April 18, 2023
Throughout the federal public health emergency (PHE), the Office of Civil Rights (OCR) has not imposed penalties for noncompliance with the regulatory requirements of the Health Insurance Portability and Accountability Act (HIPAA) rules for the good faith provision of telehealth services during the PHE. This period of enforcement discretion will end on May 11, 2023, when the PHE ends, and the HIPAA rules go back into full effect. However, OCR is providing a 90-calendar day transition period for HIPAA covered entities to come back into compliance with the HIPAA rules related to the provision of telehealth. The transition period will begin May 12, 2023, and will end August 9, 2023. OCR will not impose penalties during this transition period.
ASHA strongly advises that audiologists and SLPs who are covered entities and are using telehealth as a form of service delivery ensure they are complying with HIPAA standards as soon as possible, due to the possibility of serious consequences for noncompliance after August 9, 2023. The Department of Health and Human Services (HHS) provides more information about how OCR enforces the HIPAA rules and examples of cases where health care providers were found noncompliant.
OCR is the agency at HHS that enforces HIPAA law and regulations. During the federal PHE, OCR released several notifications alerting providers and consumers that they would suspend enforcement of certain key elements of the HIPAA law. Therefore, OCR would not punish a provider for violation of the HIPAA rules as long as they were delivering services in good faith during the PHE. HHS even offered information about what would constitute provision of services in bad faith. OCR announced the notification of enforcement discretion [PDF] related to telehealth services on March 17, 2020, which notified HIPAA covered entities that OCR would not impose penalties for noncompliance with the regulatory requirements of the HIPAA rules for telehealth services provided during the PHE.
For details about coming into HIPAA compliance, please see HHS’s HIPAA FAQs for Professionals. ASHA also provides information on what to expect at the end of the federal PHE. For questions, please contact ASHA’s health care and education policy team at firstname.lastname@example.org.