Telehealth, Privacy, and the Three Little Pigs: A Year and a Half Later

In my July 23, 2020 blog post, I used the familiar characters in the beloved fable The Three Little Pigs to illustrate the importance of building a secure and compliant telehealth delivery system.  I explained that, despite the Office for Civil Rights’ (OCR) announcement of enforcement discretion during the public health emergency (PHE), healthcare providers should establish HIPAA-compliant telehealth delivery systems before enforcement discretion ended.  Because the PHE may soon be over, that message bears repeating.

On October 15, 2021, the Department of Health and Human Services (DHHS) extended the declaration of a PHE for another 90 days.  This is the seventh such extension since the PHE was originally declared.  In July of 2020, I was confident that DHHS would extend the PHE through the end of 2020 (thus also extending enforcement discretion).  That’s precisely why I wrote the blog post on telehealth when I did.  While the remaining five months of 2020 was not a lot of time to properly evaluate and implement a HIPAA-compliant telehealth delivery system, it was doable. 

The question now is whether DHHS will renew the PHE declaration again in early 2022.  No one knows for sure, but I have my doubts.  If the PHE is not extended, OCR’s enforcement discretion likely ends along with it.  And even if the PHE is extended for another 90 days, the likelihood of further renewal wanes with each extension.

What does this mean for healthcare providers that have been offering non-compliant telehealth services in reliance on OCR’s enforcement discretion?  It means that time is running out. 

As detailed in my July 2020 blog post, building a HIPAA-compliant telehealth delivery system requires a deliberative “construction” process.  It includes assessing the entire telehealth delivery experience with the same level of consideration given to the layout of a medical office space.  Further, providers will need to perform a security risk analysis of the telehealth platform, implement policies and procedures regarding telehealth delivery, engage in business associate agreements with telehealth vendors, and train staff and patients.

A year and a half ago, I advised that “[t]elehealth is here to stay, and enforcement discretion surely will not last forever.  Don’t be left scrambling to comply once DHHS and OCR resume enforcement.  Take the time to lay the necessary bricks now.  As we learned from the Three Little Pigs – hastily built structures will not last.”  

I repeat that message today with a bit more urgency than in the summer of 2020.  Bring on the bricks and mortar!