HIPAA Compliance Alert: OCR Anticipates the End of Enforcement Discretion for Telehealth Use

A popular saying is that it takes 21 days to form a habit and about 66 days on average for a behavior to become automatic. If that is correct, the three-year period of unprecedented waivers and flexibilities in the provision of healthcare related to the COVID Public Health Emergency (“PHE”) gave both providers and patients more than enough time to develop certain automatic behaviors around the provision and receipt of healthcare services.

The more immediate impact of the PHE was to change the healthcare landscape, with a sudden and exponential growth in the use of telehealth by both providers and patients. During the initial year of the PHE, telehealth was a critical tool for providers and patients seeking to minimize physical contact and the risk and spread of COVID infection. Accordingly, its use was facilitated by several PHE-era flexibilities, from payment policy waivers to the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announcement of enforcement discretion regarding telecommunications technologies.

However, over time, telehealth began to change the general expectations (for both providers and patients) about how and where healthcare should and could be provided. Easy access to telehealth has become the norm, as opposed to the exception, as clinicians became accustomed to the flexibility of being able to “work from home” and patients got used to seeking healthcare advice from the comfort of their own living rooms.

As early as 2021, we began cautioning providers to start thinking about “future-proofing” their telehealth models. Now, with the official end of the PHE approaching rapidly on May 11, 2023, OCR Director Melanie Fontes Rainer has confirmed that OCR will be providing a “transition period” of 90 days to allow healthcare providers to make operational changes to ensure that telehealth is provided in compliance with the HIPAA requirements. By August 9, 2023, OCR may undertake action and impose penalties on covered entities that are non-compliant with HIPAA rules in the provision of telehealth services. Thus, healthcare providers should start preparing now for the changes by ensuring that appropriate business associate agreements are in place with all telehealth vendors. Providers should also consider assessing staff practice patterns related to telehealth and revisiting staff education on the use of permitted, HIPAA-compliant telehealth platforms. As always, healthcare providers should also ensure that all technologies and applications that will have access to or transmit protected health information (“PHI”) are included in the provider’s HIPAA-required Security Risk Assessment.

Other areas in which OCR is ending its enforcement discretion on May 11, 2023, include: COVID-19 community-based testing sites, the uses and disclosures of PHI for public health and health oversight activities for COVID-19, and online or web-based scheduling applications for COVID-19 vaccinations.

For more information, please contact AGG Healthcare partners Lanchi Bombalier or Madison Pool.