[Federal Register Volume 88, Number 71 (Thursday, April 13, 2023)]
[Rules and Regulations]
[Pages 22380-22382]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-07824]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164


Notice of Expiration of Certain Notifications of Enforcement 
Discretion Issued in Response to the COVID-19 Nationwide Public Health 
Emergency

AGENCY: Office for Civil Rights (OCR), Office of the Secretary, HHS.

ACTION: Expiration of Notifications of Enforcement Discretion and 
transition period for telehealth.

-----------------------------------------------------------------------

SUMMARY: This document is to inform the public that four Notifications 
of Enforcement Discretion (``Notifications'') issued by the U.S. 
Department of Health and Human Services (HHS), Office for Civil Rights 
(OCR) regarding how the Privacy, Security, and Breach Notification 
Rules (``HIPAA Rules'') promulgated under the Health Insurance 
Portability and Accountability Act of 1996 (HIPAA) and the Health 
Information Technology for Economic and Clinical Health (HITECH) Act 
will be applied to certain violations during the COVID-19 nationwide 
public health emergency (``COVID-19 PHE''), will expire upon expiration 
of the COVID-19 PHE, which is currently scheduled for 11:59 p.m. on May 
11, 2023. Accordingly, upon expiration of the COVID-19 PHE, the 
Notifications will not provide a basis for OCR to exercise enforcement 
discretion with respect to imposing penalties for violations of the 
HIPAA Rules. OCR will continue to exercise enforcement discretion 
consistent with the Notifications for violations of the HIPAA Rules 
that occurred during the period that each Notification was in effect. 
In addition, OCR is affording covered health care providers a 90-
calendar day transition period to come into compliance with the HIPAA 
Rules with respect to their provision of telehealth using non-public 
facing remote communication technologies.

DATES: The Notifications of Enforcement Discretion addressed in this 
document expire at 11:59 p.m. on May 11, 2023. The 90-calendar day 
transition period with respect to telehealth will expire at 11:59 p.m. 
on August 9, 2023.

FOR FURTHER INFORMATION CONTACT: Marissa Gordon-Nguyen at (202) 619-
0403 or (800) 537-7697 (TDD).

SUPPLEMENTARY INFORMATION: In 2020 and 2021, OCR issued four 
Notifications of Enforcement Discretion (``Notifications'') regarding 
how the Privacy, Security, Breach Notification, and Enforcement Rules 
(``HIPAA Rules'') promulgated under the Health Insurance Portability 
and Accountability Act of 1996 \1\ (HIPAA)

[[Page 22381]]

and the HITECH Act \2\ would be applied to certain violations during 
the COVID-19 PHE. OCR is informing the public that these Notifications, 
which were published in the Federal Register on April 7, 2020, April 
21, 2020, May 18, 2020, and February 24, 2021, expire upon expiration 
of the COVID-19 PHE, which is currently scheduled for 11:59 p.m. on May 
11, 2023. Accordingly, at that time, the Notifications will no longer 
provide a basis for the exercise of enforcement discretion in how OCR 
imposes penalties for violations of requirements under the HIPAA Rules. 
OCR will continue to exercise enforcement discretion consistent with 
the Notifications for violations of the HIPAA Rules that occurred 
during the period that each Notification was in effect. With respect to 
the Notification of Enforcement Discretion for Telehealth Remote 
Communications During the COVID-19 PHE issued on April 21, 2020, with 
an effective beginning date of March 17, 2020, covered health care 
providers will be afforded a 90-calendar day transition period until 
11:59 p.m. on August 9, 2023, to come into compliance with the HIPAA 
Rules in their provision of telehealth. During the transition period, 
OCR will continue to exercise its enforcement discretion and will not 
impose penalties on covered health care providers for noncompliance 
with the HIPAA Rules in connection with the good faith provision of 
telehealth.
---------------------------------------------------------------------------

    \1\ Subtitle F of title II of HIPAA (Pub. L. 104-191, 100 Stat. 
2548 (August 21, 1996)) added a new part C to title XI of the Social 
Security Act, Public Law 74-271, 49 Stat. 620 (August 14, 1935), 
(see sections 1171-1179 of the Social Security Act (codified at 42 
U.S.C. 1320d-1320d-8)). Due to the public health emergency posed by 
COVID-19, the HHS Office for Civil Rights (OCR) exercised its 
enforcement discretion under the conditions outlined in the four 
Notifications of Enforcement Discretion. OCR believes that this 
guidance is a statement of agency policy not subject to the notice 
and comment requirements of the Administrative Procedure Act (APA). 
5 U.S.C. 553(b)(3)(A). OCR additionally finds that, even if this 
guidance were subject to the public participation provisions of the 
APA, prior notice and comment for this guidance is impracticable, 
and there is good cause to issue this guidance without prior public 
comment and without a delayed effective date. 5 U.S.C. 553(b)(3)(B) 
and (d)(3).
    \2\ The HITECH Act was enacted as title XIII of division A and 
title IV of division B of the American Recovery and Reinvestment Act 
of 2009, Public Law 111-5, 123 Stat. 226 (February 17, 2009).
---------------------------------------------------------------------------

I. Background

    OCR is responsible for enforcing certain regulations issued under 
HIPAA and the HITECH Act to protect the privacy and security of 
protected health information (PHI), collectively known as the HIPAA 
Rules.
    During the COVID-19 nationwide public health emergency that the HHS 
Secretary declared under section 319 of the Public Health Service 
Act,\3\ OCR announced that it would exercise enforcement discretion to 
not impose penalties for violations of certain regulatory requirements 
under the HIPAA Rules by covered entities \4\ and their business 
associates \5\ (collectively, ``regulated entities''), to the extent 
specified in each of the four Notifications published in the Federal 
Register on April 7, 2020, April 21, 2020, May 18, 2020, and February 
24, 2021. OCR's enforcement discretion applied to specific obligations 
under the HIPAA Rules and permitted regulated entities, as applicable, 
the flexibility to respond effectively to the public health emergency.
---------------------------------------------------------------------------

    \3\ See Renewal of Determination That a Public Health Emergency 
Exists by the HHS Secretary (February 9, 2023), https://aspr.hhs.gov/legal/PHE/Pages/COVID19-9Feb2023.aspx.
    \4\ See 45 CFR 160.103 (definition of ``Covered entity'').
    \5\ See 45 CFR 160.103 (definition of ``Business associate'').
---------------------------------------------------------------------------

    The Notifications stated that they would remain in effect until the 
Secretary of HHS declared that the COVID-19 PHE no longer existed or 
upon the expiration date of the declared COVID-19 PHE, including any 
extensions,\6\ whichever occurred first. The HHS Secretary has 
announced that he does not plan to renew the COVID-19 PHE when it 
expires at 11:59 p.m. on May 11, 2023.\7\ Thus, assuming the PHE ends 
on that date, the Notifications will no longer be in effect as of May 
12, 2023.\8\
---------------------------------------------------------------------------

    \6\ As determined by 42 U.S.C. 247d.
    \7\ See HHS, Fact Sheet: COVID-19 Public Health Emergency 
Transition Roadmap (Feb. 9, 2023), https://www.hhs.gov/about/news/2023/02/09/fact-sheet-covid-19-public-health-emergency-transition-roadmap.html.
    \8\ The public health emergency determination is currently 
expected to end at 11:59 p.m. on May 11, 2023. See Renewal of 
Determination That a Public Health Emergency Exists by the HHS 
Secretary, supra note 4.
---------------------------------------------------------------------------

II. Notifications of Enforcement Discretion Effective and Ending Dates; 
Transition Period for Telehealth

    The effective and ending dates of each Notification are provided 
below. OCR will continue to exercise enforcement discretion consistent 
with the Notifications for violations of the HIPAA Rules that occurred 
during the period that each Notification was in effect.
    (1) Enforcement Discretion Under HIPAA To Allow Uses and 
Disclosures of Protected Health Information by Business Associates for 
Public Health and Health Oversight Activities in Response to COVID-
19.\9\ In this Notification, OCR announced that it would exercise its 
enforcement discretion to not impose penalties for violations of 
certain provisions of the HIPAA Privacy Rule by covered health care 
providers or their business associates for uses and disclosures of PHI 
by business associates for public health and health oversight 
activities. Specifically, the enforcement discretion covered Privacy 
Rule provisions 45 CFR 164.502(a)(3), 45 CFR 164.502(e)(2), 45 CFR 
164.504(e)(1) and (5) if certain parameters were met.
---------------------------------------------------------------------------

    \9\ 85 FR 19392 (April 7, 2020).
---------------------------------------------------------------------------

    This Notification has been in effect since April 7, 2020, and 
expires at 11:59 p.m. on May 11, 2023.
    (2) Enforcement Discretion Regarding COVID-19 Community-Based 
Testing Sites (CBTS) During the COVID-19 Nationwide Public Health 
Emergency.\10\ In this Notification, OCR announced that it would 
exercise its enforcement discretion to not impose penalties for 
noncompliance with the HIPAA Rules by covered health care providers, 
including some large pharmacy chains, and their business associates, in 
connection with the good faith participation in the operation of COVID-
19 specimen collection and testing sites (``Community-Based Testing 
Sites'' or CBTS). For purposes of this Notification, a CBTS includes 
mobile, drive-through, or walk-up sites that only provide COVID-19 
specimen collection or testing services to the public.
---------------------------------------------------------------------------

    \10\ 85 FR 29637 (May 18, 2020).
---------------------------------------------------------------------------

    This Notification has been in effect since March 13, 2020, and 
expires at 11:59 p.m. on May 11, 2023.
    (3) Enforcement Discretion Regarding Online or Web-Based Scheduling 
Applications for the Scheduling of Individual Appointments for COVID-19 
Vaccination During the COVID-19 Nationwide Public Health Emergency.\11\ 
In this Notification, OCR announced that it would exercise its 
enforcement discretion to not impose penalties for noncompliance with 
the HIPAA Rules by covered health care providers, including some large 
pharmacy chains and public health authorities,\12\ or their business 
associates, in connection with the good faith use of online or web-

[[Page 22382]]

based scheduling applications (collectively, WBSAs) for the limited 
purpose of scheduling individual appointments for COVID-19 
vaccinations. For purposes of this Notification, a WBSA is a non-public 
facing online or web-based application that provides scheduling of 
individual appointments for services in connection with large-scale 
COVID-19 vaccination.
---------------------------------------------------------------------------

    \11\ 86 FR 11139 (February 24, 2021).
    \12\ See 45 CFR 164.501 (definition of ``Public health 
authority''). The HIPAA Rules apply to a public health authority 
only if it is a HIPAA regulated entity. For example, a county health 
department that administers a health plan, or provides health care 
services for which it conducts standard electronic transactions 
(e.g., checking eligibility for coverage, billing insurance), is a 
HIPAA covered entity. A public health authority that does not meet 
the definition of a regulated entity is not subject to the HIPAA 
Rules. See also HHS HIPAA FAQ # 358, ``Are state, county or local 
health departments required to comply with the HIPAA Privacy Rule?'' 
https://www.hhs.gov/hipaa/for-professionals/faq/358/are-state-county-or-local-health-departments-required-to-comply-with-hipaa/index.html.
---------------------------------------------------------------------------

    This Notification has been in effect since December 11, 2020, and 
expires at 11:59 p.m. on May 11, 2023.
    (4) Notification of Enforcement Discretion for Telehealth Remote 
Communications During the COVID-19 Nationwide Public Health Emergency 
(``Telehealth Notification'').\13\ In this Notification, OCR announced 
that it would exercise its enforcement discretion and would not impose 
HIPAA penalties for noncompliance with the regulatory requirements 
under the HIPAA Rules in connection with the good faith provision of 
telehealth using a non-public facing remote communication technology. 
This exercise of discretion applied to telehealth provided for any 
reason, regardless of whether the telehealth service was related to the 
diagnosis and treatment of health conditions related to COVID-19.
---------------------------------------------------------------------------

    \13\ 85 FR 22024 (April 21, 2020).
---------------------------------------------------------------------------

    The Telehealth Notification has been in effect since March 17, 
2020, and expires at 11:59 p.m. on May 11, 2023; OCR is providing a 90-
calendar day transition period for covered health care providers to 
come into compliance with the HIPAA Rules with respect to their 
provision of telehealth. The transition period will be in effect 
beginning on May 12, 2023, and will expire at 11:59 p.m. on August 9, 
2023.
    During the 90-calendar day transition period, OCR will continue to 
exercise its enforcement discretion and will not impose penalties on 
covered health care providers for noncompliance with the HIPAA Rules in 
connection with the good faith provision of telehealth. These 
regulatory requirements remain the same as they were before the COVID-
19 PHE; however, OCR recognizes that regulated entities that began 
using remote communication technologies for telehealth for the first 
time during the COVID-19 PHE may need additional time to come into 
compliance. Therefore, covered health care providers may use this 
transition period, as necessary, to adjust their telehealth practices 
to come into compliance, such as by choosing a telehealth technology 
vendor that will enter into a business associate agreement and comply 
with applicable requirements of the HIPAA Rules. Covered entities may 
also review and update as necessary any policies and practices 
developed and implemented prior to the COVID-19 PHE for compliance with 
the HIPAA Rules. To assist covered entities, OCR has published FAQs and 
guidance on HIPAA and telehealth.\14\ OCR will provide additional 
guidance on telehealth remote communications to help covered health 
care providers come into compliance during this transition period.
---------------------------------------------------------------------------

    \14\ See HIPAA and Telehealth, U.S. Dep't of Health and Human 
Servs., https://www.hhs.gov/hipaa/for-professionals/special-topics/telehealth/index.html.
---------------------------------------------------------------------------

    OCR will no longer use the Telehealth Notification as a basis to 
exercise its discretion in enforcing the HIPAA Rules, as they apply to 
the provision of telehealth, for noncompliance that occurs after 11:59 
p.m. on August 9, 2023. Beginning on August 10, 2023, OCR will continue 
to exercise enforcement discretion consistent with the Telehealth 
Notification with respect to noncompliance that may occur during the 
90-calendar day transition period (i.e., noncompliance occurring from 
May 12, 2023, through August 9, 2023).

III. Collection of Information Requirements

    This announcement of the expiration of the Notifications of 
Enforcement Discretion creates no legal obligations and no legal 
rights. Because this notice imposes no information collection 
requirements, it need not be reviewed by the Office of Management and 
Budget under the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et 
seq.).

    Dated: April 7, 2023.
Melanie Fontes Rainer,
Director, Office for Civil Rights, U.S. Department of Health and Human 
Services.
[FR Doc. 2023-07824 Filed 4-11-23; 8:45 am]
BILLING CODE 4153-01-P