On August 9, 2023, at 11:59 pm, the designated timeframe for ensuring that telehealth services adhere to full HIPAA compliance concluded. Healthcare providers are now obligated to guarantee that their telehealth services are conducted through platforms that completely adhere to the regulations outlined in the HIPAA Rules.
The leniency policy for enforcing telehealth regulations was initially put into motion in response to the COVID-19 pandemic. The Office for Civil Rights (OCR) made it known that it would refrain from imposing penalties and sanctions for violations of HIPAA in connection with the sincere provision of telehealth services. This applied as long as non-public facing remote communication technologies were employed for delivering these services. This essentially allowed the use of communication platforms that wouldn’t typically align with HIPAA requirements. Such platforms could include those offered by vendors who didn’t commit to business associate agreements for their products.
This period of leniency remained in effect throughout the duration of the COVID-19 Public Health Emergency (PHE). However, once the PHE concluded, OCR announced a 90-day transitional phase. This period was designed to grant healthcare providers the time needed to ensure that their communication tools were brought in line with HIPAA regulations or to switch to alternative communication tools that fully met HIPAA requirements. With the expiration of both the leniency period and the transitional phase, healthcare providers are now strictly required to utilize communication tools that are fully compliant with HIPAA regulations for delivering telehealth services. Failure to do so could result in financial penalties.
OCR has issued comprehensive guidance to assist healthcare providers in offering audio-only telehealth services while ensuring adherence to the HIPAA Rules. This guidance contains responses to frequently raised inquiries about HIPAA and telehealth and can be accessed on the official HHS website.