With the COVID public health emergency (PHE) having ended, you are likely already in action mode to prepare for all the regulatory changes. Some flexibilities will stay intact or have been extended, but most requirements and policies will revert back to their pre-pandemic state — including relaxed HIPAA enforcement.
If you’re fuzzy on the different HIPAA-related flexibilities, it’s understandable. The Office for Civil Rights (OCR) issued them at different times and tweaked them after they went into effect. Here is a brief overview of the four Notifications of Enforcement Discretion slated to expire, according to OCR guidance:
- Get ready for these changes for testing sites. OCR announced an enforcement discretion for COVID testing on April 9, 2020 with a retroactive start date of March 13, 2020. Under the notification, certain covered entities (CEs), business associates (BAs), and large pharmacy chains wouldn’t have penalties imposed for noncompliance with specific provisions of the HIPAA rules when participating in the feds’ COVID-19 testing program. This specifically impacted providers, BAs, and pharmacies operating and testing patients at COVID-19 Community-Based Testing Sites (CBTS) across the nation. Find the details on this policy in the Federal Register, which expired on May 11.
- Understand the telehealth updates — and transition option. On March 17, 2020, OCR announced an enforcement discretion for HIPAA related to the Centers for Medicare & Medicaid Services’ (CMS’) telehealth expansion. During the COVID PHE, OCR has opted to not impose penalties for HIPAA noncompliance “against covered healthcare providers in connection with the good faith provision of telehealth,” according to the provision. Under the enforcement discretion, the feds allowed providers to utilize non-public-facing technologies like FaceTime and Skype for telehealth visits without risk of penalty, but public-facing technologies like TikTok and Facebook Live were not allowed.
OCR plans to continue exercising its enforcement discretion for the telehealth provision over a transition period, the agency says. “OCR is providing a 90-calendar day transition period for covered health care providers to come into compliance with the HIPAA Rules with respect to their provision of telehealth.”
The transition period will start on May 12 and will end at 11:59 p.m. on Aug. 9. Review the original provision in the Federal Register.
- Know the use and disclosure of PHI updates. During the heights of the pandemic, information exchange was critical to circumventing the spread of the virus. That prompted OCR to add an enforcement discretion on April 7, 2020, noting that it would not impose penalties on CEs and BAs for specific HIPAA Privacy Rule provisions when patients’ protected health information (PHI) was used or disclosed for PHE-related matters. This policy particularly promoted the sharing of data between CEs and CMS, the Centers for Disease Control and Prevention (CDC), and other state and local health agencies for public health reasons and pandemic oversight. See details on this enforcement discretion that ended on May 11 in the Federal Register.
- Here’s how vaccination scheduling changes. On Dec. 11, 2020, OCR announced another COVID-19 PHE-inspired enforcement discretion. This one allowed CEs to use web-based-scheduling applications (WBSAs) to schedule patients’ COVID vaccination appointments with vendors without imposing penalties for HIPAA violations. This last provision expired on May 11 like the others and is available to peruse in the Federal Register.
Bottom line: With the PHE — and OCR’s enforcement discretions — ending in a matter of weeks, you should be updating your policies and procedures to align with pre-pandemic HIPAA compliance. You can find OCR’s explanation and overview of the expiration of these Notifications of Enforcement Discretion in the Federal Register.
Learn how to manage your urgent care after the end of the PHE in this blog >>