Skip to site content

Risk Matters: Telehealth Regulatory Changes Coming Soon

The expiration of the COVID-19 national public health emergency on May 11, 2023 brought a number of changes in healthcare. Among those changes was a significant shift in telehealth regulatory compliance risk. In March 2020, the US Department of Health and Human Services Office for Civil Rights (OCR) announced that it was exercising enforcement discretion and waiving potential penalties related to HIPAA violations for the use of "everyday communications technologies" in telehealth during the pandemic. These common video communication applications included Apple FaceTime, Facebook Messenger video chat, and other popular video chat applications.

However, with the expiration of the public health emergency, OCR is ending its enforcement discretion and waiver period after a 90-day transition between May 12 and August 9, 2023.  Following this transition period, OCR may once again impose penalties for the use of communication technologies that are not HIPAA compliant.  To be compliant, the application should be encrypted, and developers must sign a business associate agreement.  For practices and providers still relying on OCR's enforcement discretion and waiver, now is the time to become compliant with the proper use of communication technology in telehealth.

OCR has issued guidance on this topic which may be accessed here.

Additionally, SVMIC has a number of resources on this topic for its policyholders which are available in your Vantage® portal.





About The Author

Justin Joy is an attorney with Lewis, Thomason, King, Krieg & Waldrop, P.C. He has a variety of experience in the area of information privacy and cybersecurity including security incident investigation, breach response management, security awareness training, HIPAA policy drafting, and cyber risk consulting. He also provides counsel in healthcare liability defense, telemedicine, and healthcare compliance matters. As Lewis Thomason’s chief privacy officer, Justin promotes an awareness of privacy and security-related issues for the firm. Justin has earned the Certified Information Privacy Professional/United States (CIPP/US) and Certified Information Privacy Technologist (CIPT) credentials through the International Association of Privacy Professionals (IAPP).

The contents of The Sentinel are intended for educational/informational purposes only and do not constitute legal advice. Policyholders are urged to consult with their personal attorney for legal advice, as specific legal requirements may vary from state to state and/or change over time.

Apply Today

Our team is here to answer any questions you might have or to help you fill out a quote application.

need help?

We're always just an email or phone call away.

contact us