Health Law Scan

Legal Insights and Perspectives for the Healthcare Industry

Back to Business: Adapting to the Expiration of 4 HIPAA Enforcement Discretion Waivers

Throughout the COVID-19 pandemic and related public health emergency (PHE), the US Department of Health and Human Services, Office for Civil Rights (OCR) issued four Notifications of Enforcement Discretion (referred to as “waivers”) designed to offer flexibility to healthcare providers battling the virus. On April 11, the OCR announced that these waivers will officially expire on May 11, 2023, in conjunction with the end of the PHE. While it is not unexpected that the OCR is pulling back these waivers, healthcare providers must ensure that their ongoing operations are fully compliant with the OCR’s HIPAA-related requirements. This blog post details the list of waivers issued by the OCR that will expire on May 11.

Enforcement Discretion Waiver Related to Uses and Disclosures of Protected Health Information by Business Associates

The OCR refrained from imposing penalties against business associates or covered entities for improper disclosure of protected health information (PHI) if (1) the business associate made a good faith use or disclosure of the PHI for public health or health oversight activities and (2) the business associate informed the covered entity within 10 days of such use or disclosure.

This waiver allowed business associates to share PHI or to perform data analytics on PHI at the request of public health authorities and health oversight agencies, health departments, and emergency operations centers to help ensure the health and safety of the public during the PHE.

Enforcement Discretion Waiver Related to Telehealth Remote Communications

The OCR refrained from imposing penalties for noncompliance with HIPAA against covered entities when using unencrypted communications technologies to provide telehealth during the PHE. The waiver permitted the use of “any non-public facing remote communication product that is available to communicate with patients” for video chats.

The waiver also stated the OCR would not impose penalties when covered entities failed to enter into a business associate agreement (BAA) with video communication vendors. This flexibility was critical to enable the widespread provision of telehealth services since physicians and other practitioners did not, at the time, need to invest in higher-cost telehealth platforms to see patients.

Enforcement Discretion Waiver Related to Community-Based Testing Sites

The OCR refrained from imposing penalties for noncompliance with HIPAA against covered entities and business associates in connection with the good faith operation of community-based testing sites (CBTS) during the PHE. The OCR recognized the operation of a CBTS as including any activities that supported the collection of specimens for COVID-19 testing, enabling substantial flexibility in opening and operating pop-up testing sites critical to population surveillance testing.

Enforcement Discretion Waiver Related to Online Scheduling for COVID-19 Vaccinations

The OCR refrained from imposing penalties for noncompliance with HIPAA against covered entities and business associates in connection with the good faith use of online or web-based scheduling applications (WBSAs) to schedule COVID-19 vaccination appointments. This waiver permitted covered entities to quickly schedule a large number of COVID-19 vaccinations without evaluating whether it was necessary to enter into a BAA with the WBSA vendor.

Critically, while the OCR’s waivers will expire on May 11, 2023, the OCR indicated that it will recognize a 90-day transition period, from May 12, 2023 to August 9, 2023. During the transition period, the OCR will continue to exercise its enforcement discretion and will not impose penalties on HIPAA-regulated entities for noncompliance that occurs in connection with the good faith provision of telehealth.

Nevertheless, providers who have been operating telehealth programs through informal communication technologies should begin the process of identifying and contracting with a vendor offering an encrypted and HIPAA-compliant communications platform enabling full audio and video capabilities.

For more information on the OCR waivers and ongoing Office of Inspector General enforcement priorities, please contact the authors of this blog post.