Notifications of Enforcement Discretion expire at 11:59 pm on May 11, 2023
Today, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announces that the Notifications of Enforcement Discretion issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act during the COVID-19 public health emergency will expire at 11:59 pm on May 11, 2023, due to the expiration of the COVID-19 public health emergency.
“OCR exercised HIPAA enforcement discretion throughout the COVID-19 public health emergency to support the health care sector and the public in responding to this pandemic,” said Melanie Fontes Rainer, OCR Director. “OCR is continuing to support the use of telehealth after the public health emergency by providing a transition period for health care providers to make any changes to their operations that are needed to provide telehealth in a private and secure manner in compliance with the HIPAA Rules.”
In 2020 and 2021, OCR published four Notifications of Enforcement Discretion in the Federal Register regarding how the Privacy, Security, Breach Notification, and Enforcement Rules (“HIPAA Rules”) would be applied to certain violations during the COVID-19 nationwide public health emergency. These Notifications and the effective beginning and end dates are:
- Enforcement Discretion Regarding COVID-19 Community-Based Testing Sites During the COVID-19 Nationwide Public Health Emergency – PDF, effective from March 13, 2020, to 11:59 pm May 11, 2023.
- Enforcement Discretion for Telehealth Remote Communications During the COVID–19 Nationwide Public Health Emergency – PDF (“Telehealth Notification”), effective from March 17, 2020, to 11:59 pm May 11, 2023.
- Enforcement Discretion Under HIPAA To Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19 – PDF, effective from April 7, 2020, to 11:59 pm May 11, 2023.
- Enforcement Discretion Regarding Online or Web-Based Scheduling Applications for the Scheduling of Individual Appointments for COVID-19 Vaccination During the COVID-19 Nationwide Public Health Emergency – PDF, effective from December 11, 2020, to 11:59 pm May 11, 2023.
OCR is providing a 90-calendar day transition period for covered health care providers to come into compliance with the HIPAA Rules with respect to their provision of telehealth. The transition period will be in effect beginning on May 12, 2023 and will expire at 11:59 p.m. on August 9, 2023. OCR will continue to exercise its enforcement discretion and will not impose penalties on covered health care providers for noncompliance with the HIPAA Rules that occurs in connection with the good faith provision of telehealth during the 90-calendar day transition period.
The Notice of Expiration of Certain Notifications of Enforcement Discretion Issued in Response to the COVID-19 Nationwide Public Health Emergency may be found at: https://public-inspection.federalregister.gov/2023-07824.pdf – PDF.
Source: HHS