Notice of Expiration of Certain Notifications of Enforcement Discretion Issued in Response to the COVID-19 Nationwide Public Health Emergency, 22380-22382 [2023-07824]
Download as PDF
22380
Federal Register / Vol. 88, No. 71 / Thursday, April 13, 2023 / Rules and Regulations
AIRAC date
City
Airport
MA
MA
MA
MA
MA
WI
New Bedford ..................
New Bedford ..................
New Bedford ..................
New Bedford ..................
New Bedford ..................
Chetek ...........................
New Bedford Rgnl .........
New Bedford Rgnl .........
New Bedford Rgnl .........
New Bedford Rgnl .........
New Bedford Rgnl .........
Chetek Muni/Southworth
3/5769
3/5770
3/5771
3/5772
3/5773
3/7769
3/3/23
3/3/23
3/3/23
3/3/23
3/3/23
2/22/23
20–Apr–23 .........
MI
Saginaw .........................
3/7825
2/22/23
20–Apr–23 .........
PA
State College .................
Saginaw County/H W
Browne.
University Park ..............
ILS OR LOC RWY 5, Amdt 26A.
LOC BC RWY 23, Amdt 13.
RNAV (GPS) RWY 23, Amdt 1.
RNAV (GPS) RWY 5, Amdt 1C.
RNAV (GPS) RWY 14, Orig-D.
Takeoff Minimums and Obstacle
DP, Orig-A.
RNAV (GPS) RWY 10, Amdt 1A.
3/9474
2/27/23
ILS OR LOC RWY 24, Amdt 9D.
20–Apr–23
20–Apr–23
20–Apr–23
20–Apr–23
20–Apr–23
20–Apr–23
State
.........
.........
.........
.........
.........
.........
[FR Doc. 2023–07633 Filed 4–12–23; 8:45 am]
BILLING CODE 4910–13–P
DEPARTMENT OF HOMELAND
SECURITY
Coast Guard
33 CFR Part 165
[Docket No. USCG–2023–0180]
Safety Zone; Fireworks Display;
Chesapeake Bay, Norfolk, VA
Coast Guard, Department of
Homeland Security (DHS).
ACTION: Notification of enforcement of
regulation.
AGENCY:
The Coast Guard will enforce
a safety zone for the Shore Thing
Independence Day Celebration on June
30, 2023, in Virginia Beach, VA, to
protect against hazards associated with
a fireworks display and provide for the
safety of life on navigable waterways
during this event. Our regulation for
marine events within the Fifth Coast
Guard District identifies the regulated
area for this event in Norfolk, VA.
During the enforcement period, entry of
vessels or persons into this zone is
prohibited unless specifically
authorized by the Captain of the Port
Virginia.
SUMMARY:
The regulations in 33 CFR
165.506 will be enforced for the location
identified as Item 3 in table 3 to
paragraph (h)(3) from 9:30 p.m. until
9:45 p.m. on June 30, 2023.
FOR FURTHER INFORMATION CONTACT: If
you have questions about this
notification of enforcement, call or
email LCDR Ashley Holm, Chief,
Waterways Management Division,
Sector Virginia, U.S. Coast Guard;
telephone 757–668–5580 email
Ashley.E.Holm@uscg.mil.
SUPPLEMENTARY INFORMATION: The Coast
Guard will enforce the safety zone in 33
CFR 165.506 for Shore Thing
Independence Day Celebration regulated
area from 9:30 p.m. to 9:45 p.m. on June
FDC No.
30, 2023. This action is being taken to
provide for the safety of life on
navigable waterways during this event,
which will feature live fireworks. Our
regulation for marine events within the
Fifth Coast Guard District, § 165.506,
specifies the location of the regulated
area for the Shore Thing Independence
Day Celebration, which encompasses
portions of the Chesapeake Bay located
near Ocean View Fishing Pier. During
the enforcement period, neither persons
nor vessels may enter, remain in, or
transit through the safety zone unless
specifically authorized by the Captain of
the Port Virginia.
In addition to this notification of
enforcement in the Federal Register, the
Coast Guard plans to provide
notification of this enforcement period
via the Local Notice to Mariners and
marine information broadcasts.
Dated: March 16, 2023.
Jennifer A. Stockwell,
Captain, U.S. Coast Guard, Captain of the
Port Virginia.
[FR Doc. 2023–07749 Filed 4–12–23; 8:45 am]
BILLING CODE 9110–04–P
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Office of the Secretary
45 CFR Parts 160 and 164
lotter on DSK11XQN23PROD with RULES1
DATES:
VerDate Sep<11>2014
15:58 Apr 12, 2023
Jkt 259001
Notice of Expiration of Certain
Notifications of Enforcement
Discretion Issued in Response to the
COVID–19 Nationwide Public Health
Emergency
Office for Civil Rights (OCR),
Office of the Secretary, HHS.
ACTION: Expiration of Notifications of
Enforcement Discretion and transition
period for telehealth.
AGENCY:
This document is to inform
the public that four Notifications of
Enforcement Discretion
(‘‘Notifications’’) issued by the U.S.
Department of Health and Human
Services (HHS), Office for Civil Rights
FDC Date
Subject
(OCR) regarding how the Privacy,
Security, and Breach Notification Rules
(‘‘HIPAA Rules’’) promulgated under
the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) and
the Health Information Technology for
Economic and Clinical Health (HITECH)
Act will be applied to certain violations
during the COVID–19 nationwide public
health emergency (‘‘COVID–19 PHE’’),
will expire upon expiration of the
COVID–19 PHE, which is currently
scheduled for 11:59 p.m. on May 11,
2023. Accordingly, upon expiration of
the COVID–19 PHE, the Notifications
will not provide a basis for OCR to
exercise enforcement discretion with
respect to imposing penalties for
violations of the HIPAA Rules. OCR will
continue to exercise enforcement
discretion consistent with the
Notifications for violations of the
HIPAA Rules that occurred during the
period that each Notification was in
effect. In addition, OCR is affording
covered health care providers a 90calendar day transition period to come
into compliance with the HIPAA Rules
with respect to their provision of
telehealth using non-public facing
remote communication technologies.
DATES: The Notifications of Enforcement
Discretion addressed in this document
expire at 11:59 p.m. on May 11, 2023.
The 90-calendar day transition period
with respect to telehealth will expire at
11:59 p.m. on August 9, 2023.
FOR FURTHER INFORMATION CONTACT:
Marissa Gordon-Nguyen at (202) 619–
0403 or (800) 537–7697 (TDD).
SUPPLEMENTARY INFORMATION: In 2020
and 2021, OCR issued four Notifications
of Enforcement Discretion
(‘‘Notifications’’) regarding how the
Privacy, Security, Breach Notification,
and Enforcement Rules (‘‘HIPAA
Rules’’) promulgated under the Health
Insurance Portability and
Accountability Act of 1996 1 (HIPAA)
SUMMARY:
PO 00000
Frm 00026
Fmt 4700
Sfmt 4700
1 Subtitle F of title II of HIPAA (Pub. L. 104–191,
100 Stat. 2548 (August 21, 1996)) added a new part
C to title XI of the Social Security Act, Public Law
74–271, 49 Stat. 620 (August 14, 1935), (see sections
1171–1179 of the Social Security Act (codified at
42 U.S.C. 1320d–1320d–8)). Due to the public
E:\FR\FM\13APR1.SGM
13APR1
Federal Register / Vol. 88, No. 71 / Thursday, April 13, 2023 / Rules and Regulations
and the HITECH Act 2 would be applied
to certain violations during the COVID–
19 PHE. OCR is informing the public
that these Notifications, which were
published in the Federal Register on
April 7, 2020, April 21, 2020, May 18,
2020, and February 24, 2021, expire
upon expiration of the COVID–19 PHE,
which is currently scheduled for 11:59
p.m. on May 11, 2023. Accordingly, at
that time, the Notifications will no
longer provide a basis for the exercise of
enforcement discretion in how OCR
imposes penalties for violations of
requirements under the HIPAA Rules.
OCR will continue to exercise
enforcement discretion consistent with
the Notifications for violations of the
HIPAA Rules that occurred during the
period that each Notification was in
effect. With respect to the Notification
of Enforcement Discretion for
Telehealth Remote Communications
During the COVID–19 PHE issued on
April 21, 2020, with an effective
beginning date of March 17, 2020,
covered health care providers will be
afforded a 90-calendar day transition
period until 11:59 p.m. on August 9,
2023, to come into compliance with the
HIPAA Rules in their provision of
telehealth. During the transition period,
OCR will continue to exercise its
enforcement discretion and will not
impose penalties on covered health care
providers for noncompliance with the
HIPAA Rules in connection with the
good faith provision of telehealth.
lotter on DSK11XQN23PROD with RULES1
I. Background
OCR is responsible for enforcing
certain regulations issued under HIPAA
and the HITECH Act to protect the
privacy and security of protected health
information (PHI), collectively known as
the HIPAA Rules.
During the COVID–19 nationwide
public health emergency that the HHS
Secretary declared under section 319 of
the Public Health Service Act,3 OCR
health emergency posed by COVID–19, the HHS
Office for Civil Rights (OCR) exercised its
enforcement discretion under the conditions
outlined in the four Notifications of Enforcement
Discretion. OCR believes that this guidance is a
statement of agency policy not subject to the notice
and comment requirements of the Administrative
Procedure Act (APA). 5 U.S.C. 553(b)(3)(A). OCR
additionally finds that, even if this guidance were
subject to the public participation provisions of the
APA, prior notice and comment for this guidance
is impracticable, and there is good cause to issue
this guidance without prior public comment and
without a delayed effective date. 5 U.S.C.
553(b)(3)(B) and (d)(3).
2 The HITECH Act was enacted as title XIII of
division A and title IV of division B of the
American Recovery and Reinvestment Act of 2009,
Public Law 111–5, 123 Stat. 226 (February 17,
2009).
3 See Renewal of Determination That a Public
Health Emergency Exists by the HHS Secretary
VerDate Sep<11>2014
15:58 Apr 12, 2023
Jkt 259001
announced that it would exercise
enforcement discretion to not impose
penalties for violations of certain
regulatory requirements under the
HIPAA Rules by covered entities 4 and
their business associates 5 (collectively,
‘‘regulated entities’’), to the extent
specified in each of the four
Notifications published in the Federal
Register on April 7, 2020, April 21,
2020, May 18, 2020, and February 24,
2021. OCR’s enforcement discretion
applied to specific obligations under the
HIPAA Rules and permitted regulated
entities, as applicable, the flexibility to
respond effectively to the public health
emergency.
The Notifications stated that they
would remain in effect until the
Secretary of HHS declared that the
COVID–19 PHE no longer existed or
upon the expiration date of the declared
COVID–19 PHE, including any
extensions,6 whichever occurred first.
The HHS Secretary has announced that
he does not plan to renew the COVID–
19 PHE when it expires at 11:59 p.m. on
May 11, 2023.7 Thus, assuming the PHE
ends on that date, the Notifications will
no longer be in effect as of May 12,
2023.8
II. Notifications of Enforcement
Discretion Effective and Ending Dates;
Transition Period for Telehealth
The effective and ending dates of each
Notification are provided below. OCR
will continue to exercise enforcement
discretion consistent with the
Notifications for violations of the
HIPAA Rules that occurred during the
period that each Notification was in
effect.
(1) Enforcement Discretion Under
HIPAA To Allow Uses and Disclosures
of Protected Health Information by
Business Associates for Public Health
and Health Oversight Activities in
Response to COVID–19.9 In this
Notification, OCR announced that it
would exercise its enforcement
discretion to not impose penalties for
violations of certain provisions of the
(February 9, 2023), https://aspr.hhs.gov/legal/PHE/
Pages/COVID19-9Feb2023.aspx.
4 See 45 CFR 160.103 (definition of ‘‘Covered
entity’’).
5 See 45 CFR 160.103 (definition of ‘‘Business
associate’’).
6 As determined by 42 U.S.C. 247d.
7 See HHS, Fact Sheet: COVID–19 Public Health
Emergency Transition Roadmap (Feb. 9, 2023),
https://www.hhs.gov/about/news/2023/02/09/factsheet-covid-19-public-health-emergency-transitionroadmap.html.
8 The public health emergency determination is
currently expected to end at 11:59 p.m. on May 11,
2023. See Renewal of Determination That a Public
Health Emergency Exists by the HHS Secretary,
supra note 4.
9 85 FR 19392 (April 7, 2020).
PO 00000
Frm 00027
Fmt 4700
Sfmt 4700
22381
HIPAA Privacy Rule by covered health
care providers or their business
associates for uses and disclosures of
PHI by business associates for public
health and health oversight activities.
Specifically, the enforcement discretion
covered Privacy Rule provisions 45 CFR
164.502(a)(3), 45 CFR 164.502(e)(2), 45
CFR 164.504(e)(1) and (5) if certain
parameters were met.
This Notification has been in effect
since April 7, 2020, and expires at 11:59
p.m. on May 11, 2023.
(2) Enforcement Discretion Regarding
COVID–19 Community-Based Testing
Sites (CBTS) During the COVID–19
Nationwide Public Health Emergency.10
In this Notification, OCR announced
that it would exercise its enforcement
discretion to not impose penalties for
noncompliance with the HIPAA Rules
by covered health care providers,
including some large pharmacy chains,
and their business associates, in
connection with the good faith
participation in the operation of
COVID–19 specimen collection and
testing sites (‘‘Community-Based
Testing Sites’’ or CBTS). For purposes of
this Notification, a CBTS includes
mobile, drive-through, or walk-up sites
that only provide COVID–19 specimen
collection or testing services to the
public.
This Notification has been in effect
since March 13, 2020, and expires at
11:59 p.m. on May 11, 2023.
(3) Enforcement Discretion Regarding
Online or Web-Based Scheduling
Applications for the Scheduling of
Individual Appointments for COVID–19
Vaccination During the COVID–19
Nationwide Public Health Emergency.11
In this Notification, OCR announced
that it would exercise its enforcement
discretion to not impose penalties for
noncompliance with the HIPAA Rules
by covered health care providers,
including some large pharmacy chains
and public health authorities,12 or their
business associates, in connection with
the good faith use of online or web10 85
FR 29637 (May 18, 2020).
FR 11139 (February 24, 2021).
12 See 45 CFR 164.501 (definition of ‘‘Public
health authority’’). The HIPAA Rules apply to a
public health authority only if it is a HIPAA
regulated entity. For example, a county health
department that administers a health plan, or
provides health care services for which it conducts
standard electronic transactions (e.g., checking
eligibility for coverage, billing insurance), is a
HIPAA covered entity. A public health authority
that does not meet the definition of a regulated
entity is not subject to the HIPAA Rules. See also
HHS HIPAA FAQ # 358, ‘‘Are state, county or local
health departments required to comply with the
HIPAA Privacy Rule?’’ https://www.hhs.gov/hipaa/
for-professionals/faq/358/are-state-county-or-localhealth-departments-required-to-comply-with-hipaa/
index.html.
11 86
E:\FR\FM\13APR1.SGM
13APR1
22382
Federal Register / Vol. 88, No. 71 / Thursday, April 13, 2023 / Rules and Regulations
based scheduling applications
(collectively, WBSAs) for the limited
purpose of scheduling individual
appointments for COVID–19
vaccinations. For purposes of this
Notification, a WBSA is a non-public
facing online or web-based application
that provides scheduling of individual
appointments for services in connection
with large-scale COVID–19 vaccination.
This Notification has been in effect
since December 11, 2020, and expires at
11:59 p.m. on May 11, 2023.
(4) Notification of Enforcement
Discretion for Telehealth Remote
Communications During the COVID–19
Nationwide Public Health Emergency
(‘‘Telehealth Notification’’).13 In this
Notification, OCR announced that it
would exercise its enforcement
discretion and would not impose
HIPAA penalties for noncompliance
with the regulatory requirements under
the HIPAA Rules in connection with the
good faith provision of telehealth using
a non-public facing remote
communication technology. This
exercise of discretion applied to
telehealth provided for any reason,
regardless of whether the telehealth
service was related to the diagnosis and
treatment of health conditions related to
COVID–19.
The Telehealth Notification has been
in effect since March 17, 2020, and
expires at 11:59 p.m. on May 11, 2023;
OCR is providing a 90-calendar day
transition period for covered health care
providers to come into compliance with
lotter on DSK11XQN23PROD with RULES1
13 85
FR 22024 (April 21, 2020).
VerDate Sep<11>2014
15:58 Apr 12, 2023
Jkt 259001
the HIPAA Rules with respect to their
provision of telehealth. The transition
period will be in effect beginning on
May 12, 2023, and will expire at 11:59
p.m. on August 9, 2023.
During the 90-calendar day transition
period, OCR will continue to exercise its
enforcement discretion and will not
impose penalties on covered health care
providers for noncompliance with the
HIPAA Rules in connection with the
good faith provision of telehealth. These
regulatory requirements remain the
same as they were before the COVID–19
PHE; however, OCR recognizes that
regulated entities that began using
remote communication technologies for
telehealth for the first time during the
COVID–19 PHE may need additional
time to come into compliance.
Therefore, covered health care providers
may use this transition period, as
necessary, to adjust their telehealth
practices to come into compliance, such
as by choosing a telehealth technology
vendor that will enter into a business
associate agreement and comply with
applicable requirements of the HIPAA
Rules. Covered entities may also review
and update as necessary any policies
and practices developed and
implemented prior to the COVID–19
PHE for compliance with the HIPAA
Rules. To assist covered entities, OCR
has published FAQs and guidance on
HIPAA and telehealth.14 OCR will
14 See HIPAA and Telehealth, U.S. Dep’t of
Health and Human Servs., https://www.hhs.gov/
hipaa/for-professionals/special-topics/telehealth/
index.html.
PO 00000
Frm 00028
Fmt 4700
Sfmt 9990
provide additional guidance on
telehealth remote communications to
help covered health care providers come
into compliance during this transition
period.
OCR will no longer use the Telehealth
Notification as a basis to exercise its
discretion in enforcing the HIPAA
Rules, as they apply to the provision of
telehealth, for noncompliance that
occurs after 11:59 p.m. on August 9,
2023. Beginning on August 10, 2023,
OCR will continue to exercise
enforcement discretion consistent with
the Telehealth Notification with respect
to noncompliance that may occur
during the 90-calendar day transition
period (i.e., noncompliance occurring
from May 12, 2023, through August 9,
2023).
III. Collection of Information
Requirements
This announcement of the expiration
of the Notifications of Enforcement
Discretion creates no legal obligations
and no legal rights. Because this notice
imposes no information collection
requirements, it need not be reviewed
by the Office of Management and
Budget under the Paperwork Reduction
Act of 1995 (44 U.S.C. 3501 et seq.).
Dated: April 7, 2023.
Melanie Fontes Rainer,
Director, Office for Civil Rights, U.S.
Department of Health and Human Services.
[FR Doc. 2023–07824 Filed 4–11–23; 8:45 am]
BILLING CODE 4153–01–P
E:\FR\FM\13APR1.SGM
13APR1
Agencies
[Federal Register Volume 88, Number 71 (Thursday, April 13, 2023)]
[Rules and Regulations]
[Pages 22380-22382]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-07824]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Parts 160 and 164
Notice of Expiration of Certain Notifications of Enforcement
Discretion Issued in Response to the COVID-19 Nationwide Public Health
Emergency
AGENCY: Office for Civil Rights (OCR), Office of the Secretary, HHS.
ACTION: Expiration of Notifications of Enforcement Discretion and
transition period for telehealth.
-----------------------------------------------------------------------
SUMMARY: This document is to inform the public that four Notifications
of Enforcement Discretion (``Notifications'') issued by the U.S.
Department of Health and Human Services (HHS), Office for Civil Rights
(OCR) regarding how the Privacy, Security, and Breach Notification
Rules (``HIPAA Rules'') promulgated under the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) and the Health
Information Technology for Economic and Clinical Health (HITECH) Act
will be applied to certain violations during the COVID-19 nationwide
public health emergency (``COVID-19 PHE''), will expire upon expiration
of the COVID-19 PHE, which is currently scheduled for 11:59 p.m. on May
11, 2023. Accordingly, upon expiration of the COVID-19 PHE, the
Notifications will not provide a basis for OCR to exercise enforcement
discretion with respect to imposing penalties for violations of the
HIPAA Rules. OCR will continue to exercise enforcement discretion
consistent with the Notifications for violations of the HIPAA Rules
that occurred during the period that each Notification was in effect.
In addition, OCR is affording covered health care providers a 90-
calendar day transition period to come into compliance with the HIPAA
Rules with respect to their provision of telehealth using non-public
facing remote communication technologies.
DATES: The Notifications of Enforcement Discretion addressed in this
document expire at 11:59 p.m. on May 11, 2023. The 90-calendar day
transition period with respect to telehealth will expire at 11:59 p.m.
on August 9, 2023.
FOR FURTHER INFORMATION CONTACT: Marissa Gordon-Nguyen at (202) 619-
0403 or (800) 537-7697 (TDD).
SUPPLEMENTARY INFORMATION: In 2020 and 2021, OCR issued four
Notifications of Enforcement Discretion (``Notifications'') regarding
how the Privacy, Security, Breach Notification, and Enforcement Rules
(``HIPAA Rules'') promulgated under the Health Insurance Portability
and Accountability Act of 1996 \1\ (HIPAA)
[[Page 22381]]
and the HITECH Act \2\ would be applied to certain violations during
the COVID-19 PHE. OCR is informing the public that these Notifications,
which were published in the Federal Register on April 7, 2020, April
21, 2020, May 18, 2020, and February 24, 2021, expire upon expiration
of the COVID-19 PHE, which is currently scheduled for 11:59 p.m. on May
11, 2023. Accordingly, at that time, the Notifications will no longer
provide a basis for the exercise of enforcement discretion in how OCR
imposes penalties for violations of requirements under the HIPAA Rules.
OCR will continue to exercise enforcement discretion consistent with
the Notifications for violations of the HIPAA Rules that occurred
during the period that each Notification was in effect. With respect to
the Notification of Enforcement Discretion for Telehealth Remote
Communications During the COVID-19 PHE issued on April 21, 2020, with
an effective beginning date of March 17, 2020, covered health care
providers will be afforded a 90-calendar day transition period until
11:59 p.m. on August 9, 2023, to come into compliance with the HIPAA
Rules in their provision of telehealth. During the transition period,
OCR will continue to exercise its enforcement discretion and will not
impose penalties on covered health care providers for noncompliance
with the HIPAA Rules in connection with the good faith provision of
telehealth.
---------------------------------------------------------------------------
\1\ Subtitle F of title II of HIPAA (Pub. L. 104-191, 100 Stat.
2548 (August 21, 1996)) added a new part C to title XI of the Social
Security Act, Public Law 74-271, 49 Stat. 620 (August 14, 1935),
(see sections 1171-1179 of the Social Security Act (codified at 42
U.S.C. 1320d-1320d-8)). Due to the public health emergency posed by
COVID-19, the HHS Office for Civil Rights (OCR) exercised its
enforcement discretion under the conditions outlined in the four
Notifications of Enforcement Discretion. OCR believes that this
guidance is a statement of agency policy not subject to the notice
and comment requirements of the Administrative Procedure Act (APA).
5 U.S.C. 553(b)(3)(A). OCR additionally finds that, even if this
guidance were subject to the public participation provisions of the
APA, prior notice and comment for this guidance is impracticable,
and there is good cause to issue this guidance without prior public
comment and without a delayed effective date. 5 U.S.C. 553(b)(3)(B)
and (d)(3).
\2\ The HITECH Act was enacted as title XIII of division A and
title IV of division B of the American Recovery and Reinvestment Act
of 2009, Public Law 111-5, 123 Stat. 226 (February 17, 2009).
---------------------------------------------------------------------------
I. Background
OCR is responsible for enforcing certain regulations issued under
HIPAA and the HITECH Act to protect the privacy and security of
protected health information (PHI), collectively known as the HIPAA
Rules.
During the COVID-19 nationwide public health emergency that the HHS
Secretary declared under section 319 of the Public Health Service
Act,\3\ OCR announced that it would exercise enforcement discretion to
not impose penalties for violations of certain regulatory requirements
under the HIPAA Rules by covered entities \4\ and their business
associates \5\ (collectively, ``regulated entities''), to the extent
specified in each of the four Notifications published in the Federal
Register on April 7, 2020, April 21, 2020, May 18, 2020, and February
24, 2021. OCR's enforcement discretion applied to specific obligations
under the HIPAA Rules and permitted regulated entities, as applicable,
the flexibility to respond effectively to the public health emergency.
---------------------------------------------------------------------------
\3\ See Renewal of Determination That a Public Health Emergency
Exists by the HHS Secretary (February 9, 2023), https://aspr.hhs.gov/legal/PHE/Pages/COVID19-9Feb2023.aspx.
\4\ See 45 CFR 160.103 (definition of ``Covered entity'').
\5\ See 45 CFR 160.103 (definition of ``Business associate'').
---------------------------------------------------------------------------
The Notifications stated that they would remain in effect until the
Secretary of HHS declared that the COVID-19 PHE no longer existed or
upon the expiration date of the declared COVID-19 PHE, including any
extensions,\6\ whichever occurred first. The HHS Secretary has
announced that he does not plan to renew the COVID-19 PHE when it
expires at 11:59 p.m. on May 11, 2023.\7\ Thus, assuming the PHE ends
on that date, the Notifications will no longer be in effect as of May
12, 2023.\8\
---------------------------------------------------------------------------
\6\ As determined by 42 U.S.C. 247d.
\7\ See HHS, Fact Sheet: COVID-19 Public Health Emergency
Transition Roadmap (Feb. 9, 2023), https://www.hhs.gov/about/news/2023/02/09/fact-sheet-covid-19-public-health-emergency-transition-roadmap.html.
\8\ The public health emergency determination is currently
expected to end at 11:59 p.m. on May 11, 2023. See Renewal of
Determination That a Public Health Emergency Exists by the HHS
Secretary, supra note 4.
---------------------------------------------------------------------------
II. Notifications of Enforcement Discretion Effective and Ending Dates;
Transition Period for Telehealth
The effective and ending dates of each Notification are provided
below. OCR will continue to exercise enforcement discretion consistent
with the Notifications for violations of the HIPAA Rules that occurred
during the period that each Notification was in effect.
(1) Enforcement Discretion Under HIPAA To Allow Uses and
Disclosures of Protected Health Information by Business Associates for
Public Health and Health Oversight Activities in Response to COVID-
19.\9\ In this Notification, OCR announced that it would exercise its
enforcement discretion to not impose penalties for violations of
certain provisions of the HIPAA Privacy Rule by covered health care
providers or their business associates for uses and disclosures of PHI
by business associates for public health and health oversight
activities. Specifically, the enforcement discretion covered Privacy
Rule provisions 45 CFR 164.502(a)(3), 45 CFR 164.502(e)(2), 45 CFR
164.504(e)(1) and (5) if certain parameters were met.
---------------------------------------------------------------------------
\9\ 85 FR 19392 (April 7, 2020).
---------------------------------------------------------------------------
This Notification has been in effect since April 7, 2020, and
expires at 11:59 p.m. on May 11, 2023.
(2) Enforcement Discretion Regarding COVID-19 Community-Based
Testing Sites (CBTS) During the COVID-19 Nationwide Public Health
Emergency.\10\ In this Notification, OCR announced that it would
exercise its enforcement discretion to not impose penalties for
noncompliance with the HIPAA Rules by covered health care providers,
including some large pharmacy chains, and their business associates, in
connection with the good faith participation in the operation of COVID-
19 specimen collection and testing sites (``Community-Based Testing
Sites'' or CBTS). For purposes of this Notification, a CBTS includes
mobile, drive-through, or walk-up sites that only provide COVID-19
specimen collection or testing services to the public.
---------------------------------------------------------------------------
\10\ 85 FR 29637 (May 18, 2020).
---------------------------------------------------------------------------
This Notification has been in effect since March 13, 2020, and
expires at 11:59 p.m. on May 11, 2023.
(3) Enforcement Discretion Regarding Online or Web-Based Scheduling
Applications for the Scheduling of Individual Appointments for COVID-19
Vaccination During the COVID-19 Nationwide Public Health Emergency.\11\
In this Notification, OCR announced that it would exercise its
enforcement discretion to not impose penalties for noncompliance with
the HIPAA Rules by covered health care providers, including some large
pharmacy chains and public health authorities,\12\ or their business
associates, in connection with the good faith use of online or web-
[[Page 22382]]
based scheduling applications (collectively, WBSAs) for the limited
purpose of scheduling individual appointments for COVID-19
vaccinations. For purposes of this Notification, a WBSA is a non-public
facing online or web-based application that provides scheduling of
individual appointments for services in connection with large-scale
COVID-19 vaccination.
---------------------------------------------------------------------------
\11\ 86 FR 11139 (February 24, 2021).
\12\ See 45 CFR 164.501 (definition of ``Public health
authority''). The HIPAA Rules apply to a public health authority
only if it is a HIPAA regulated entity. For example, a county health
department that administers a health plan, or provides health care
services for which it conducts standard electronic transactions
(e.g., checking eligibility for coverage, billing insurance), is a
HIPAA covered entity. A public health authority that does not meet
the definition of a regulated entity is not subject to the HIPAA
Rules. See also HHS HIPAA FAQ # 358, ``Are state, county or local
health departments required to comply with the HIPAA Privacy Rule?''
https://www.hhs.gov/hipaa/for-professionals/faq/358/are-state-county-or-local-health-departments-required-to-comply-with-hipaa/.
---------------------------------------------------------------------------
This Notification has been in effect since December 11, 2020, and
expires at 11:59 p.m. on May 11, 2023.
(4) Notification of Enforcement Discretion for Telehealth Remote
Communications During the COVID-19 Nationwide Public Health Emergency
(``Telehealth Notification'').\13\ In this Notification, OCR announced
that it would exercise its enforcement discretion and would not impose
HIPAA penalties for noncompliance with the regulatory requirements
under the HIPAA Rules in connection with the good faith provision of
telehealth using a non-public facing remote communication technology.
This exercise of discretion applied to telehealth provided for any
reason, regardless of whether the telehealth service was related to the
diagnosis and treatment of health conditions related to COVID-19.
---------------------------------------------------------------------------
\13\ 85 FR 22024 (April 21, 2020).
---------------------------------------------------------------------------
The Telehealth Notification has been in effect since March 17,
2020, and expires at 11:59 p.m. on May 11, 2023; OCR is providing a 90-
calendar day transition period for covered health care providers to
come into compliance with the HIPAA Rules with respect to their
provision of telehealth. The transition period will be in effect
beginning on May 12, 2023, and will expire at 11:59 p.m. on August 9,
2023.
During the 90-calendar day transition period, OCR will continue to
exercise its enforcement discretion and will not impose penalties on
covered health care providers for noncompliance with the HIPAA Rules in
connection with the good faith provision of telehealth. These
regulatory requirements remain the same as they were before the COVID-
19 PHE; however, OCR recognizes that regulated entities that began
using remote communication technologies for telehealth for the first
time during the COVID-19 PHE may need additional time to come into
compliance. Therefore, covered health care providers may use this
transition period, as necessary, to adjust their telehealth practices
to come into compliance, such as by choosing a telehealth technology
vendor that will enter into a business associate agreement and comply
with applicable requirements of the HIPAA Rules. Covered entities may
also review and update as necessary any policies and practices
developed and implemented prior to the COVID-19 PHE for compliance with
the HIPAA Rules. To assist covered entities, OCR has published FAQs and
guidance on HIPAA and telehealth.\14\ OCR will provide additional
guidance on telehealth remote communications to help covered health
care providers come into compliance during this transition period.
---------------------------------------------------------------------------
\14\ See HIPAA and Telehealth, U.S. Dep't of Health and Human
Servs., https://www.hhs.gov/hipaa/for-professionals/special-topics/telehealth/.
---------------------------------------------------------------------------
OCR will no longer use the Telehealth Notification as a basis to
exercise its discretion in enforcing the HIPAA Rules, as they apply to
the provision of telehealth, for noncompliance that occurs after 11:59
p.m. on August 9, 2023. Beginning on August 10, 2023, OCR will continue
to exercise enforcement discretion consistent with the Telehealth
Notification with respect to noncompliance that may occur during the
90-calendar day transition period (i.e., noncompliance occurring from
May 12, 2023, through August 9, 2023).
III. Collection of Information Requirements
This announcement of the expiration of the Notifications of
Enforcement Discretion creates no legal obligations and no legal
rights. Because this notice imposes no information collection
requirements, it need not be reviewed by the Office of Management and
Budget under the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et
seq.).
Dated: April 7, 2023.
Melanie Fontes Rainer,
Director, Office for Civil Rights, U.S. Department of Health and Human
Services.
[FR Doc. 2023-07824 Filed 4-11-23; 8:45 am]
BILLING CODE 4153-01-P