Medicare Compliance & Reimbursement

HIPAA:

Say Goodbye to These 4 Enforcement Discretions

But: OCR offers one olive branch.

With the COVID public health emergency (PHE) coming to an end next month, you are likely already in action mode to prepare for all the regulatory changes. Some flexibilities will stay intact or have been extended, but most requirements and policies will revert to their pre-pandemic state — including relaxed HIPAA enforcement.

Background: During the heights of the pandemic, the HHS Office for Civil Rights (OCR) issued four separate Notifications of Enforcement Discretion, alleviating specific requirements related to HIPAA and HITECH. These regulatory flexibilities allowed covered healthcare providers to continue to care for patients while the COVID-19 PHE raged on.

On April 11, OCR reminded entities that the enforcement discretions the agency put in place in 2020 and 2021 will expire at 11:59 p.m. on May 11 when the PHE comes to a close.

“OCR exercised HIPAA enforcement discretion throughout the COVID-19 public health emergency to support the health care sector and the public in responding to this pandemic,” said OCR Director Melanie Fontes Rainer in a release. “OCR is continuing to support the use of telehealth after the public health emergency by providing a transition period for health care providers to make any changes to their operations that are needed to provide telehealth in a private and secure manner in compliance with the HIPAA Rules.”

Pocket These Details About the 4 Notifications

If you’re fuzzy on the different HIPAA-related flexibilities, it’s understandable. OCR issued them at different times and tweaked them after they went into effect. Here is a brief overview of the four Notifications of Enforcement Discretion slated to expire, according to OCR guidance:

1. Get ready for these changes for testing sites. OCR announced an enforcement discretion for COVID testing on April 9, 2020 with a retroactive start date of March 13, 2020. Under the notification, certain covered entities (CEs), business associates (BAs), and large pharmacy chains wouldn’t have penalties imposed for noncompliance with specific provisions of the HIPAA Rules when participating in the feds’ COVID-19 testing program. This specifically impacted providers, BAs, and pharmacies operating and testing patients at COVID-19 Community-Based Testing Sites (CBTS) across the nation. Find the details on this policy, which is set to expire on May 11, in the Federal Register at www.govinfo.gov/content/pkg/FR-2020-05-18/pdf/2020-09099.pdf.

2. Understand the telehealth updates — and transition option. On March 17, 2020, OCR announced an enforcement discretion for HIPAA related to the Centers for Medicare & Medicaid Services’ (CMS’) telehealth expansion. During the COVID PHE, OCR has opted to not impose penalties for HIPAA noncompliance “against covered healthcare providers in connection with the good faith provision of telehealth,” according to the provision. Under the enforcement discretion, the feds allowed providers to utilize non-public-facing technologies like FaceTime and Skype for telehealth visits without risk of penalty, but public-facing technologies like TikTok and Facebook Live were not allowed.

Olive branch: OCR plans to continue exercising its enforcement discretion for the telehealth provision over a transition period, the agency says. “OCR is providing a 90-calendar day transition period for covered health care providers to come into compliance with the HIPAA Rules with respect to their provision of telehealth.”

The transition period will start on May 12 and will end at 11:59 p.m. on Aug. 9. Review the original provision in the Federal Register at www.govinfo.gov/content/pkg/FR-2020-04-21/pdf/2020-08416.pdf.

3. Know the use and disclosure of PHI updates. During the heights of the pandemic, information exchange was critical to circumventing the spread of the virus. That prompted OCR to add an enforcement discretion on April 7, 2020, noting that it would not impose penalties on CEs and BAs for specific HIPAA Privacy Rule provisions when patients’ protected health information (PHI) was used or disclosed for PHE-related matters. This policy particularly promoted the sharing of data between CEs and CMS, the Centers for Disease Control and Prevention (CDC), and other state and local health agencies for public health reasons and pandemic oversight. See details on this enforcement discretion ending on May 11 in the Federal Register at www.govinfo.gov/content/pkg/FR-2020-04-07/pdf/2020-07268.pdf.

4. Here’s how vaccination scheduling changes. On Dec. 11, 2020, OCR announced another COVID-19 PHE-inspired enforcement discretion. This one allowed CEs to use web-based-scheduling applications (WBSAs) to schedule patients’ COVID vaccination appointments with vendors without OCR imposing penalties for HIPAA violations. This last provision expires on May 11 like the others and is available to peruse in the Federal Register at www.govinfo.gov/content/pkg/FR-2021-02-24/pdf/2021-03348.pdf.

Bottom line: With the PHE — and OCR’s enforcement discretions — ending in a matter of weeks, you should be updating your policies and procedures to align with pre-pandemic HIPAA compliance. You can find OCR’s explanation and overview of the expiration of these Notifications of Enforcement Discretion in the Federal Register at https://public-inspection.federalregister.gov/2023-07824.pdf.
