Notice of Expiration of Certain Notifications of Enforcement Discretion Issued in Response to the COVID-19 Nationwide Public Health Emergency

Billing Code: 4153-01-P
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Parts 160 and 164
Notice of Expiration of Certain Notifications of Enforcement Discretion Issued in Response
to the COVID-19 Nationwide Public Health Emergency
AGENCY: Office for Civil Rights (OCR), Office of the Secretary, HHS.
ACTION: Expiration of Notifications of Enforcement Discretion and transition period for
telehealth.
SUMMARY: This document is to inform the public that four Notifications of Enforcement
Discretion (“Notifications”) issued by the U.S. Department of Health and Human Services
(HHS), Office for Civil Rights (OCR) regarding how the Privacy, Security, and Breach
Notification Rules (“HIPAA Rules”) promulgated under the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and
Clinical Health (HITECH) Act will be applied to certain violations during the COVID-19
nationwide public health emergency (“COVID-19 PHE”), will expire upon expiration of the
COVID-19 PHE, which is currently scheduled for 11:59 p.m. on May 11, 2023. Accordingly,
upon expiration of the COVID-19 PHE, the Notifications will not provide a basis for OCR to
exercise enforcement discretion with respect to imposing penalties for violations of the HIPAA
Rules. OCR will continue to exercise enforcement discretion consistent with the Notifications for
violations of the HIPAA Rules that occurred during the period that each Notification was in
effect. In addition, OCR is affording covered health care providers a 90-calendar day transition
period to come into compliance with the HIPAA Rules with respect to their provision of
telehealth using non-public facing remote communication technologies.
This document is scheduled to be published in the
Federal Register on 04/13/2023 and available online at
federalregister.gov/d/2023-07824, and on govinfo.gov
DATES: The Notifications of Enforcement Discretion addressed in this document expire at
11:59 p.m. on May 11, 2023. The 90-calendar day transition period with respect to telehealth
will expire at 11:59 p.m. on August 9, 2023.
FOR FURTHER INFORMATION CONTACT: Marissa Gordon-Nguyen at (202) 619–0403
or (800) 537–7697 (TDD).
SUPPLEMENTARY INFORMATION: In 2020 and 2021, OCR issued four Notifications of
Enforcement Discretion (“Notifications”) regarding how the Privacy, Security, Breach
Notification, and Enforcement Rules (“HIPAA Rules”) promulgated under the Health Insurance
Portability and Accountability Act of 1996[1] (HIPAA) and the HITECH Act[2] would be applied to
certain violations during the COVID-19 PHE. OCR is informing the public that these
Notifications, which were published in the Federal Register on April 7, 2020, April 21, 2020,
May 18, 2020, and February 24, 2021, expire upon expiration of the COVID-19 PHE, which is
currently scheduled for 11:59 p.m. on May 11, 2023. Accordingly, at that time, the Notifications
will no longer provide a basis for the exercise of enforcement discretion in how OCR imposes
penalties for violations of requirements under the HIPAA Rules. OCR will continue to exercise
enforcement discretion consistent with the Notifications for violations of the HIPAA Rules that
occurred during the period that each Notification was in effect. With respect to the Notification
of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 PHE
issued on April 21, 2020, with an effective beginning date of March 17, 2020, covered health
care providers will be afforded a 90-calendar day transition period until 11:59 p.m. on August 9,
2023, to come into compliance with the HIPAA Rules in their provision of telehealth. During the
transition period, OCR will continue to exercise its enforcement discretion and will not impose
penalties on covered health care providers for noncompliance with the HIPAA Rules in
connection with the good faith provision of telehealth.
[1] Subtitle F of title II of HIPAA (Pub. L. 104-191, 100 Stat. 2548 (August 21, 1996)) added a new part C to title XI
of the Social Security Act, Pub. L. 74-271, 49 Stat. 620 (August 14, 1935), (see sections 1171-1179 of the Social
Security Act (codified at 42 U.S.C. 1320d-1320d-8)). Due to the public health emergency posed by COVID-19, the
HHS Office for Civil Rights (OCR) exercised its enforcement discretion under the conditions outlined in the four
Notifications of Enforcement Discretion. OCR believes that this guidance is a statement of agency policy not subject
to the notice and comment requirements of the Administrative Procedure Act (APA). 5 U.S.C. 553(b)(3)(A). OCR
additionally finds that, even if this guidance were subject to the public participation provisions of the APA, prior
notice and comment for this guidance is impracticable, and there is good cause to issue this guidance without prior
public comment and without a delayed effective date. 5 U.S.C. 553(b)(3)(B) and (d)(3).
[2] The HITECH Act was enacted as title XIII of division A and title IV of division B of the American Recovery and
Reinvestment Act of 2009, Pub. L. 111-5, 123 Stat. 226 (February 17, 2009).
I. Background
OCR is responsible for enforcing certain regulations issued under HIPAA and the
HITECH Act to protect the privacy and security of protected health information (PHI),
collectively known as the HIPAA Rules.
During the COVID-19 nationwide public health emergency that the HHS Secretary
declared under section 319 of the Public Health Service Act,[3] OCR announced that it would
exercise enforcement discretion to not impose penalties for violations of certain regulatory
requirements under the HIPAA Rules by covered entities[4] and their business associates[5]
(collectively, “regulated entities”), to the extent specified in each of the four Notifications
published in the Federal Register on April 7, 2020, April 21, 2020, May 18, 2020, and February
24, 2021. OCR’s enforcement discretion applied to specific obligations under the HIPAA Rules
and permitted regulated entities, as applicable, the flexibility to respond effectively to the public
health emergency.
The Notifications stated that they would remain in effect until the Secretary of HHS
declared that the COVID-19 PHE no longer existed or upon the expiration date of the declared
COVID-19 PHE, including any extensions,[6] whichever occurred first. The HHS Secretary has
announced that he does not plan to renew the COVID-19 PHE when it expires at 11:59 p.m. on
May 11, 2023.[7] Thus, assuming the PHE ends on that date, the Notifications will no longer be in
effect as of May 12, 2023.[8]
[3] See Renewal of Determination That a Public Health Emergency Exists by the HHS Secretary (February 9, 2023),
https://aspr.hhs.gov/legal/PHE/Pages/COVID19-9Feb2023.aspx.
[4] See 45 CFR 160.103 (definition of “Covered entity”).
[5] See 45 CFR 160.103 (definition of “Business associate”).
[6] As determined by 42 U.S.C. 247d.
II. Notifications of Enforcement Discretion Effective and Ending Dates; Transition Period
for Telehealth
The effective and ending dates of each Notification are provided below. OCR will
continue to exercise enforcement discretion consistent with the Notifications for violations of the
HIPAA Rules that occurred during the period that each Notification was in effect.
(1) Enforcement Discretion Under HIPAA To Allow Uses and Disclosures of Protected
Health Information by Business Associates for Public Health and Health Oversight Activities in
Response to COVID-19.[9] In this Notification, OCR announced that it would exercise its
enforcement discretion to not impose penalties for violations of certain provisions of the HIPAA
Privacy Rule by covered health care providers or their business associates for uses and
disclosures of PHI by business associates for public health and health oversight activities.
Specifically, the enforcement discretion covered Privacy Rule provisions 45 CFR 164.502(a)(3),
45 CFR 164.502(e)(2), 45 CFR 164.504(e)(1) and (5) if certain parameters were met.
This Notification has been in effect since April 7, 2020, and expires at 11:59 p.m. on May
11, 2023.
(2) Enforcement Discretion Regarding COVID-19 Community-Based Testing Sites
(CBTS) During the COVID-19 Nationwide Public Health Emergency.[10] In this Notification,
OCR announced that it would exercise its enforcement discretion to not impose penalties for
noncompliance with the HIPAA Rules by covered health care providers, including some large
pharmacy chains, and their business associates, in connection with the good faith participation in
the operation of COVID-19 specimen collection and testing sites (“Community-Based Testing
Sites” or CBTS). For purposes of this Notification, a CBTS includes mobile, drive-through, or
walk-up sites that only provide COVID-19 specimen collection or testing services to the public.
This Notification has been in effect since March 13, 2020, and expires at 11:59 p.m. on
May 11, 2023.
[7] See HHS, Fact Sheet: COVID-19 Public Health Emergency Transition Roadmap (Feb. 9, 2023),
https://www.hhs.gov/about/news/2023/02/09/fact-sheet-covid-19-public-health-emergency-transition-roadmap.html.
[8] The public health emergency determination is currently expected to end at 11:59 p.m. on May 11, 2023. See
Renewal of Determination That a Public Health Emergency Exists by the HHS Secretary, supra note 4.
[9] 85 FR 19392 (April 7, 2020).
[10] 85 FR 29637 (May 18, 2020).
(3) Enforcement Discretion Regarding Online or Web-Based Scheduling Applications for
the Scheduling of Individual Appointments for COVID-19 Vaccination During the COVID-19
Nationwide Public Health Emergency.[11] In this Notification, OCR announced that it would
exercise its enforcement discretion to not impose penalties for noncompliance with the HIPAA
Rules by covered health care providers, including some large pharmacy chains and public health
authorities,[12] or their business associates, in connection with the good faith use of online or
web-based scheduling applications (collectively, WBSAs) for the limited purpose of scheduling
individual appointments for COVID-19 vaccinations. For purposes of this Notification, a WBSA
is a non-public facing online or web-based application that provides scheduling of individual
appointments for services in connection with large-scale COVID-19 vaccination.
This Notification has been in effect since December 11, 2020, and expires at 11:59 p.m.
on May 11, 2023.
(4) Notification of Enforcement Discretion for Telehealth Remote Communications
During the COVID–19 Nationwide Public Health Emergency (“Telehealth Notification”).[13] In
this Notification, OCR announced that it would exercise its enforcement discretion and would
not impose HIPAA penalties for noncompliance with the regulatory requirements under the
HIPAA Rules in connection with the good faith provision of telehealth using a non-public facing
remote communication technology. This exercise of discretion applied to telehealth provided for
any reason, regardless of whether the telehealth service was related to the diagnosis and
treatment of health conditions related to COVID-19.
[11] 86 FR 11139 (February 24, 2021).
[12] See 45 CFR 164.501 (definition of “Public health authority”). The HIPAA Rules apply to a public health authority
only if it is a HIPAA regulated entity. For example, a county health department that administers a health plan, or
provides health care services for which it conducts standard electronic transactions (e.g., checking eligibility for
coverage, billing insurance), is a HIPAA covered entity. A public health authority that does not meet the definition
of a regulated entity is not subject to the HIPAA Rules. See also HHS HIPAA FAQ # 358, “Are state, county or
local health departments required to comply with the HIPAA Privacy Rule?”
https://www.hhs.gov/hipaa/for-professionals/faq/358/are-state-county-or-local-health-departments-required-to-comply-with-hipaa/index.html.
[13] 85 FR 22024 (April 21, 2020).
The Telehealth Notification has been in effect since March 17, 2020, and expires at 11:59
p.m. on May 11, 2023; OCR is providing a 90-calendar day transition period for covered health
care providers to come into compliance with the HIPAA Rules with respect to their provision of
telehealth. The transition period will be in effect beginning on May 12, 2023, and will expire at
11:59 p.m. on August 9, 2023.
During the 90-calendar day transition period, OCR will continue to exercise its
enforcement discretion and will not impose penalties on covered health care providers for
noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth.
These regulatory requirements remain the same as they were before the COVID-19 PHE;
however, OCR recognizes that regulated entities that began using remote communication
technologies for telehealth for the first time during the COVID-19 PHE may need additional time
to come into compliance. Therefore, covered health care providers may use this transition period,
as necessary, to adjust their telehealth practices to come into compliance, such as by choosing a
telehealth technology vendor that will enter into a business associate agreement and comply with
applicable requirements of the HIPAA Rules. Covered entities may also review and update as
necessary any policies and practices developed and implemented prior to the COVID-19 PHE for
compliance with the HIPAA Rules. To assist covered entities, OCR has published FAQs and
guidance on HIPAA and telehealth.[14] OCR will provide additional guidance on telehealth remote
communications to help covered health care providers come into compliance during this
transition period.
[14] See HIPAA and Telehealth, U.S. Dep’t of Health and Human Servs.,
https://www.hhs.gov/hipaa/for-professionals/special-topics/telehealth/index.html.
OCR will no longer use the Telehealth Notification as a basis to exercise its discretion in
enforcing the HIPAA Rules, as they apply to the provision of telehealth, for noncompliance that
occurs after 11:59 p.m. on August 9, 2023. Beginning on August 10, 2023, OCR will continue to
exercise enforcement discretion consistent with the Telehealth Notification with respect to
noncompliance that may occur during the 90-calendar day transition period (i.e., noncompliance
occurring from May 12, 2023, through August 9, 2023).
III. Collection of Information Requirements
This announcement of the expiration of the Notifications of Enforcement Discretion
creates no legal obligations and no legal rights. Because this notice imposes no information
collection requirements, it need not be reviewed by the Office of Management and Budget under
the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.).
Dated: April 7, 2023.
Melanie Fontes Rainer
Director, Office for Civil Rights, U.S. Department of Health and Human Services.
[FR Doc. 2023-07824 Filed: 4/11/2023 8:45 am; Publication Date: 4/13/2023]