The expiration of the COVID-19 national public health emergency on May 11, 2023 brought a number of changes in healthcare. Among those changes was a significant shift in telehealth regulatory compliance risk. In March 2020, the US Department of Health and Human Services Office for Civil Rights (OCR) announced that it was exercising enforcement discretion and waiving potential penalties related to HIPAA violations for the use of "everyday communications technologies" in telehealth during the pandemic. These common video communication applications included Apple FaceTime, Facebook Messenger video chat, and other popular video chat applications.
However, with the expiration of the public health emergency, OCR is ending its enforcement discretion and waiver period after a 90-day transition between May 12 and August 9, 2023. Following this transition period, OCR may once again impose penalties for the use of communication technologies that are not HIPAA compliant. To be compliant, the application should be encrypted, and developers must sign a business associate agreement. For practices and providers still relying on OCR's enforcement discretion and waiver, now is the time to become compliant with the proper use of communication technology in telehealth.
OCR has issued guidance on this topic which may be accessed here.
Additionally, SVMIC has a number of resources on this topic for its policyholders which are available in your Vantage® portal.
Justin Joy is an attorney with Lewis, Thomason, King, Krieg & Waldrop, P.C. He has a variety of experience in the area of information privacy and cybersecurity including security incident investigation, breach response management, security awareness training, HIPAA policy drafting, and cyber risk consulting. He also provides counsel in healthcare liability defense, telemedicine, and healthcare compliance matters. As Lewis Thomason’s chief privacy officer, Justin promotes an awareness of privacy and security-related issues for the firm. Justin has earned the Certified Information Privacy Professional/United States (CIPP/US) and Certified Information Privacy Technologist (CIPT) credentials through the International Association of Privacy Professionals (IAPP).
We're always just an email or phone call away.contact us