Notices of Enforcement Discretion by OCR concerning the COVID-19 worldwide public health emergency’s application of the Privacy, Security, Breach Notification, and Enforcement Regulations of HIPAA were published in the Federal Register in 2020 and 2021.
OCR exercised HIPAA enforcement discretion throughout the COVID-19 public health emergency to support the healthcare sector and the public in responding to the pandemic. OCR continues to support the use of telehealth after the public health emergency by providing a transition period for healthcare providers to make any changes to their operations needed to provide telehealth privately and securely in compliance with the HIPAA Rules, said Melanie Fontes Rainer, OCR Director.