Well, we knew it might happen sometime.  We saw the silver lining of COVID-19 these past few years in the form of relaxed rules by the government to allow for the easier implementation and proliferation of telehealth to help with the pandemic.  

But on April 11, the U.S. Department of Health and Human Services and its Office for Civil Rights (OCR) announced that the previous notifications of relaxed HIPAA enforcement, which in part supported telehealth use during the pandemic, are being revoked on May 11 due to the expiration of the COVID-19 Public Health Emergency (PHE).

That means providers have 90 days (from May 12, 2023, to Aug. 9, 2023) to come back into compliance with all HIPAA rules despite the use of relaxed telehealth measures over the last three years. Let’s break this down a bit.

Previously, on March 17, 2020, OCR decided to affirmatively loosen HIPAA enforcement amidst the COVID-19 pandemic:

“We are empowering medical providers to serve patients wherever they are during this national public health emergency. We are especially concerned about reaching those most at risk, including older persons and persons with disabilities.”

That was from Roger Severino, OCR Director, in a March 17, 2020, news release, “OCR Announces Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency.”

Also on March 17, 2020, OCR/HHS announced and officially published its HIPAA enforcement discretion, effective March 17, 2020, waiving all potential penalties for HIPAA violations against covered entities that serve patients through telehealth communications technologies in an effort, presumably, to foster remote video communication products and telehealth services to patients during the COVID-19 pandemic. 

This waiver of penalties and sanctions applied to all covered entities, including nursing homes. That meant that skilled nursing facilities could have physicians (who were unwilling to come into a facility for fear of COVID-19) provide telehealth remotely at the resident’s bedside using modalities such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype. Gone was the need for ultra-secure, HIPAA-compliant telemedicine feeds that were a barrier to the proliferation of telemedicine in nursing homes in the past. Residents were able to use simple FaceTime and receive the care they needed at the bedside remotely.

Surprisingly, this OCR telehealth waiver applied not only to telehealth services provided to treat patients or residents related to COVID-19, but also to ALL telehealth provided by covered entities for any reason during the COVID-19 public health emergency.  So since that March 17, 2020, announcement, nursing homes and other covered entities have been free to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide PHE. This relaxation of rules was a boon to telehealth implementation, and patients and residents loved it, resulting in greater access and efficiency of care through telehealth over the pandemic.  

But all good things come to an end. Now, facilities have to ramp up and make sure their telehealth devices and modalities used during the pandemic are back up and fully secure and compliant with HIPAA.

That means unsecure video chats, video modalities, social media or FaceTime can no longer be utilized for purposes of telehealth unless they follow the strict HIPAA Privacy and Security Rules. And facilities have until Aug. 9, 2023, to get back in compliance.

This means that after Aug. 9, 2023, nursing homes will no longer be able to utilize unsecure iPads, smartphones or other technology for telehealth services unless they meet the stringent HIPAA patient privacy and security requirements. This will require nursing homes to evaluate their current telehealth modalities used in the facility, and review current uses of telehealth with vendors, physicians, hospitals and other providers.

Then facilities must update their agreements, policies and procedures, and software technology itself in order to ensure compliance with HIPAA Privacy and Security Rules. Providers are encouraged to start this process as soon as possible to avoid fines and penalties by OCR after Aug. 9. 

Neville M. Bilimoria is a partner in the Chicago office of the Health Law Practice Group and member of the Post-Acute Care And Senior Services Subgroup at Duane Morris LLP.

The opinions expressed in McKnight’s Long-Term Care News guest submissions are the author’s and are not necessarily those of McKnight’s Long-Term Care News or its editors.