The U.S. Department of Health & Human Services Office of Civil Rights (OCR) announced on April 11, 2023 that the Notifications of Enforcement Discretions issued during the COVID-19 Public Health Emergency (PHE) would be expiring at 11:59 p.m. on May 11, 2023 due to the expiration of the PHE. A copy of the notice of expiration can be found here.

Despite this expiration, OCR Director Melanie Fontes Rainer announced that OCR would be “providing a transition period for health care providers to make any changes to their operations that are needed to provide telehealth in a private and secure manner in compliance with the HIPAA Rules.”

Specifically, OCR is providing a 90-calendar-day transition period until 11:59 p.m. on August 9, 2023 for health care providers to come into compliance with the HIPAA Rules with respect to their provision of telehealth. Thus, during this 90-day period, health care providers will not face penalties if they engage in the good faith provision of telehealth.

In 2020 and 2021, OCR published four Notifications of Enforcement Discretion in the Federal Register regarding how the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules would be applied to certain violations during the PHE. The following are links to each of those Notifications:

  • Enforcement Discretion for Telehealth Remote Communications During the COVID–19 Nationwide Public Health Emergency – This Notification announced that OCR would exercise its enforcement discretion and would not impose HIPAA penalties for noncompliance with the regulatory requirements under the HIPAA Rules in connection with the good faith provision of telehealth using a non-public facing remote communication technology. This exercise of discretion applied to telehealth provided for any reason, regardless of whether the telehealth service was related to the diagnosis and treatment of health conditions related to COVID-19.

Health care providers should carefully review each of these Notifications to assess whether adjustments were made to their daily operating practices during the PHE.

Action should be taken immediately to ensure resumed compliance with all applicable HIPAA Rules following the 90-day transition period expiring on August 9, 2023.