Skip to main content

All OCR Enforcement Waivers Expired; Are Your Telehealth Services HIPAA Compliant?

In a Report on Patient Privacy article, Members Dianne Bourque and Lara Compton shed light on the termination of HIPAA enforcement discretions post-COVID-19. The HHS Office for Civil Rights officially reinstated its authority over telehealth on August 9, necessitating a rapid reassessment of compliance for covered entities and business associates.

Dianne and Lara emphasized swift action, highlighting the need for vendor due diligence, security assessments, and employee training to ensure a seamless transition to HIPAA compliance. They cautioned against overlooking challenges posed by expedited onboarding of new vendors, especially in the telehealth context, stressing the need for thorough assessments to address potential compliance gaps.

They said, "The telehealth flexibilities that are being extended and made permanent aren't specific to HIPAA and thus do not change HIPAA compliance requirements. However, providers [can] take advantage of permanent telehealth flexibilities, such as the ongoing ability to use audio-only platforms for behavioral/mental healthcare. [If they do so, they still must] consider HIPAA compliance and ensure that services are provided in accordance with HIPAA privacy, security and other requirements on a going-forward basis."


Report on Patient Privacy