The Department of Health and Human Services (HHS) has scaled down HIPAA enforcement related to telehealth for as long as there is a declared public health emergency, but at some point things will return to normal. What should you do now to ensure that your behavioral telehealth platform is HIPAA compliant?
HIPAA Compliant Telehealth Platforms For Behavioral Health: HHS Giveth, but When Will They Take Away?
On March 15, 2020, U.S. states began shutting down in response to COVID-19. The Centers for Disease Control (CDC) reported a 154% increase in telehealth services during the last week of March 2020 over March 2019. As providers worked to deliver quality telehealth care for patients during the shutdown, they had to consider new options, some of which had a steep learning curve.
In recognition of the need, HHS issued guidance stating, “Covered health care providers will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”
When the public health emergency is rescinded, regular enforcement of HIPAA rules and regulations will return. Earlier this year, the American Medical Association sent a letter to the Director of HHS’s Office for Civil Rights (OCR), asking for a “one-year glide path to compliance, during which physicians and other affected parties shall not be subject to HIPAA audits and other HIPAA enforcement activity related to telemedicine.”
HHS Secretary Xavier Becerra told reporters in October that he would give 60 days’ notice to states, healthcare providers, and other stakeholders before lifting the public health emergency.