HIPAA-compliant telehealth? Back to business, after a 90-day transition period
When the public health emergency ends on May 11, the HHS - which announced a transition period for providers to come back into compliance after three years - will not impose penalties on unsecure video chats or FaceTime until August 9.
Relaxed enforcement of federal telehealth rules because of the pandemic is coming to an end.
Health care providers will have 90 days to comply with HIPAA telehealth rules after the COVID Public Health Emergency ends at midnight on May 11. The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced that it will continue to exercise its enforcement discretion – and not impose penalties – on covered providers for noncompliance during the 90-day transition period, which will expire on August 9, 2023.
“OCR exercised HIPAA enforcement discretion throughout the COVID-19 public health emergency to support the health care sector and the public in responding to this pandemic,” OCR Director Melanie Fontes Rainer said. “OCR is continuing to support the use of telehealth after the public health emergency by providing a transition period for health care providers to make any changes to their operations that are needed to provide telehealth in a private and secure manner in compliance with the HIPAA rules.”
During the public health emergency, providers did not have to be licensed in the state in which the patient was located and were allowed to treat patients in other states. In addition, non-HIPAA-compliant platforms were allowed if they were not public facing, such as video chats or FaceTime. Both of these flexibilities are coming to an end, with other telehealth provisions set to expire at the end of 2023 and 2024.
This means unsecure video chats, social media and FaceTime can no longer be used for telehealth unless they follow the HIPAA Privacy and Security Rules. Facilities have until Aug. 9, 2023, to get back in compliance.
In 2020 and 2021, OCR published four notifications of enforcement discretion. These notifications and their effective beginning and ending dates are:
- Enforcement Discretion Regarding COVID-19 Community-Based Testing Sites During the COVID-19 Nationwide Public Health Emergency (March 13, 2020, to 11:59 p.m., May 11, 2023).
- Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency (March 17, 2020, to 11:59 p.m., May 11, 2023).
- Enforcement Discretion Under HIPAA To Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19 (April 7, 2020, to 11:59 p.m., May 11, 2023).
- Enforcement Discretion Regarding Online or Web-Based Scheduling Applications for the Scheduling of Individual Appointments for COVID-19 Vaccination During the COVID-19 Nationwide Public Health Emergency (December 11, 2020, to 11:59 p.m., May 11, 2023).