Telehealth HIPAA Compliance Flexibilities Extended as the Public Health Emergency Ends

During the COVID-19 public health emergency (PHE), many federal telehealth rules were made flexible to accommodate the need for continued access to health care, including allowing covered health-care providers to provide telehealth services to patients through remote technologies that may not have fully complied with the requirements of the Health Information Portability and Accountability Act of 1996 (HIPAA), as amended, including its implementing regulations.

Since March 17, 2020, the Office for Civil Rights (OCR), the agency tasked with enforcing HIPAA, has exercised enforcement discretion to not impose penalties for such noncompliance. On May 11, 2023, OCR’s enforcement discretion expired, and the U.S. Department of Health and Human Services (HHS) released a fact sheet that details how OCR will continue to support the use of telehealth after the PHE by providing a 90-calendar-day transition period for covered health-care providers to make any changes to operations required to provide telehealth in compliance with HIPAA. Thus, compliance enforcement will not resume until after August 9, 2023.