Notice of Expiration of Certain Notifications of Enforcement Discretion Issued in Response to the COVID-19 Nationwide Public Health Emergency

Expiration of Notifications of Enforcement Discretion and transition period for telehealth.

CFR Part: "45 CFR Parts 160 and 164"

Citation: "88 FR 22380"

Page Number: "22380"

"Rules and Regulations"

Agency: "Office for Civil Rights (OCR), Office of the Secretary, HHS."

SUMMARY: This document is to inform the public that four Notifications of Enforcement Discretion ("Notifications") issued by the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) regarding how the Privacy, Security, and Breach Notification Rules ("HIPAA Rules") promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act will be applied to certain violations during the COVID-19 nationwide public health emergency ("COVID-19 PHE"), will expire upon expiration of the COVID-19 PHE, which is currently scheduled for 11:59 p.m. on May 11, 2023. Accordingly, upon expiration of the COVID-19 PHE, the Notifications will not provide a basis for OCR to exercise enforcement discretion with respect to imposing penalties for violations of the HIPAA Rules. OCR will continue to exercise enforcement discretion consistent with the Notifications for violations of the HIPAA Rules that occurred during the period that each Notification was in effect. In addition, OCR is affording covered health care providers a 90-calendar day transition period to come into compliance with the HIPAA Rules with respect to their provision of telehealth using non-public facing remote communication technologies.

   DATES: The Notifications of Enforcement Discretion addressed in this document expire at 11:59 p.m. on May 11, 2023. The 90-calendar day transition period with respect to telehealth will expire at 11:59 p.m. on August 9, 2023.

   FOR FURTHER INFORMATION CONTACT: Marissa Gordon-Nguyen at (202) 619-0403 or (800) 537-7697 (TDD).

   SUPPLEMENTARY INFORMATION: In 2020 and 2021, OCR issued four Notifications of Enforcement Discretion ("Notifications") regarding how the Privacy, Security, Breach Notification, and Enforcement Rules ("HIPAA Rules") promulgated under the Health Insurance Portability and Accountability Act of 1996 /1/ (HIPAA) and the HITECH Act /2/ would be applied to certain violations during the COVID-19 PHE. OCR is informing the public that these Notifications, which were published in the Federal Register on April 7, 2020, April 21, 2020, May 18, 2020, and February 24, 2021, expire upon expiration of the COVID-19 PHE, which is currently scheduled for 11:59 p.m. on May 11, 2023. Accordingly, at that time, the Notifications will no longer provide a basis for the exercise of enforcement discretion in how OCR imposes penalties for violations of requirements under the HIPAA Rules. OCR will continue to exercise enforcement discretion consistent with the Notifications for violations of the HIPAA Rules that occurred during the period that each Notification was in effect. With respect to the Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 PHE issued on April 21, 2020, with an effective beginning date of March 17, 2020, covered health care providers will be afforded a 90-calendar day transition period until 11:59 p.m. on August 9, 2023, to come into compliance with the HIPAA Rules in their provision of telehealth. During the transition period, OCR will continue to exercise its enforcement discretion and will not impose penalties on covered health care providers for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth.

   FOOTNOTE 1 Subtitle F of title II of HIPAA (Pub. L. 104-191, 100 Stat. 2548 (August 21, 1996)) added a new part C to title XI of the Social Security Act, Public Law 74-271, 49 Stat. 620 (August 14, 1935), (see sections 1171-1179 of the Social Security Act (codified at 42 U.S.C. 1320d-1320d-8)). Due to the public health emergency posed by COVID-19, the HHS Office for Civil Rights (OCR) exercised its enforcement discretion under the conditions outlined in the four Notifications of Enforcement Discretion. OCR believes that this guidance is a statement of agency policy not subject to the notice and comment requirements of the Administrative Procedure Act (APA). 5 U.S.C. 553(b)(3)(A). OCR additionally finds that, even if this guidance were subject to the public participation provisions of the APA, prior notice and comment for this guidance is impracticable, and there is good cause to issue this guidance without prior public comment and without a delayed effective date. 5 U.S.C. 553(b)(3)(B) and (d)(3). END FOOTNOTE

   FOOTNOTE 2 The HITECH Act was enacted as title XIII of division A and title IV of division B of the American Recovery and Reinvestment Act of 2009, Public Law 111-5, 123 Stat. 226 (February 17, 2009). END FOOTNOTE

I. Background

OCR is responsible for enforcing certain regulations issued under HIPAA and the HITECH Act to protect the privacy and security of protected health information (PHI), collectively known as the HIPAA Rules.

During the COVID-19 nationwide public health emergency that the HHS Secretary declared under section 319 of the Public Health Service Act, /3/ OCR announced that it would exercise enforcement discretion to not impose penalties for violations of certain regulatory requirements under the HIPAA Rules by covered entities /4/ and their business associates /5/ (collectively, "regulated entities"), to the extent specified in each of the four Notifications published in the Federal Register on April 7, 2020, April 21, 2020, May 18, 2020, and February 24, 2021. OCR's enforcement discretion applied to specific obligations under the HIPAA Rules and permitted regulated entities, as applicable, the flexibility to respond effectively to the public health emergency.

   FOOTNOTE 3 See Renewal of Determination That a Public Health Emergency Exists by the HHS Secretary (February 9, 2023), https://aspr.hhs.gov/legal/PHE/Pages/COVID19-9Feb2023.aspx. END FOOTNOTE

   FOOTNOTE 4 See 45 CFR 160.103 (definition of "Covered entity"). END FOOTNOTE

   FOOTNOTE 5 See 45 CFR 160.103 (definition of "Business associate"). END FOOTNOTE

The Notifications stated that they would remain in effect until the Secretary of HHS declared that the COVID-19 PHE no longer existed or upon the expiration date of the declared COVID-19 PHE, including any extensions, /6/ whichever occurred first. The HHS Secretary has announced that he does not plan to renew the COVID-19 PHE when it expires at 11:59 p.m. on May 11, 2023. /7/ Thus, assuming the PHE ends on that date, the Notifications will no longer be in effect as of May 12, 2023. /8/

   FOOTNOTE 6 As determined by 42 U.S.C. 247d. END FOOTNOTE

   FOOTNOTE 7 See HHS, Fact Sheet: COVID-19 Public Health Emergency Transition Roadmap (Feb. 9, 2023), https://www.hhs.gov/about/news/2023/02/09/fact-sheet-covid-19-public-health-emergency-transition-roadmap.html. END FOOTNOTE

   FOOTNOTE 8 The public health emergency determination is currently expected to end at 11:59 p.m. on May 11, 2023. See Renewal of Determination That a Public Health Emergency Exists by the HHS Secretary, supra note 4. END FOOTNOTE

II. Notifications of Enforcement Discretion Effective and Ending Dates; Transition Period for Telehealth

The effective and ending dates of each Notification are provided below. OCR will continue to exercise enforcement discretion consistent with the Notifications for violations of the HIPAA Rules that occurred during the period that each Notification was in effect.

(1) Enforcement Discretion Under HIPAA To Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19. /9/ In this Notification, OCR announced that it would exercise its enforcement discretion to not impose penalties for violations of certain provisions of the HIPAA Privacy Rule by covered health care providers or their business associates for uses and disclosures of PHI by business associates for public health and health oversight activities. Specifically, the enforcement discretion covered Privacy Rule provisions 45 CFR 164.502(a)(3), 45 CFR 164.502(e)(2), 45 CFR 164.504(e)(1) and (5) if certain parameters were met.

   FOOTNOTE 9 85 FR 19392 (April 7, 2020). END FOOTNOTE

This Notification has been in effect since April 7, 2020, and expires at 11:59 p.m. on May 11, 2023.

(2) Enforcement Discretion Regarding COVID-19 Community-Based Testing Sites (CBTS) During the COVID-19 Nationwide Public Health Emergency. /10/ In this Notification, OCR announced that it would exercise its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules by covered health care providers, including some large pharmacy chains, and their business associates, in connection with the good faith participation in the operation of COVID-19 specimen collection and testing sites ("Community-Based Testing Sites" or CBTS). For purposes of this Notification, a CBTS includes mobile, drive-through, or walk-up sites that only provide COVID-19 specimen collection or testing services to the public.

   FOOTNOTE 10 85 FR 29637 (May 18, 2020). END FOOTNOTE

This Notification has been in effect since March 13, 2020, and expires at 11:59 p.m. on May 11, 2023.

(3) Enforcement Discretion Regarding Online or Web-Based Scheduling Applications for the Scheduling of Individual Appointments for COVID-19 Vaccination During the COVID-19 Nationwide Public Health Emergency. /11/ In this Notification, OCR announced that it would exercise its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules by covered health care providers, including some large pharmacy chains and public health authorities, /12/ or their business associates, in connection with the good faith use of online or web-based scheduling applications (collectively, WBSAs) for the limited purpose of scheduling individual appointments for COVID-19 vaccinations. For purposes of this Notification, a WBSA is a non-public facing online or web-based application that provides scheduling of individual appointments for services in connection with large-scale COVID-19 vaccination.

   FOOTNOTE 11 86 FR 11139 (February 24, 2021). END FOOTNOTE

   FOOTNOTE 12 See 45 CFR 164.501 (definition of "Public health authority"). The HIPAA Rules apply to a public health authority only if it is a HIPAA regulated entity. For example, a county health department that administers a health plan, or provides health care services for which it conducts standard electronic transactions (e.g., checking eligibility for coverage, billing insurance), is a HIPAA covered entity. A public health authority that does not meet the definition of a regulated entity is not subject to the HIPAA Rules. See also HHS HIPAA FAQ # 358, "Are state, county or local health departments required to comply with the HIPAA Privacy Rule?" https://www.hhs.gov/hipaa/for-professionals/faq/358/are-state-county-or-local-health-departments-required-to-comply-with-hipaa/index.html. END FOOTNOTE

This Notification has been in effect since December 11, 2020, and expires at 11:59 p.m. on May 11, 2023.

(4) Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency ("Telehealth Notification"). /13/ In this Notification, OCR announced that it would exercise its enforcement discretion and would not impose HIPAA penalties for noncompliance with the regulatory requirements under the HIPAA Rules in connection with the good faith provision of telehealth using a non-public facing remote communication technology. This exercise of discretion applied to telehealth provided for any reason, regardless of whether the telehealth service was related to the diagnosis and treatment of health conditions related to COVID-19.

   FOOTNOTE 13 85 FR 22024 (April 21, 2020). END FOOTNOTE

The Telehealth Notification has been in effect since March 17, 2020, and expires at 11:59 p.m. on May 11, 2023; OCR is providing a 90-calendar day transition period for covered health care providers to come into compliance with the HIPAA Rules with respect to their provision of telehealth. The transition period will be in effect beginning on May 12, 2023, and will expire at 11:59 p.m. on August 9, 2023.

During the 90-calendar day transition period, OCR will continue to exercise its enforcement discretion and will not impose penalties on covered health care providers for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth. These regulatory requirements remain the same as they were before the COVID-19 PHE; however, OCR recognizes that regulated entities that began using remote communication technologies for telehealth for the first time during the COVID-19 PHE may need additional time to come into compliance. Therefore, covered health care providers may use this transition period, as necessary, to adjust their telehealth practices to come into compliance, such as by choosing a telehealth technology vendor that will enter into a business associate agreement and comply with applicable requirements of the HIPAA Rules. Covered entities may also review and update as necessary any policies and practices developed and implemented prior to the COVID-19 PHE for compliance with the HIPAA Rules. To assist covered entities, OCR has published FAQs and guidance on HIPAA and telehealth. /14/ OCR will provide additional guidance on telehealth remote communications to help covered health care providers come into compliance during this transition period.

   FOOTNOTE 14 See HIPAA and Telehealth, U.S. Dep't of Health and Human Servs., https://www.hhs.gov/hipaa/for-professionals/special-topics/telehealth/index.html. END FOOTNOTE

OCR will no longer use the Telehealth Notification as a basis to exercise its discretion in enforcing the HIPAA Rules, as they apply to the provision of telehealth, for noncompliance that occurs after 11:59 p.m. on August 9, 2023. Beginning on August 10, 2023, OCR will continue to exercise enforcement discretion consistent with the Telehealth Notification with respect to noncompliance that may occur during the 90-calendar day transition period (i.e., noncompliance occurring from May 12, 2023, through August 9, 2023).

III. Collection of Information Requirements

This announcement of the expiration of the Notifications of Enforcement Discretion creates no legal obligations and no legal rights. Because this notice imposes no information collection requirements, it need not be reviewed by the Office of Management and Budget under the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.).

   Dated: April 7, 2023.

Melanie Fontes Rainer,

Director, Office for Civil Rights, U.S. Department of Health and Human Services.

[FR Doc. 2023-07824 Filed 4-11-23; 8:45 am]

BILLING CODE 4153-01-P