Practices that perform telehealth services on platforms that are not HIPAA secure have a few hours to switch to a secure platform or stop performing real-time audio/visual telehealth services. The HHS Office for Civil Rights’ (OCR), enforcement discretion that allowed telehealth via certain platforms that don’t meet HIPAA’s strict standards is set to end at 11:59 p.m. on August 9 (
PBN Blog, 4/13/23).
The end of the enforcement discretion could catch some providers off guard. Many providers can perform telehealth services under waivers that went into effect during the COVID-19 public health emergency (PHE). For example, Congress extended several PHE waivers that expanded telehealth access for Medicare patients. The extensions allow providers to continue to perform hundreds of services by telehealth for Medicare patients in the U.S. regardless of where the patient is located (
PBN Blog, 5/11/23).
Congress did not extend the HIPAA enforcement discretion, which applies across the healthcare spectrum.
Providers should note that they can continue to perform telephone (audio-only) services for Medicare patients so long as they do not record or store any part of the call.
The security rule only applies when the practice or a third party retains electronic protected health information (ePHI). “If the service involves electronically creating, using or otherwise storing patient information for or on behalf of the provider, the HIPAA security rule would apply,” explained Sara Shanti, partner with Sheppard Mullin in Chicago (
PBN 4/24/23, subscription required).