OCR Expiring COVID Enforcement Discretion
Updated: May 1
This news primarily affects the following enforcement discretion the Office of Civil Rights implemented in support of the COVID pandemic:
Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities
Online or Web-Based Scheduling Applications for the Scheduling of Individual Appointments
Melanie Fontes Rainer, OCR Director is quoted, "OCR exercised HIPAA enforcement discretion throughout the COVID-19 public health emergency to support the health care sector and the public in responding to this pandemic,” and “OCR is continuing to support the use of telehealth after the public health emergency by providing a transition period for health care providers to make any changes to their operations that are needed to provide telehealth in a private and secure manner in compliance with the HIPAA Rules.”
OCR is providing a 90-calendar day transition period for covered health care providers to come into compliance with the HIPAA Rules with respect to their provision of telehealth. The transition period will be in effect beginning on May 12, 2023 and will expire at 11:59 p.m. on August 9, 2023. OCR will continue to exercise its enforcement discretion and will not impose penalties on covered health care providers for noncompliance with the HIPAA Rules that occurs in connection with the good faith provision of telehealth during the 90-calendar day transition period.
Updated May 1st: We're adding an (but not all) example(s) of what these changes mean. During COVID, OCR may have overlooked using communications methods that may not be HIPAA compliant (e.g. Zoom, Skype, FaceTime, etc.) and OCR may now elect to investigate providers and their business associates continuing to use non-compliant methods to communicate with their patients.
Each affected topic is linked above.
Stay (HIPAA) safe,