How Will the End of HIPAA Enforcement Discretion Affect Covered Entities When the Public Health Emergency Expires on May 11?

Authors:

Paul F. Schmeltzer John F. Howard

On Jan. 30, 2023, the Biden Administration announced its intent to end the national emergency and public health emergency declarations related to the COVID-19 pandemic on May 11, 2023. Thereafter on April 11, 2023, the Department of Health and Human Services Office for Civil Rights (OCR) announced the expiration of its notifications of enforcement discretion related to compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), due to the end of the COVID-19 public health emergency (PHE).

What this means for covered entities under HIPAA is that the four Notifications of Enforcement Discretion will expire on May 11, 2023. The OCR’s four Notifications provided for enforcement discretion for telehealth services, community-based testing sites, uses and disclosures by business associates, and online scheduling of individual appointments for COVID-19 vaccinations.

Telehealth

On March 17, 2020, OCR issued a notification announcing that, with respect to telehealth services offered during the PHE, it would not impose penalties for noncompliance with HIPAA’s regulatory requirements, provided that the noncompliance was in connection with the good-faith provision of telehealth services using nonpublic-facing remote communication technology.

The OCR had recognized that some of the remote communication technologies used by providers during the PHE might not be fully HIPAA compliant. OCR noted that providers can use nonpublic-facing audio and video technologies such as Zoom, FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, but providers should not use public-facing technologies such as Facebook Live, Twitch or TikTok, as these are not private and are widely shared by users.

What this means for covered entities is that OCR expects that providers will use this transition period to choose and implement HIPAA-compliant telehealth technology for the continued provision of telehealth services. Effectively, this means that providers will not be permitted to use standard consumer versions of audio and video technologies such as Zoom and Skype to provide telehealth. Instead, providers will need to transition to technology that complies with HIPAA security and privacy standards. Covered entities must also ensure that they have Business Associate Agreements in place with audio and video technologies vendors they use to provide telehealth services to patients. OCR has provided a 90 calendar-day transition period for this Notification of Enforcement where they will continue to exercise enforcement discretion and not impose any penalties. This period will end on Aug. 9, 2023.

Business Associates

On April 2, 2020, OCR issued a notification announcing its exercise of enforcement discretion with respect to HIPAA’s Privacy Rule as it relates to the use and disclosure of protected health information (PHI) by business associates to aid federal and state health authorities and oversight agencies in addressing the COVID-19 crisis. Under this notification, OCR relaxed its enforcement against business associates for the use and disclosure of a covered entity’s PHI even if not permitted by their business associate agreement, provided that (1) the business associate’s use or disclosure of PHI was in good faith and was made for public health activities or health oversight activities, and (2) the business associate notified the covered entity within 10 days of the use or disclosure of PHI. With the relaxed enforcement of this notification expiring on May 11, 2023, business associates will not be able to disclose PHI to any federal and state agencies that request it for public health purposes or use a covered entities PHI for analysis, to address COVID-19 unless expressly permitted by business associate agreements governing their use and disclosure of PHI. Now is the time for covered entities and business associates to make the necessary changes to their business associate agreements if they wish to have their business associates continue activity permitted under this enforcement discretion, and execute those agreements.

COVID-19 Community-Based Testing Sites

On April 9, 2020, OCR issued a notification stating that it would exercise enforcement discretion and would not impose penalties for HIPAA noncompliance by community-based testing sites, which include mobile, drive-through, and walk-up sites providing COVID-19 testing. Before the expiration of this enforcement discretion on May 11, 2023, covered entities operating community-based testing sites should implement additional safeguards to protect PHI, such as setting up opaque barriers to protect individuals’ identities during the collection of specimens, posting signage prohibiting filming, use secure technology for recording and transmitting electronic PHI, and making notices of privacy practices readily viewable or available for individuals.

Online Scheduling Applications for COVID-19 Vaccinations

OCR issued a notification of its exercise of enforcement discretion regarding nonpublic-facing online or web-based scheduling applications used for scheduling COVID-19 vaccinations. This enforcement discretion was limited to web-based scheduling applications that were used in good faith during the PHE and not directly connected to a covered entity’s electronic health record. The May 11, 2023 expiration of this notification means that covered healthcare providers and their business associates using web-based scheduling applications for the scheduling of individual appointments for COVID-19 vaccinations must implement safeguards to protect the privacy and security of individuals’ PHI, including (1) using and disclosing only the minimum PHI necessary for the purpose; (2) using encryption technology to protect PHI; (3) enabling all available privacy settings; (4) ensuring that storage of any PHI (including metadata that constitutes PHI) by the vendor is only temporary; (5) ensuring the web-based scheduling applications vendor does not use or disclose ePHI in a manner that is inconsistent with HIPAA, and (6) ensuring that business associate agreements are in place with any vendors providing such scheduling applications. Covered entities are encouraged to review the privacy and security protections in place with web-based scheduling applications vendors that represent that their applications are HIPAA-compliant to ensure everything is compliant.