Health care providers must comply with the HIPAA rules with respect to telehealth effective Aug. 9 at 11:59 p.m., when the 90-day enforcement discretion period announced in April expires. The Department of Health and Human Services’ Office for Civil Rights implemented a HIPAA enforcement discretion policy for telehealth during the COVID-19 public health emergency, which ended May 11. This provided enforcement discretion to not impose penalties for HIPAA violations against covered health care providers in connection with their good faith provision of telehealth using non-public facing remote communications technologies during the PHE. Providers then had a 90-day transition period to come into compliance. OCR has also published guidance on how providers can use remote communications technologies for audio-only telehealth in compliance with HIPAA rules, including when the notice of enforcement discretion is no longer in effect.
The AHA advocated for temporary waivers of sanctions and penalties against hospitals that did not comply with elements of the HIPAA privacy rule, and waivers for the types of technologies that could be used to provide telehealth to include everyday communications technologies during the PHE. AHA has also urged Congress to make Medicare telehealth flexibilities granted during the PHE permanent for rural and other providers.