OCR’s COVID-19 Enforcement Discretions

Throughout the COVID-19 public health emergency that began in January 2020, the Office for Civil Rights (OCR) has issued several notifications of enforcement discretion covering certain aspects of the HIPAA rules. This means that, for the topics covered, OCR will not impose penalties for noncompliance with the HIPAA rules as long as the covered entity or business associate has made a good faith effort to comply. The Centers for Medicare &amp; Medicaid Services (CMS) has also relaxed some of its restrictions on provider reimbursement and benefit coverage during this time.

Public health emergencies must be reviewed, and can be renewed, every 90 days by the Secretary of the Department of Health and Human Services. The most recent renewal was on April 12, 2022, and the next renewal is due this month. The Biden Administration has said that states will be given 60 days' notice before any decision not to renew the emergency. Since no such notice has been given, the current emergency will likely be extended into October.

Many providers began using some form of telehealth or remote treatment when the pandemic began. The first enforcement discretion from OCR addressed the use of telehealth for remote patient encounters. Telehealth can be provided via audio, text message, or video conferencing. OCR stressed that providers must use a product that is non-public facing: a product that, by default, allows only the intended parties (typically the provider and the patient) to participate in the communication. Public-facing products, whose streams or posts are open to anyone, such as Facebook Live, TikTok, or Twitch, may not be used for telehealth.

Many EHRs and communication products, such as Doxy.me and Updox, were able to help providers get set up quickly and be compliant right away. However, some providers are still using a product that does not meet the HIPAA requirements, or whose vendor does not offer a business associate agreement (BAA).

If you choose a telehealth solution that is not offered through your EHR, make sure you choose a reputable software product. Reputable vendors are open about their security practices and often post information explaining them on their websites; at a minimum, confirm that the vendor will sign a BAA and that sessions and any stored messages or recordings are encrypted. If your EHR or practice management system is certified under the Office of the National Coordinator's (ONC) Health IT Certification Program, a telehealth service provided through that system must meet the same security requirements. In this situation, the EHR or practice management vendor is your business associate and is responsible for signing a subcontractor BAA with the telehealth vendor; your practice should still confirm that such an agreement is in place and that it covers the telehealth service you are using.

Now is the time to ensure that the telehealth product your practice is using meets the HIPAA Security Rule requirements and that your practice has a fully signed, valid BAA. Do not forget to make sure the correct security settings are enabled in the software, for example requiring a passcode or waiting room before a patient can join a session, restricting who can join, and disabling recording unless your practice has a documented reason for it. It is also a good time to set up privacy and administrative processes if you have not already. If you have, review them with your workforce to be sure they are being followed. Patients should sign a telehealth consent form, and telehealth visits should be conducted in a private setting, just like any other patient encounter.