A HIPAA enforcement discretion policy that gave covered healthcare providers temporary leniency in their use of telehealth ended Aug. 9 at 11:59 p.m.
HHS' Office for Civil Rights implemented the policy during the COVID-19 pandemic, and it protected healthcare providers from penalties for HIPAA violations when providing telehealth services, so long as they were making a genuine effort to protect patient information, according to an Aug. 9 report from the American Hospital Association.
The policy allowed providers to offer telehealth services through platforms that were not typically permitted under HIPAA. Providers were allowed to use platforms provided by vendors that did not have a signed business associate agreement ensuring the protection of patient data, according to an Aug. 10 report from The HIPAA Journal.
The policy expired on May 11, and providers were given a 90-day transition period. The transition period has officially ended, so healthcare providers now must make certain their telehealth services are provided through platforms that are entirely compliant with HIPAA rules to avoid financial penalties.
OCR has offered providers guidance on how to abide by HIPAA rules with the use of audio-only telehealth services. The AHA has advocated for flexibilities surrounding hospitals' abilities to comply with HIPAA privacy rules, specifically a permanent option for telehealth coverage under Medicare.