Pulmonology Coding Alert

Compliance:

Bid Farewell to Certain HIPAA Flexibilities

Enjoy telehealth discretion as a compromise.

You’re likely in action to prepare your practice for regulatory changes following the declared end of the COVID-19 public health emergency (PHE). While some flexibilities will remain or be extended, several policies and requirements are returning to their pre-pandemic status, such as HIPAA enforcement flexibilities.

Background: The HHS Office for Civil Rights (OCR) issued four separate Notifications of Enforcement Discretion during the peaks of the pandemic. These notifications relaxed specific requirements related to HIPAA and HITECH, which allowed covered healthcare providers to continue to deliver care for patients during the COVID PHE.

On April 11, OCR reminded entities that the enforcement discretions the agency put in place in 2020 and 2021 would expire at 11:59 p.m. on May 11 when the PHE came to a close.

“OCR exercised HIPAA enforcement discretion throughout the COVID-19 public health emergency to support the health care sector and the public in responding to this pandemic,” said OCR Director Melanie Fontes Rainer in a release. “OCR is continuing to support the use of telehealth after the public health emergency by providing a transition period for health care providers to make any changes to their operations that are needed to provide telehealth in a private and secure manner in compliance with the HIPAA Rules.”

Pocket These Details About the 4 Notifications

If you’re fuzzy on the different HIPAA-related flexibilities, it’s understandable. OCR issued them at different times and tweaked them after they went into effect. Here is a brief overview of the four Notifications of Enforcement Discretion slated to expire, according to OCR guidance:

1. Get ready for these changes for testing sites. OCR announced an enforcement discretion for COVID testing on April 9, 2020, with a retroactive start date of March 13, 2020. Under the notification, certain covered entities (CEs), business associates (BAs), and large pharmacy chains wouldn’t have penalties imposed for noncompliance with specific provisions of the HIPAA Rules when participating in the feds’ COVID-19 testing program. This specifically impacted providers, BAs, and pharmacies operating and testing patients at COVID-19 Community-Based Testing Sites (CBTS) across the nation. Find the details on this policy in the Federal Register, which was set to expire on May 11, at www.govinfo.gov/content/pkg/ FR-2020-05-18/pdf/2020-09099.pdf.

2. Understand the telehealth updates — and transition option. On March 17, 2020, OCR announced an enforcement discretion for HIPAA related to the Centers for Medicare & Medicaid Services’ (CMS’) telehealth expansion. During the COVID PHE, OCR has opted to not impose penalties for HIPAA noncompliance “against covered healthcare providers in connection with the good faith provision of telehealth,” according to the provision. Under the enforcement discretion, the feds allowed providers to utilize non-public-facing technologies like FaceTime and Skype for telehealth visits without risk of penalty, but public-facing technologies like TikTok and Facebook Live were not allowed.

Olive branch: OCR plans to continue exercising its enforcement discretion for the telehealth provision over a transition period, the agency says. “OCR is providing a 90-calendar day transition period for covered health care providers to come into compliance with the HIPAA Rules with respect to their provision of telehealth.”

The transition period started on May 12 and will end at 11:59 p.m. on Aug. 9. Review the original provision in the Federal Register at www.govinfo.gov/content/pkg/FR-2020-04-21/ pdf/2020-08416.pdf.

3. Know the use and disclosure of PHI updates. During the heights of the pandemic, information exchange was critical to circumventing the spread of the virus. That prompted OCR to add an enforcement discretion on April 7, 2020, noting that it would not impose penalties on CEs and BAs for specific HIPAA Privacy Rule provisions when patients’ protected health information (PHI) was used or disclosed for PHE-related matters. This policy particularly promoted the sharing of data between CEs and CMS, the Centers for Disease Control and Prevention (CDC), and other state and local health agencies for public health reasons and pandemic oversight. See details on this enforcement discretion that ended on May 11 in the Federal Register at www.govinfo.gov/content/pkg/FR-2020- 04-07/pdf/2020-07268.pdf.

4. Here’s how vaccination scheduling changes. On Dec. 11, 2020, OCR announced another COVID-19 PHE-inspired enforcement discretion. This one allowed CEs to use web-based-scheduling applications (WBSAs) to schedule patients’ COVID vaccination appointments with vendors without imposing penalties for HIPAA violations. This last provision expired on May 11 like the others and is available to peruse in the Federal Register at www.govinfo.gov/content/ pkg/FR-2021-02-24/pdf/2021-03348.pdf.

Bottom line: With the PHE — and OCR’s enforcement discretions — behind us, you should be updating your policies and procedures to align with pre-pandemic HIPAA compliance. You can find OCR’s explanation and overview of the expiration of these Notifications of Enforcement Discretion in the Federal Register at https://public-inspection.federalregister.gov/2023- 07824.pdf.