Telehealth, Privacy and The Three Little Pigs: The Final Episode

Written in collaboration with Melissa Chaplik, JD Candidate 2024

The COVID-19 Public Health Emergency (PHE) is ending on May 11, 2023, and so are HIPAA compliance flexibilities for telehealth. Here’s to hoping that the first two episodes of Telehealth, Privacy and The Three Little Pigs inspired action.  In the first episode, I warned:

Telehealth is here to stay, and enforcement discretion surely will not last forever.  Don’t be left scrambling to comply once DHHS and OCR resume enforcement.  Take the time to lay the necessary bricks now.  As we learned from the Three Little Pigs – hastily built structures will not last.

In the second episode, a year and a half later, I repeated that message “with a bit more urgency than in the summer of 2020.  Bring on the bricks and mortar!”  Time is almost up.

In March 2020, the Department of Health and Human Services (DHHS) and its Office for Civil Rights (OCR) announced that they would not impose penalties for HIPAA noncompliance related to telehealth delivery.  This move permitted healthcare providers to use common video conferencing or other communication platforms, like FaceTime, Zoom and Skype, to deliver telehealth services without assessing and addressing vulnerabilities or requiring platform vendors to sign business associate agreements.

At the time, enforcement discretion was critical for access to care.  Seemingly overnight, healthcare providers switched from in-person delivery to telehealth delivery using readily available tools and technology.  It simply was not possible to implement a HIPAA-compliant telehealth system, perform a risk analysis on the system and get necessary business associate agreements without interrupting care.

Ensuring Compliance

As detailed in Episode One, there are both HIPAA Privacy Rule and Security Rule compliance requirements.  I identified four key HIPAA compliance areas: (1) a security risk analysis; (2) policies and procedures; (3) business associate agreements; and (4) training.  Further, I emphasized the importance of using a deliberative construction process when building a telehealth delivery system to meet the provider’s specific needs.

Meeting HIPAA compliance obligations will take time, which is why I encouraged providers to begin this process before the end of the PHE. Fortunately, there is still time before the PHE’s end on May 11, 2023.  All providers should assess their telehealth systems as I described in Episode One and address any compliance gaps as quickly as possible.

Given the length of the PHE (over three years), OCR likely will have little sympathy for providers with telehealth systems that do not comply with HIPAA after May 11, 2023.