The U.S. Department of Health & Human Services Office of Civil Rights (OCR) announced on April 11, 2023 that the Notifications of Enforcement Discretions issued during the COVID-19 Public Health Emergency (PHE) would be expiring at 11:59 p.m. on May 11, 2023 due to the expiration of the PHE. A copy of the notice of expiration can be found here.

Despite this expiration, OCR Director Melanie Fontes Rainer announced that OCR would be “providing a transition period for health care providers to make any changes to their operations that are needed to provide telehealth in a private and secure manner in compliance with the HIPAA Rules.”

Specifically, OCR is providing a 90-calendar day transition period until 11:59 p.m. on August 9, 2023 for health care providers to come into compliance with the HIPAA Rules with respect to their provision of telehealth. Thus, during this 90-day period, health care providers will not face penalties if they engage in the good faith provision of telehealth.

In 2020 and 2021, OCR published four Notifications of Enforcement Discretion in the Federal Register regarding how the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules would be applied to certain violations during the PHE. The following are links to each of those Notifications:

  • Enforcement Discretion for Telehealth Remote Communications During the COVID–19 Nationwide Public Health Emergency – PDF – This Notification announced that OCR would exercise its enforcement discretion and would not impose HIPAA penalties for noncompliance with the regulatory requirements under the HIPAA Rules in connection with the good faith provision of telehealth using a non-public facing remote communication technology. This exercise of discretion applied to telehealth provided for any reason, regardless of whether the telehealth service was related to the diagnosis and treatment of health conditions related to COVID-19.

Health care providers should carefully review each of these Notifications to assess whether adjustments were made to their daily operating practices during the PHE.

Action should be immediately taken to ensure resumed compliance with all applicable HIPAA Rules following the 90-day transition period expiring on August 9, 2023.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of John W. Kaveney John W. Kaveney

Partner, Healthcare and Litigation Departments

Mr. Kaveney focuses his practice in the area of healthcare law, representing a range of clients that includes for-profit and non-profit hospitals and health systems, academic medical centers, individual physicians and physician groups, ambulatory surgery centers, ancillary service…

Partner, Healthcare and Litigation Departments

Mr. Kaveney focuses his practice in the area of healthcare law, representing a range of clients that includes for-profit and non-profit hospitals and health systems, academic medical centers, individual physicians and physician groups, ambulatory surgery centers, ancillary service providers, medical billing companies, skilled nursing and rehabilitation facilities, behavioral health centers and pharmacies.

His practice in the healthcare field encompasses advising healthcare clients on corporate compliance matters, including the implementation of new, and the assessment of existing, corporate compliance programs. He also assists healthcare clients with compliance audits and investigations, as well as guiding clients through the self-disclosure and repayment processes. Finally, he provides general legal advice concerning compliance and regulatory matters under state and federal healthcare laws.

In the area of information privacy and data security, Mr. Kaveney advises healthcare clients on issues arising under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). This includes the implementation and assessment of privacy and security policies and procedures to ensure the proper protection and utilization of protected health information both by healthcare providers and the business associates with which they contract. In addition, he represents healthcare clients in investigating, reporting, and remediating information breaches and the liability such breaches create under various information privacy and security laws.

Additionally, Mr. Kaveney provides counsel on Medicaid and Medicare reimbursement matters before the Division of Medical Assistance and Health Services and the Provider Reimbursement Review Board, as well as assisting clients in civil litigation and with professional licensing and medical staffing concerns.

Contact information:

jkaveney@greenbaumlaw.com | 973.577.1796 | vCard | LinkedIn

For more information visit the Greenbaum, Rowe, Smith & Davis LLP website.