That Enforcement Discretion for Telehealth remains in effect until OCR either declares the COVID-19 public health emergency (PHE) to be over or lets the PHE expire (the PHE is currently set to expire on July 15, 2022). If OCR does not extend the PHE or declare it over, the Notification of Enforcement Discretion for Telehealth will automatically be rescinded. Details of HIPAA guidelines for telehealth in a post-PHE world are provided below.
HHS Issues HIPAA Audio-Only Telehealth Guidance, But Why Now?
In December of 2021, President Biden issued Executive Order (EO)14058, with the hopeful title of “Executive Order on Transforming Federal Customer Experience and Service Delivery to Rebuild Trust in Government.” The EO aimed to improve public confidence that HIPAA covered entities are protecting the privacy and security of PHI.
Specifically, the EO directed the HHS Secretary to develop guidance for HIPAA-beholden entities on providing telehealth in compliance with HIPAA rules, following the end of the PHE, to improve patient experience and convenience. On June 13, HHS published the long-awaited guidance. *The HIPAA guidelines for telehealth addressed in the guidance should be reviewed by providers.
HIPAA Guidelines for Telehealth: What’s In The Guidance?
The HIPAA audio-only telehealth guidance addresses questions that HHS has received about whether, and in what circumstances, audio-only telehealth is permissible under the HIPAA Rules post-PHE.
In March 2020, when the COVID-19 pandemic began, HHS issued the above-mentioned Notification of Enforcement Discretion for Telehealth. This notification, designed to enable remote care during the pandemic, stated that OCR would exercise its enforcement discretion and not impose penalties on covered health care providers for noncompliance with specific rules.
What are those rules? The rules regarding non-public facing audio or video remote communication technologies.
The notification relaxed those rules to permit providers to use any available “non-public” facing remote communication technologies for telehealth, even where those technologies and how they were used, might not fully comply with the HIPAA Rules. However, once the PHE is over, the enforcement discretion is over. Meaning – providers will have to comply with HIPAA telehealth requirements as they did before the PHE.