Issue Alerts

OCR Announces the End of COVID-19 Public Health Emergency HIPAA Notifications of Enforcement Discretion

May 9, 2023

By: Brooke Bennett Aziere and Gabriella C. Grause

On April 11, 2023, the United States Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced the end of the four Notifications of Enforcement Discretion (“Notifications”) that OCR issued during the COVID-19 public health emergency (“PHE”) pursuant to OCR’s Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) enforcement discretion. The Notifications provided guidance on how OCR would enforce the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (the “HIPAA Rules”) during the PHE. The Notifications will expire on May 11, 2023, at 11:59 p.m., in accordance with the end of the PHE:

• Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency (the “Telehealth Notification”) – effective March 17, 2020. OCR announced it would not impose penalties for noncompliance with the HIPAA Rules against covered healthcare providers (“Providers”) who, in good faith, provided telehealth services using non-public-facing audio or video remote communication technology during the PHE. 
  
  Pursuant to the Telehealth Notification, Providers could provide telehealth services using any available non-public-facing audio or video communication technology without fear of incurring penalties for noncompliance, even if the technology or the manner in which the Providers used such technology did not fully comply with the HIPAA Rules. OCR did not want the fear of penalties to keep Providers who had never provided telehealth services from doing so during the PHE. Non-public-facing means only the intended parties can participate in the communication. For example, the Telehealth Notification indicated that non-public-facing communication technology, including applications such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, and Skype, could be utilized during the PHE. The Telehealth Notification did not permit public-facing communication technology such as Facebook Live, Twitch, TikTok, public chat rooms, or similar applications to be used, because they are open to the public to view or participate. 
  
  Once the Telehealth Notification expires on May 11, 2023, Providers may still provide telehealth services using non-public-facing audio or video communication technology, but they will need to ensure their telehealth practices, including the technology they use, are in compliance with the HIPAA Rules. OCR will provide a 90 calendar-day transition period from May 12, 2023, to 11:59 p.m. on August 9, 2023, (the “Transition Period”) for Providers to become HIPAA-compliant. For example, Providers may need time to enter business associate agreements with telehealth technology vendors or review and update their telehealth policies and procedures. Because OCR recognizes it may take time for Providers to adjust their telehealth practices, OCR will not impose penalties for noncompliance with the HIPAA Rules against Providers who, in good faith, provide telehealth services during the Transition Period. However, once the Transition Period ends, OCR may enforce penalties against Providers with telehealth practices that are not HIPAA-compliant starting on August 10, 2023.
   
• Enforcement Discretion Under HIPAA To Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19 – effective April 7, 2020. OCR announced it would not impose penalties for violations of the HIPAA Privacy Rule against Providers and their business associates when (1) the business associates made good-faith uses or disclosures of PHI for public health and health oversight activities during the PHE, and (2) the business associates informed the Providers within 10 calendar days after such uses and disclosures. 
  
  Under the HIPAA Rules, business associates can use or disclose PHI for public health and health oversight purposes only if it is expressly permitted in a business associate agreement (“BAA”) between the Providers and the business associates. During the PHE, this HIPAA Rule kept some business associates from being able to respond timely to requests for PHI from federal public health authorities and health oversight agencies, state and local health departments, and state emergency operations centers (the “Authorities”) or to requests from the Authorities to perform public health data analytics on the PHI because their business associate agreements did not expressly permit such disclosures. Thus, this Notification allowed business associates to disclose PHI or to perform public health data analytics on such PHI, as requested by the Authorities, if (1) the business associate made a good-faith use or disclosure of the Provider’s PHI for such public health activities or health oversight activities consistent with the HIPAA Rules, and (2) the business associates informed the Provider within 10 calendar days after the uses or disclosures occurred. 
   
• Enforcement Discretion Regarding Online or Web-Based Scheduling Applications for the Scheduling of Individual Appointments for COVID-19 Vaccination During the COVID-19 Nationwide Public Health Emergency – effective December 11, 2020. OCR announced it would not impose penalties for noncompliance with the HIPAA Rules against Providers and their business associates who, in good faith, used online or web based scheduling applications (“WBSAs”) to schedule individual appointments for COVID-19 vaccinations during the PHE. WBSAs are non-public-facing online or web based applications that schedule individual appointments for services in connection with large-scale COVID-19 vaccination. 
  
  This Notification was meant for Providers such as large pharmacy chains, public health authorities, and their business associates who needed to quickly schedule large numbers of COVID-19 vaccination appointments. It allowed such Providers and their business associates to use WBSAs in good faith to schedule appointments without fear of incurring penalties for noncompliance with HIPAA, despite some of the WBSAs not being fully HIPAA-compliant. The Notification recommended certain reasonable safeguards for the Providers and their business associates to implement.
   
• Enforcement Discretion Regarding COVID-19 Community-Based Testing Sites During the COVID-19 Nationwide Public Health Emergency – effective March 13, 2020. OCR announced that it would not impose penalties for noncompliance with the HIPAA Rules against Providers or their business associates who, in good faith, operated COVID-19 specimen collection and testing sites (“Community-Based Testing Sites”) during the PHE. The Notification also recommended certain reasonable safeguards be implemented to protect the privacy and security of PHI as part of operating the Community-Based Testing Sites.

OCR has published frequently asked questions and guidance on HIPAA and telehealth that can be found here, and OCR will provide additional guidance on telehealth remote communications to assist Providers during the Transition Period. Providers and their business associates need to act now to ensure compliance with the HIPAA Rules as the PHE comes to an end.

For More Information

If you have questions or want more information regarding the end of the Notifications of Enforcement Discretion, contact your legal counsel. If you do not have regular counsel for such matters, Foulston Siefkin LLP would welcome the opportunity to work with you to meet your specific business needs. Foulston’s healthcare lawyers maintain a high level of knowledge regarding federal and state regulations affecting the healthcare industry. At the same time, our healthcare practice group's relationship with Foulston’s other practice groups, including the taxation, general business, labor and employment, and commercial litigation groups, enhances our ability to consider the legal ramifications of any situation or strategy. For more information, contact Brooke Bennett Aziere at 316.291.9768 or baziere@foulston.com, or Gabriella C. Grause at 316.291.9750 or ggrause@foulston.com. For more information on the firm, please visit our website at www.foulston.com.

Established in 1919, Foulston Siefkin is the largest Kansas-based law firm. With offices in Wichita, Kansas City, and Topeka, Foulston provides a full range of legal services to clients in the areas of administrative & regulatory; antitrust & trade regulation; appellate law; banking & financial services; business & corporate; construction; creditors’ rights & bankruptcy; e-commerce; education & public entity; elder law; employee benefits & ERISA; employment & labor; energy; environmental; ERISA litigation; estate planning & probate; family business enterprise; franchise & distribution; government investigations & white collar defense; governmental liability; government relations & public policy; healthcare; immigration; insurance regulatory; intellectual property; litigation & disputes; long-term care; mediation/dispute resolution; mergers & acquisitions; Native American law; oil, gas & minerals; OSHA; privacy & data security; private equity & venture capital; product liability; professional malpractice; real estate; renewable energy, storage, and transmission; securities & corporate finance; startup/entrepreneurship; supply chain management; tax-exempt organizations; taxation; trade secret & noncompete litigation; and water rights.

Additional Resources

Sign up to receive healthcare law issue alerts straight to your inbox here.

This update has been prepared by Foulston Siefkin LLP for informational purposes only. It is not a legal opinion; it does not provide legal advice for any purpose; and it neither creates nor constitutes evidence of an attorney-client relationship.