During the COVID-19 public health emergency (PHE), many federal telehealth rules were made flexible to accommodate the need for continued access to healthcare, including prescribing controlled substances without an in-person patient examination, as discussed in our earlier client alert. Another flexibility allowed covered healthcare providers to provide telehealth services to patients through remote technologies that may not have fully complied with the requirements of the Health Information Portability and Accountability Act of 1996 (HIPAA), as amended, including its implementing regulations. Since March 17, 2020, the Office for Civil Rights (OCR), the agency tasked with enforcing HIPAA, has exercised enforcement discretion to not impose penalties for such noncompliance.
On May 11, 2023, OCR’s enforcement discretion expired, and the US Department of Health and Human Services (HHS) released a fact sheet that details how OCR will continue to support the use of telehealth after the PHE by providing a 90-calendar-day transition period for covered healthcare providers to make any changes to operations required to provide telehealth in compliance with HIPAA. Thus, compliance enforcement will not resume until after August 9, 2023.
Transitioning to a new telehealth technology and altering current operations takes time; therefore, providers should begin investigating whether their telehealth technologies comply with HIPAA requirements. Specifically, providers should ensure that: (1) only authorized users have access to electronic protected health information (ePHI) through the technology, (2) the technology is sufficiently secure to protect the integrity of ePHI, and (3) appropriate safeguards are in place for sending communications containing ePHI through the technology to prevent accidental or malicious breaches. Providers should be aware that the communication of ePHI via SMS text messaging, unencrypted or unsecured email, or Skype does not fulfill the requirements above unless a patient opts into communication through such channels. Thus, providers should review their practices with respect to communication through such channels before enforcement resumes.