By Libbie CanterAnna D. KrausOlivia VegaElizabeth Brim & Jorge Ortiz on April 14, 2023

On April 11, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that four Notifications of Enforcement Discretion (“Notifications”) that were issued under the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”) during the COVID-19 pandemic will expire on May 11, 2023.  In response to the COVID-19 Public Health Emergency, OCR announced it would exercise enforcement discretion with respect to noncompliance with certain provisions of HIPAA.  Now that the public health emergency is set to expire, OCR is rescinding the relevant Notifications.  Below, we summarize the four Notifications that are set to expire:

  1. Enforcement discretion to allow uses and disclosures of Protected Health Information (“PHI”) by business associates for public health and health oversight activities.  OCR did not impose penalties against business associates or covered entities if: (1) the business associate made a good faith use or disclosure of the covered entity’s PHI for public health activities or health oversight activities, and (2) the business associate informed the covered entity within ten days after the use or disclosure occurred (or commenced, with respect to uses or disclosures that will repeat over time).
  2. Enforcement discretion regarding COVID–19 Community-Based Testing Sites (“CBTS”) during the pandemic.  OCR did not penalize covered health care providers or their business associates for noncompliance with HIPAA if they had participated in good faith in the operation of a CBTS. 
  3. Enforcement discretion regarding online or web-based scheduling applications COVID–19 vaccinations.  OCR did not penalize covered health care providers or their business associates for noncompliance with HIPAA if they acted in good faith when using online or web-based scheduling applications for the scheduling of COVID-19 vaccinations.
  4. Enforcement discretion for telehealth remote communications during the pandemic.  As our past coverage on this issue highlighted, OCR had exercised enforcement discretion with respect to a covered entity’s communication with patients and provision of telehealth services using remote communication technologies that did not fully comply with the HIPAA Security Rule.  Specifically for this Notification, OCR is providing a 90-calendar-day transition period, beginning  on May 12, 2023, and end on August 9, 2023, for covered health care providers to come into compliance with HIPAA.  OCR will continue to exercise its enforcement discretion during this transition period and will not impose penalties on covered health care providers for noncompliance with HIPAA that occurs in connection with the good faith provision of telehealth services.  During this transition period, OCR plans to provide additional guidance on telehealth remote communications to assist covered health care providers with coming into compliance with HIPAA.  After the transition period, OCR will no longer use this Notification as a basis to exercise discretion in enforcing HIPAA’s requirements as they relate to telehealth services.  

The official Federal Register notice can be found here.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Photo of Anna D. Kraus Anna D. Kraus

Anna Durand Kraus has a multi-disciplinary practice advising clients on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (HHS) gives her broad experience…

Anna Durand Kraus has a multi-disciplinary practice advising clients on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (HHS) gives her broad experience with, and valuable insight into, the programs and issues within the purview of HHS, including Medicare, Medicaid, fraud and abuse, and health information privacy. Ms. Kraus regularly advises clients on Medicare reimbursement matters, the Medicaid Drug Rebate program, health information privacy issues (including under HIPAA and the HITECH Act), and the challenges and opportunities presented by the Affordable Care Act.

Photo of Olivia Vega Olivia Vega

Olivia Vega provides strategic advice to global companies on a broad range of privacy, health care, and technology issues, including in technology transactions, mergers and acquisitions, and regulatory compliance. Within her practice, Olivia counsels clients on navigating the complex web of federal and…

Olivia Vega provides strategic advice to global companies on a broad range of privacy, health care, and technology issues, including in technology transactions, mergers and acquisitions, and regulatory compliance. Within her practice, Olivia counsels clients on navigating the complex web of federal and state privacy and data security laws and regulations, including on topics such as HIPAA, California’s Confidentiality of Medical Information Act, and the California Consumer Privacy Act. In addition, Olivia maintains an active pro bono practice.

Photo of Elizabeth Brim Elizabeth Brim

Elizabeth Brim is an associate in the firm’s Washington, DC office. She is a member of the firm’s Health Care and Data Privacy and Cybersecurity Practice Groups, advising clients on a broad range of regulatory and compliance issues. In addition, Elizabeth maintains an…

Elizabeth Brim is an associate in the firm’s Washington, DC office. She is a member of the firm’s Health Care and Data Privacy and Cybersecurity Practice Groups, advising clients on a broad range of regulatory and compliance issues. In addition, Elizabeth maintains an active pro bono practice.

Photo of Jorge Ortiz Jorge Ortiz

Jorge Ortiz is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and the Technology and Communications Regulation Practice Groups.

Jorge advises clients on a broad range of privacy and cybersecurity issues, including topics related…

Jorge Ortiz is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and the Technology and Communications Regulation Practice Groups.

Jorge advises clients on a broad range of privacy and cybersecurity issues, including topics related to privacy policies and compliance obligations under U.S. state privacy regulations like the California Consumer Privacy Act.