HIPAA Enforcement Discretion Ends When Public Health Emergency Expires on May 11

April 19, 2023



The Department of Health and Human Services’ Office for Civil Rights (OCR) announced the expiration of its enforcement discretion related to compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), due to the end of the COVID-19 public health emergency (PHE).

During the PHE, OCR issued four Notifications of Enforcement Discretion describing how it would exercise HIPAA enforcement discretion to give healthcare providers flexibility while delivering services. OCR's enforcement discretion will expire at 11:59 p.m. on May 11, 2023, with the expiration of the PHE.

Although HIPAA still applied during the PHE, OCR allowed compliance with HIPAA to be relaxed in certain contexts to facilitate the delivery of patient care. The OCR’s four Notifications provided for enforcement discretion for telehealth services, community-based testing sites, uses and disclosures by business associates, and online scheduling of individual appointments for COVID-19 vaccinations.

To best support the healthcare industry after the PHE, OCR is allowing a 90-day transition period for telehealth services to be provided in full compliance with HIPAA, but this 90-day transition period does not apply to the three other Notifications. This transition period for telehealth will commence May 12, 2023, and expire at 11:59 p.m. on Aug. 9, 2023. For the other three Notifications, the relaxed enforcement will expire May 11, 2023.

1. OCR Enforcement Discretion Regarding Telehealth

On March 17, 2020, OCR issued a Notification announcing that it would exercise enforcement discretion with respect to telehealth services offered during the PHE. Under this Notification, OCR would not impose penalties for noncompliance with HIPAA’s regulatory requirements, provided that the noncompliance was in connection with the good-faith provision of telehealth services using a nonpublic-facing remote communication technology.

The OCR had recognized that some of the remote communication technologies used by providers might not fully comply with HIPAA. Without endorsing a particular vendor, OCR explained that providers must use nonpublic-facing audio and video technologies such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video or Skype, but providers should not use public-facing technologies such as Facebook Live, Twitch or TikTok (as these are not private and are widely shared). A discussion of this prior Notification is available in a previous McGuireWoods article.

While the PHE will end at 11:59 p.m. on May 11, 2023, the OCR will provide a 90-day transition period to allow providers additional time to come into compliance with HIPAA regarding telehealth services. During this transition period, OCR's enforcement discretion will continue, and OCR will not impose penalties for HIPAA noncompliance related to the good-faith provision of telehealth services. The OCR expects providers to use this transition period to choose and implement HIPAA-compliant telehealth technology. The OCR has provided certain guidance on HIPAA and audio-only telehealth that is applicable during the PHE and when the Notification is no longer in effect.

2. OCR Enforcement Discretion Regarding COVID-19 Community-Based Testing Sites

Additionally, in connection with the good-faith operation of community-based testing sites, on April 9, 2020, OCR issued a Notification stating that it would exercise enforcement discretion and would not impose penalties for HIPAA noncompliance. For this Notification, community-based testing sites include mobile, drive-through and walk-up sites providing COVID-19 testing. A discussion of this prior Notification is available in a previous McGuireWoods article.

This Notification will expire with the end of the PHE at 11:59 p.m. on May 11, 2023.

3. OCR Enforcement Discretion for Business Associates

On April 2, 2020, OCR issued a Notification announcing its exercise of enforcement discretion with respect to the Privacy Rule as it relates to the use and disclosure of protected health information (PHI) by business associates in order to aid federal and state health authorities and oversight agencies in addressing the COVID-19 crisis.

The HIPAA Privacy Rule permits a business associate to use and disclose PHI for public health and oversight purposes only if permitted under the business associate agreement with the covered entity. Under this Notification, OCR relaxed its enforcement against business associates for the use and disclosure of PHI even if not provided for in the business associate agreement, provided that (1) the business associate’s use or disclosure of PHI was in good faith and was made for public health activities or health oversight activities, and (2) the business associate notified the covered entity within 10 days of the use or disclosure of PHI. A discussion of this prior Notification is available in a previous McGuireWoods article.

This Notification will expire with the end of the PHE at 11:59 p.m. on May 11, 2023.

4. OCR Enforcement Discretion for Online Scheduling Applications for COVID-19 Vaccinations

Finally, OCR issued a Notification to inform the public of its exercise of enforcement discretion regarding online or web-based scheduling applications (WBSAs) used for scheduling COVID-19 vaccinations. For the purposes of the Notification, a WBSA is a nonpublic-facing online or web-based application that provides scheduling of individual appointments for services in connection with large-scale COVID-19 vaccination. A WBSA does not include an appointment scheduling technology that connects directly to electronic health records systems used by covered entities. This enforcement discretion applied so long as WBSAs were used in good faith during the PHE.

This Notification will expire with the end of the PHE at 11:59 p.m. on May 11, 2023.

Please contact the authors for additional guidance on how the end of the public health emergency will affect the delivery of patient care and related rules. 

