The U.S. Department of Health & Human Services Office of Civil Rights (OCR) announced on April 11, 2023 that the Notifications of Enforcement Discretions issued during the COVID-19 Public Health Emergency (PHE) would be expiring at 11:59 p.m. on May 11, 2023 due to the expiration of the PHE. A copy of the notice of expiration can be found here.

Despite this expiration, OCR Director Melanie Fontes Rainer announced that OCR would be “providing a transition period for health care providers to make any changes to their operations that are needed to provide telehealth in a private and secure manner in compliance with the HIPAA Rules.”

Specifically, OCR is providing a 90-calendar day transition period until 11:59 p.m. on August 9, 2023 for health care providers to come into compliance with the HIPAA Rules with respect to their provision of telehealth. Thus, during this 90-day period, health care providers will not face penalties if they engage in the good faith provision of telehealth.

In 2020 and 2021, OCR published four Notifications of Enforcement Discretion in the Federal Register regarding how the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules would be applied to certain violations during the PHE. The following are links to each of those Notifications:

• Enforcement Discretion Regarding COVID-19 Community-Based Testing Sites During the COVID-19 Nationwide Public Health Emergency – PDF – This Notification announced that OCR would exercise its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules by covered health care providers, including some large pharmacy chains, and their business associates, in connection with the good faith participation in the operation of COVID-19 specimen collection and testing sites.

• Enforcement Discretion for Telehealth Remote Communications During the COVID–19 Nationwide Public Health Emergency – PDF – This Notification announced that OCR would exercise its enforcement discretion and would not impose HIPAA penalties for noncompliance with the regulatory requirements under the HIPAA Rules in connection with the good faith provision of telehealth using a non-public facing remote communication technology. This exercise of discretion applied to telehealth provided for any reason, regardless of whether the telehealth service was related to the diagnosis and treatment of health conditions related to COVID-19.

• Enforcement Discretion Under HIPAA To Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19 – PDF – This Notification announced that OCR would exercise its enforcement discretion to not impose penalties on covered health care providers or their business associates for violations of certain provisions of the HIPAA Privacy Rule for uses and disclosures of PHI by business associates for public health and health oversight activities.

• Enforcement Discretion Regarding Online or Web-Based Scheduling Applications for the Scheduling of Individual Appointments for COVID-19 Vaccination During the COVID-19 Nationwide Public Health Emergency – PDF – This Notification announced that OCR would exercise its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules by covered health care providers, including some large pharmacy chains and public health authorities, or their business associates, in connection with the good faith use of online or web-based scheduling applications for the limited purpose of scheduling individual appointments for COVID-19 vaccinations.

Health care providers should carefully review each of these Notifications to assess whether adjustments were made to their daily operating practices during the PHE.

Action should be immediately taken to ensure resumed compliance with all applicable HIPAA Rules following the 90-day transition period expiring on August 9, 2023.