05. 11. 23
Throughout the COVID-19 pandemic, the HHS Office for Civil Rights (OCR) exercised a degree of leniency when it came to imposing penalties for noncompliance with Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) rules. With the public health emergency (PHE) ending, all of that is about to change. Medical providers need to evaluate their practices immediately and ensure that they are complying with stricter rules.
Between 2020 and 2021, OCR published four Notifications of Enforcement Discretion that concerned how HIPAA and HITECH rules would be applied throughout the pandemic. The intention was to support the healthcare sector during the COVID-19 PHE.
The PHE officially ended on May 11, 2023, and the enforcement discretions expired along with it. Providers should take note of the changes.
OCR may penalize healthcare providers for noncompliance with HIPAA when administering telehealth services. During the PHE, providers were permitted to use nonpublic-facing, consumer communication tools like Zoom and Skype, though not public-facing services like Facebook Live and TikTok. OCR now expects providers to transition away from technologies like Zoom and adopt telehealth technology that complies with all HIPAA security and privacy standards.
OCR is allowing a 90-day transition period, ending August 9, so that healthcare providers can bring their telehealth practices in compliance with HIPAA rules. OCR said it would not impose penalties on providers for HIPAA violations during the transition period.
The Healthcare Practice Group at Akerman LLP noted that while there were few telehealth services that complied with the HIPAA Security Rule at the beginning of the PHE, there are now many vendors that do. As such, providers should evaluate how they are administering telehealth and ensure that any vendors they work with are HIPAA compliant.
OCR may begin enforcing penalties for HIPAA violations at community-based sites providing COVID-19 tests. With the enforcement discretion expiring, law firm Clark Hill advises providers to take steps to protect patient’s protected health information (PHI). Such measures include setting up barriers to conceal patients’ identities when being tested, prohibiting filming, and using secure technology for collecting and transmitting electronic PHI.
The OCR is prohibiting business associates from disclosing PHI to government agencies for public health purposes, as well as using PHI for analysis, unless exceptions are made within their business associate agreements.
When performing online scheduling for COVID-19 vaccination appointments, providers and their business associates must ensure that they are protecting patients’ PHI. Clark Hill noted that this includes:
According to compliance expert Danielle McKinley, also known as The HIPAA Chick, medical practices and business associates should make this transition a priority and ensure that they are fully complying with HIPAA and HITECH laws. “The best course of action is to complete a risk assessment and review to ensure the organization is meeting all requirements, especially if the organization utilizes telehealth solutions,” she said.
In a recent episode of The Modern Practice Podcast, Terry McDonald, Rectangle Health’s Director of Compliance Solutions, emphasized the importance of performing a HIPAA risk assessment. “It’s for your own benefit,” he said. “The idea of this assessment is to uncover any gaps or deficiencies you have in your compliance program… You have to do it every year, and the government wants you to do it so you can get ahead of any gaps that you have.”
Get started today with Rectangle Health’s Free Risk Assessment. Find out how well your practice adheres to HIPAA laws so you can make adjustments accordingly.