Post-PHE telehealth HIPAA enforcement begins in August; here's how practices can prepare
The Office for Civil Rights (OCR) announced that it will provide a 90-day transition period for physicians to move to HIPAA-compliant telehealth technologies after the COVID-19 public health emergency (PHE) ends May 11. This means OCR may start imposing penalties again on Aug. 10, after not doing so for certain HIPAA violations during the PHE-driven telehealth expansion.
When the COVID-19 public health emergency (PHE) expired May 11, many temporary policies initiated in response to the pandemic ceased or began to be phased out. This series intends to help practices weather the transition:
- Overview
- Medicaid continuous coverage "unwinding"
- Expiration of HIPAA enforcement discretion
- Telehealth
The transition period recognizes that physicians and other health care providers may need additional time to comply with HIPAA rules. Some might have to switch to a HIPAA-compliant telehealth vendor or revise policies to ensure compliance with HIPAA requirements. OCR also intends to provide additional guidance on telehealth remote communications during the transition period.
Here are three things practices can do today to prepare:
- Update your annual risk assessment documentation, and conduct a risk assessment of your telehealth program. There are several tools available from HealthIT.gov that can help, including the Security Risk Assessment Tool and Health IT Privacy and Security Resources for Providers. You can also contact your local Telehealth Resource Center with questions. (Note: An annual security risk assessment is a HIPAA requirement for all covered entities.)
- Verify that you are using a HIPAA-compliant telehealth platform that securely handles/transmits protected health information (PHI), and ensure you have a proper contract in place with any vendor that handles PHI. The U.S. Department of Health and Human Services (HHS) has additional information on business associate contracts for HIPAA-covered entities.
- Review your workflows and update practices that are not in line with HIPAA requirements, such as conducting telehealth visits on a mobile device. Audio-only encounters must be conducted using HIPAA-compliant technology. Services provided using a traditional landline are not subject to the HIPAA Security Rule because they do not electronically transmit information. However, phones that use electronic communication technologies, such as Voice over Internet Protocol (VoIP), are subject to HIPAA requirements. HHS also has more information about how HIPAA applies to audio-only telehealth.
— Erin Solis, AAFP Manager of Practice and Payment
Posted on May 2, 2023 by FPM Editors
Get "Quick Tips" in your inbox
Sign up to receive FPM's free, weekly e-newsletter, "Quick Tips & Insights," featuring practical, peer-reviewed advice for improving practice, enhancing the patient experience, and developing a rewarding career.
Other Blogs
- Getting Paid from FPM journal
- AFP Community Blog
- FPs on the Front Lines
- Fresh Perspectives
- In the Trenches
- Leader Voices
Disclaimer: The opinions and views expressed here are those of the authors and do not necessarily represent or reflect the opinions and views of the American Academy of Family Physicians. This blog is not intended to provide medical, financial, or legal advice. All comments are moderated and will be removed if they violate our Terms of Use.