The COVID Grace Period for HIPAA is Ending. Are You Ready?

Throughout the COVID-19 pandemic, the HHS Office for Civil Rights (OCR) exercised a degree of leniency when it came to imposing penalties for noncompliance with Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) rules. With the public health emergency (PHE) ending, all of that is about to change. Medical providers need to evaluate their practices immediately and ensure that they are complying with stricter rules.

COVID-19 Enforcement Discretions

Between 2020 and 2021, OCR published four Notifications of Enforcement Discretion that concerned how HIPAA and HITECH rules would be applied throughout the pandemic. The intention was to support the healthcare sector during the COVID-19 PHE.

The PHE officially ended on May 11, 2023, and the enforcement discretions expired along with it. Providers should take note of the changes.

Telehealth Services

OCR may penalize healthcare providers for noncompliance with HIPAA when administering telehealth services. During the PHE, providers were permitted to use nonpublic-facing, consumer communication tools like Zoom and Skype, though not public-facing services like Facebook Live and TikTok. OCR now expects providers to transition away from technologies like Zoom and adopt telehealth technology that complies with all HIPAA security and privacy standards.

OCR is allowing a 90-day transition period, ending August 9, so that healthcare providers can bring their telehealth practices in compliance with HIPAA rules. OCR said it would not impose penalties on providers for HIPAA violations during the transition period.

The Healthcare Practice Group at Akerman LLP noted that while there were few telehealth services that complied with the HIPAA Security Rule at the beginning of the PHE, there are now many vendors that do. As such, providers should evaluate how they are administering telehealth and ensure that any vendors they work with are HIPAA compliant.

COVID-19 Community-Based Testing Sites

OCR may begin enforcing penalties for HIPAA violations at community-based sites providing COVID-19 tests. With the enforcement discretion expiring, law firm Clark Hill advises providers to take steps to protect patient’s protected health information (PHI). Such measures include setting up barriers to conceal patients’ identities when being tested, prohibiting filming, and using secure technology for collecting and transmitting electronic PHI.

Uses and Disclosures of PHI by Business Associates

The OCR is prohibiting business associates from disclosing PHI to government agencies for public health purposes, as well as using PHI for analysis, unless exceptions are made within their business associate agreements.

Online Scheduling for COVID-19 Vaccination Appointments

When performing online scheduling for COVID-19 vaccination appointments, providers and their business associates must ensure that they are protecting patients’ PHI. Clark Hill noted that this includes:

• Using only the minimum amount of PHI needed
• Using encryption technology
• Enabling all available privacy settings
• Making certain that PHI storage is only temporary
• Ensuring that online applications do not disclose PHI in a way that is inconsistent with HIPAA
• Putting business associate agreements in place for any vendors that provide online scheduling applications.

Time for a Risk Assessment

According to compliance expert Danielle McKinley, also known as The HIPAA Chick, medical practices and business associates should make this transition a priority and ensure that they are fully complying with HIPAA and HITECH laws. “The best course of action is to complete a risk assessment and review to ensure the organization is meeting all requirements, especially if the organization utilizes telehealth solutions,” she said.

In a recent episode of The Modern Practice Podcast, Terry McDonald, Rectangle Health’s Director of Compliance Solutions, emphasized the importance of performing a HIPAA risk assessment. “It’s for your own benefit,” he said. “The idea of this assessment is to uncover any gaps or deficiencies you have in your compliance program… You have to do it every year, and the government wants you to do it so you can get ahead of any gaps that you have.”

Get started today with Rectangle Health’s Free Risk Assessment. Find out how well your practice adheres to HIPAA laws so you can make adjustments accordingly.

References

1. Gandle, L., Hodge, E.F.; and Cohen, J. (2023, Apr. 27). “All Good Things Must Come to an End: The Expiration of OCR’s Enforcement Discretion.” Health Law Rx. https://www.healthlawrx.com/2023/04/all-good-things-must-come-to-an-end-the-expiration-of-ocrs-enforcement-discretion/
2. Schmeltzer, P.F.; Howard, J.F. (2023, Apr. 28). “How Will the End of HIPAA Enforcement Discretion Affect Covered Entities When the Public Health Emergency Expires on May 11?” Clark Hill. https://www.clarkhill.com/news-events/news/how-will-the-end-of-hipaa-enforcement-discretion-affect-covered-entities-when-the-public-health-emergency-expires-on-may-11/

Andrew Deichler

Andrew Deichler is the Senior Content Manager for Rectangle Health's Marketing Team. An experienced multimedia communications professional and award-winning journalist, Andrew develops and produces a multitude of content, including blogs, case studies, eBooks, whitepapers, executive reports, videos, and more. Prior to joining Rectangle Health, Andrew served as the Content Manager for Kyriba's Strategic Marketing team. Other previous roles include Editor, Students and Emerging Professionals for SHRM, and Multimedia Content Manager for the Association for Financial Professionals.