Notice of Expiration of Certain Notifications of Enforcement Discretion Issued in Response to the COVID-19 Nationwide Public Health Emergency, 22380-22382 [2023-07824]

Download as PDF 22380 Federal Register / Vol. 88, No. 71 / Thursday, April 13, 2023 / Rules and Regulations AIRAC date City Airport MA MA MA MA MA WI New Bedford .................. New Bedford .................. New Bedford .................. New Bedford .................. New Bedford .................. Chetek ........................... New Bedford Rgnl ......... New Bedford Rgnl ......... New Bedford Rgnl ......... New Bedford Rgnl ......... New Bedford Rgnl ......... Chetek Muni/Southworth 3/5769 3/5770 3/5771 3/5772 3/5773 3/7769 3/3/23 3/3/23 3/3/23 3/3/23 3/3/23 2/22/23 20–Apr–23 ......... MI Saginaw ......................... 3/7825 2/22/23 20–Apr–23 ......... PA State College ................. Saginaw County/H W Browne. University Park .............. ILS OR LOC RWY 5, Amdt 26A. LOC BC RWY 23, Amdt 13. RNAV (GPS) RWY 23, Amdt 1. RNAV (GPS) RWY 5, Amdt 1C. RNAV (GPS) RWY 14, Orig-D. Takeoff Minimums and Obstacle DP, Orig-A. RNAV (GPS) RWY 10, Amdt 1A. 3/9474 2/27/23 ILS OR LOC RWY 24, Amdt 9D. 20–Apr–23 20–Apr–23 20–Apr–23 20–Apr–23 20–Apr–23 20–Apr–23 State ......... ......... ......... ......... ......... ......... [FR Doc. 2023–07633 Filed 4–12–23; 8:45 am] BILLING CODE 4910–13–P DEPARTMENT OF HOMELAND SECURITY Coast Guard 33 CFR Part 165 [Docket No. USCG–2023–0180] Safety Zone; Fireworks Display; Chesapeake Bay, Norfolk, VA Coast Guard, Department of Homeland Security (DHS). ACTION: Notification of enforcement of regulation. AGENCY: The Coast Guard will enforce a safety zone for the Shore Thing Independence Day Celebration on June 30, 2023, in Virginia Beach, VA, to protect against hazards associated with a fireworks display and provide for the safety of life on navigable waterways during this event. Our regulation for marine events within the Fifth Coast Guard District identifies the regulated area for this event in Norfolk, VA. During the enforcement period, entry of vessels or persons into this zone is prohibited unless specifically authorized by the Captain of the Port Virginia. SUMMARY: The regulations in 33 CFR 165.506 will be enforced for the location identified as Item 3 in table 3 to paragraph (h)(3) from 9:30 p.m. until 9:45 p.m. on June 30, 2023. FOR FURTHER INFORMATION CONTACT: If you have questions about this notification of enforcement, call or email LCDR Ashley Holm, Chief, Waterways Management Division, Sector Virginia, U.S. Coast Guard; telephone 757–668–5580 email Ashley.E.Holm@uscg.mil. SUPPLEMENTARY INFORMATION: The Coast Guard will enforce the safety zone in 33 CFR 165.506 for Shore Thing Independence Day Celebration regulated area from 9:30 p.m. to 9:45 p.m. on June FDC No. 30, 2023. This action is being taken to provide for the safety of life on navigable waterways during this event, which will feature live fireworks. Our regulation for marine events within the Fifth Coast Guard District, § 165.506, specifies the location of the regulated area for the Shore Thing Independence Day Celebration, which encompasses portions of the Chesapeake Bay located near Ocean View Fishing Pier. During the enforcement period, neither persons nor vessels may enter, remain in, or transit through the safety zone unless specifically authorized by the Captain of the Port Virginia. In addition to this notification of enforcement in the Federal Register, the Coast Guard plans to provide notification of this enforcement period via the Local Notice to Mariners and marine information broadcasts. Dated: March 16, 2023. Jennifer A. Stockwell, Captain, U.S. Coast Guard, Captain of the Port Virginia. [FR Doc. 2023–07749 Filed 4–12–23; 8:45 am] BILLING CODE 9110–04–P DEPARTMENT OF HEALTH AND HUMAN SERVICES Office of the Secretary 45 CFR Parts 160 and 164 lotter on DSK11XQN23PROD with RULES1 DATES: VerDate Sep<11>2014 15:58 Apr 12, 2023 Jkt 259001 Notice of Expiration of Certain Notifications of Enforcement Discretion Issued in Response to the COVID–19 Nationwide Public Health Emergency Office for Civil Rights (OCR), Office of the Secretary, HHS. ACTION: Expiration of Notifications of Enforcement Discretion and transition period for telehealth. AGENCY: This document is to inform the public that four Notifications of Enforcement Discretion (‘‘Notifications’’) issued by the U.S. Department of Health and Human Services (HHS), Office for Civil Rights FDC Date Subject (OCR) regarding how the Privacy, Security, and Breach Notification Rules (‘‘HIPAA Rules’’) promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act will be applied to certain violations during the COVID–19 nationwide public health emergency (‘‘COVID–19 PHE’’), will expire upon expiration of the COVID–19 PHE, which is currently scheduled for 11:59 p.m. on May 11, 2023. Accordingly, upon expiration of the COVID–19 PHE, the Notifications will not provide a basis for OCR to exercise enforcement discretion with respect to imposing penalties for violations of the HIPAA Rules. OCR will continue to exercise enforcement discretion consistent with the Notifications for violations of the HIPAA Rules that occurred during the period that each Notification was in effect. In addition, OCR is affording covered health care providers a 90calendar day transition period to come into compliance with the HIPAA Rules with respect to their provision of telehealth using non-public facing remote communication technologies. DATES: The Notifications of Enforcement Discretion addressed in this document expire at 11:59 p.m. on May 11, 2023. The 90-calendar day transition period with respect to telehealth will expire at 11:59 p.m. on August 9, 2023. FOR FURTHER INFORMATION CONTACT: Marissa Gordon-Nguyen at (202) 619– 0403 or (800) 537–7697 (TDD). SUPPLEMENTARY INFORMATION: In 2020 and 2021, OCR issued four Notifications of Enforcement Discretion (‘‘Notifications’’) regarding how the Privacy, Security, Breach Notification, and Enforcement Rules (‘‘HIPAA Rules’’) promulgated under the Health Insurance Portability and Accountability Act of 1996 1 (HIPAA) SUMMARY: PO 00000 Frm 00026 Fmt 4700 Sfmt 4700 1 Subtitle F of title II of HIPAA (Pub. L. 104–191, 100 Stat. 2548 (August 21, 1996)) added a new part C to title XI of the Social Security Act, Public Law 74–271, 49 Stat. 620 (August 14, 1935), (see sections 1171–1179 of the Social Security Act (codified at 42 U.S.C. 1320d–1320d–8)). Due to the public E:\FR\FM\13APR1.SGM 13APR1 Federal Register / Vol. 88, No. 71 / Thursday, April 13, 2023 / Rules and Regulations and the HITECH Act 2 would be applied to certain violations during the COVID– 19 PHE. OCR is informing the public that these Notifications, which were published in the Federal Register on April 7, 2020, April 21, 2020, May 18, 2020, and February 24, 2021, expire upon expiration of the COVID–19 PHE, which is currently scheduled for 11:59 p.m. on May 11, 2023. Accordingly, at that time, the Notifications will no longer provide a basis for the exercise of enforcement discretion in how OCR imposes penalties for violations of requirements under the HIPAA Rules. OCR will continue to exercise enforcement discretion consistent with the Notifications for violations of the HIPAA Rules that occurred during the period that each Notification was in effect. With respect to the Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID–19 PHE issued on April 21, 2020, with an effective beginning date of March 17, 2020, covered health care providers will be afforded a 90-calendar day transition period until 11:59 p.m. on August 9, 2023, to come into compliance with the HIPAA Rules in their provision of telehealth. During the transition period, OCR will continue to exercise its enforcement discretion and will not impose penalties on covered health care providers for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth. lotter on DSK11XQN23PROD with RULES1 I. Background OCR is responsible for enforcing certain regulations issued under HIPAA and the HITECH Act to protect the privacy and security of protected health information (PHI), collectively known as the HIPAA Rules. During the COVID–19 nationwide public health emergency that the HHS Secretary declared under section 319 of the Public Health Service Act,3 OCR health emergency posed by COVID–19, the HHS Office for Civil Rights (OCR) exercised its enforcement discretion under the conditions outlined in the four Notifications of Enforcement Discretion. OCR believes that this guidance is a statement of agency policy not subject to the notice and comment requirements of the Administrative Procedure Act (APA). 5 U.S.C. 553(b)(3)(A). OCR additionally finds that, even if this guidance were subject to the public participation provisions of the APA, prior notice and comment for this guidance is impracticable, and there is good cause to issue this guidance without prior public comment and without a delayed effective date. 5 U.S.C. 553(b)(3)(B) and (d)(3). 2 The HITECH Act was enacted as title XIII of division A and title IV of division B of the American Recovery and Reinvestment Act of 2009, Public Law 111–5, 123 Stat. 226 (February 17, 2009). 3 See Renewal of Determination That a Public Health Emergency Exists by the HHS Secretary VerDate Sep<11>2014 15:58 Apr 12, 2023 Jkt 259001 announced that it would exercise enforcement discretion to not impose penalties for violations of certain regulatory requirements under the HIPAA Rules by covered entities 4 and their business associates 5 (collectively, ‘‘regulated entities’’), to the extent specified in each of the four Notifications published in the Federal Register on April 7, 2020, April 21, 2020, May 18, 2020, and February 24, 2021. OCR’s enforcement discretion applied to specific obligations under the HIPAA Rules and permitted regulated entities, as applicable, the flexibility to respond effectively to the public health emergency. The Notifications stated that they would remain in effect until the Secretary of HHS declared that the COVID–19 PHE no longer existed or upon the expiration date of the declared COVID–19 PHE, including any extensions,6 whichever occurred first. The HHS Secretary has announced that he does not plan to renew the COVID– 19 PHE when it expires at 11:59 p.m. on May 11, 2023.7 Thus, assuming the PHE ends on that date, the Notifications will no longer be in effect as of May 12, 2023.8 II. Notifications of Enforcement Discretion Effective and Ending Dates; Transition Period for Telehealth The effective and ending dates of each Notification are provided below. OCR will continue to exercise enforcement discretion consistent with the Notifications for violations of the HIPAA Rules that occurred during the period that each Notification was in effect. (1) Enforcement Discretion Under HIPAA To Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID–19.9 In this Notification, OCR announced that it would exercise its enforcement discretion to not impose penalties for violations of certain provisions of the (February 9, 2023), https://aspr.hhs.gov/legal/PHE/ Pages/COVID19-9Feb2023.aspx. 4 See 45 CFR 160.103 (definition of ‘‘Covered entity’’). 5 See 45 CFR 160.103 (definition of ‘‘Business associate’’). 6 As determined by 42 U.S.C. 247d. 7 See HHS, Fact Sheet: COVID–19 Public Health Emergency Transition Roadmap (Feb. 9, 2023), https://www.hhs.gov/about/news/2023/02/09/factsheet-covid-19-public-health-emergency-transitionroadmap.html. 8 The public health emergency determination is currently expected to end at 11:59 p.m. on May 11, 2023. See Renewal of Determination That a Public Health Emergency Exists by the HHS Secretary, supra note 4. 9 85 FR 19392 (April 7, 2020). PO 00000 Frm 00027 Fmt 4700 Sfmt 4700 22381 HIPAA Privacy Rule by covered health care providers or their business associates for uses and disclosures of PHI by business associates for public health and health oversight activities. Specifically, the enforcement discretion covered Privacy Rule provisions 45 CFR 164.502(a)(3), 45 CFR 164.502(e)(2), 45 CFR 164.504(e)(1) and (5) if certain parameters were met. This Notification has been in effect since April 7, 2020, and expires at 11:59 p.m. on May 11, 2023. (2) Enforcement Discretion Regarding COVID–19 Community-Based Testing Sites (CBTS) During the COVID–19 Nationwide Public Health Emergency.10 In this Notification, OCR announced that it would exercise its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules by covered health care providers, including some large pharmacy chains, and their business associates, in connection with the good faith participation in the operation of COVID–19 specimen collection and testing sites (‘‘Community-Based Testing Sites’’ or CBTS). For purposes of this Notification, a CBTS includes mobile, drive-through, or walk-up sites that only provide COVID–19 specimen collection or testing services to the public. This Notification has been in effect since March 13, 2020, and expires at 11:59 p.m. on May 11, 2023. (3) Enforcement Discretion Regarding Online or Web-Based Scheduling Applications for the Scheduling of Individual Appointments for COVID–19 Vaccination During the COVID–19 Nationwide Public Health Emergency.11 In this Notification, OCR announced that it would exercise its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules by covered health care providers, including some large pharmacy chains and public health authorities,12 or their business associates, in connection with the good faith use of online or web10 85 FR 29637 (May 18, 2020). FR 11139 (February 24, 2021). 12 See 45 CFR 164.501 (definition of ‘‘Public health authority’’). The HIPAA Rules apply to a public health authority only if it is a HIPAA regulated entity. For example, a county health department that administers a health plan, or provides health care services for which it conducts standard electronic transactions (e.g., checking eligibility for coverage, billing insurance), is a HIPAA covered entity. A public health authority that does not meet the definition of a regulated entity is not subject to the HIPAA Rules. See also HHS HIPAA FAQ # 358, ‘‘Are state, county or local health departments required to comply with the HIPAA Privacy Rule?’’ https://www.hhs.gov/hipaa/ for-professionals/faq/358/are-state-county-or-localhealth-departments-required-to-comply-with-hipaa/ index.html. 11 86 E:\FR\FM\13APR1.SGM 13APR1 22382 Federal Register / Vol. 88, No. 71 / Thursday, April 13, 2023 / Rules and Regulations based scheduling applications (collectively, WBSAs) for the limited purpose of scheduling individual appointments for COVID–19 vaccinations. For purposes of this Notification, a WBSA is a non-public facing online or web-based application that provides scheduling of individual appointments for services in connection with large-scale COVID–19 vaccination. This Notification has been in effect since December 11, 2020, and expires at 11:59 p.m. on May 11, 2023. (4) Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID–19 Nationwide Public Health Emergency (‘‘Telehealth Notification’’).13 In this Notification, OCR announced that it would exercise its enforcement discretion and would not impose HIPAA penalties for noncompliance with the regulatory requirements under the HIPAA Rules in connection with the good faith provision of telehealth using a non-public facing remote communication technology. This exercise of discretion applied to telehealth provided for any reason, regardless of whether the telehealth service was related to the diagnosis and treatment of health conditions related to COVID–19. The Telehealth Notification has been in effect since March 17, 2020, and expires at 11:59 p.m. on May 11, 2023; OCR is providing a 90-calendar day transition period for covered health care providers to come into compliance with lotter on DSK11XQN23PROD with RULES1 13 85 FR 22024 (April 21, 2020). VerDate Sep<11>2014 15:58 Apr 12, 2023 Jkt 259001 the HIPAA Rules with respect to their provision of telehealth. The transition period will be in effect beginning on May 12, 2023, and will expire at 11:59 p.m. on August 9, 2023. During the 90-calendar day transition period, OCR will continue to exercise its enforcement discretion and will not impose penalties on covered health care providers for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth. These regulatory requirements remain the same as they were before the COVID–19 PHE; however, OCR recognizes that regulated entities that began using remote communication technologies for telehealth for the first time during the COVID–19 PHE may need additional time to come into compliance. Therefore, covered health care providers may use this transition period, as necessary, to adjust their telehealth practices to come into compliance, such as by choosing a telehealth technology vendor that will enter into a business associate agreement and comply with applicable requirements of the HIPAA Rules. Covered entities may also review and update as necessary any policies and practices developed and implemented prior to the COVID–19 PHE for compliance with the HIPAA Rules. To assist covered entities, OCR has published FAQs and guidance on HIPAA and telehealth.14 OCR will 14 See HIPAA and Telehealth, U.S. Dep’t of Health and Human Servs., https://www.hhs.gov/ hipaa/for-professionals/special-topics/telehealth/ index.html. PO 00000 Frm 00028 Fmt 4700 Sfmt 9990 provide additional guidance on telehealth remote communications to help covered health care providers come into compliance during this transition period. OCR will no longer use the Telehealth Notification as a basis to exercise its discretion in enforcing the HIPAA Rules, as they apply to the provision of telehealth, for noncompliance that occurs after 11:59 p.m. on August 9, 2023. Beginning on August 10, 2023, OCR will continue to exercise enforcement discretion consistent with the Telehealth Notification with respect to noncompliance that may occur during the 90-calendar day transition period (i.e., noncompliance occurring from May 12, 2023, through August 9, 2023). III. Collection of Information Requirements This announcement of the expiration of the Notifications of Enforcement Discretion creates no legal obligations and no legal rights. Because this notice imposes no information collection requirements, it need not be reviewed by the Office of Management and Budget under the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.). Dated: April 7, 2023. Melanie Fontes Rainer, Director, Office for Civil Rights, U.S. Department of Health and Human Services. [FR Doc. 2023–07824 Filed 4–11–23; 8:45 am] BILLING CODE 4153–01–P E:\FR\FM\13APR1.SGM 13APR1

Agencies

[Federal Register Volume 88, Number 71 (Thursday, April 13, 2023)]
[Rules and Regulations]
[Pages 22380-22382]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-07824]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164


Notice of Expiration of Certain Notifications of Enforcement 
Discretion Issued in Response to the COVID-19 Nationwide Public Health 
Emergency

AGENCY: Office for Civil Rights (OCR), Office of the Secretary, HHS.

ACTION: Expiration of Notifications of Enforcement Discretion and 
transition period for telehealth.

-----------------------------------------------------------------------

SUMMARY: This document is to inform the public that four Notifications 
of Enforcement Discretion (``Notifications'') issued by the U.S. 
Department of Health and Human Services (HHS), Office for Civil Rights 
(OCR) regarding how the Privacy, Security, and Breach Notification 
Rules (``HIPAA Rules'') promulgated under the Health Insurance 
Portability and Accountability Act of 1996 (HIPAA) and the Health 
Information Technology for Economic and Clinical Health (HITECH) Act 
will be applied to certain violations during the COVID-19 nationwide 
public health emergency (``COVID-19 PHE''), will expire upon expiration 
of the COVID-19 PHE, which is currently scheduled for 11:59 p.m. on May 
11, 2023. Accordingly, upon expiration of the COVID-19 PHE, the 
Notifications will not provide a basis for OCR to exercise enforcement 
discretion with respect to imposing penalties for violations of the 
HIPAA Rules. OCR will continue to exercise enforcement discretion 
consistent with the Notifications for violations of the HIPAA Rules 
that occurred during the period that each Notification was in effect. 
In addition, OCR is affording covered health care providers a 90-
calendar day transition period to come into compliance with the HIPAA 
Rules with respect to their provision of telehealth using non-public 
facing remote communication technologies.

DATES: The Notifications of Enforcement Discretion addressed in this 
document expire at 11:59 p.m. on May 11, 2023. The 90-calendar day 
transition period with respect to telehealth will expire at 11:59 p.m. 
on August 9, 2023.

FOR FURTHER INFORMATION CONTACT: Marissa Gordon-Nguyen at (202) 619-
0403 or (800) 537-7697 (TDD).

SUPPLEMENTARY INFORMATION: In 2020 and 2021, OCR issued four 
Notifications of Enforcement Discretion (``Notifications'') regarding 
how the Privacy, Security, Breach Notification, and Enforcement Rules 
(``HIPAA Rules'') promulgated under the Health Insurance Portability 
and Accountability Act of 1996 \1\ (HIPAA)

[[Page 22381]]

and the HITECH Act \2\ would be applied to certain violations during 
the COVID-19 PHE. OCR is informing the public that these Notifications, 
which were published in the Federal Register on April 7, 2020, April 
21, 2020, May 18, 2020, and February 24, 2021, expire upon expiration 
of the COVID-19 PHE, which is currently scheduled for 11:59 p.m. on May 
11, 2023. Accordingly, at that time, the Notifications will no longer 
provide a basis for the exercise of enforcement discretion in how OCR 
imposes penalties for violations of requirements under the HIPAA Rules. 
OCR will continue to exercise enforcement discretion consistent with 
the Notifications for violations of the HIPAA Rules that occurred 
during the period that each Notification was in effect. With respect to 
the Notification of Enforcement Discretion for Telehealth Remote 
Communications During the COVID-19 PHE issued on April 21, 2020, with 
an effective beginning date of March 17, 2020, covered health care 
providers will be afforded a 90-calendar day transition period until 
11:59 p.m. on August 9, 2023, to come into compliance with the HIPAA 
Rules in their provision of telehealth. During the transition period, 
OCR will continue to exercise its enforcement discretion and will not 
impose penalties on covered health care providers for noncompliance 
with the HIPAA Rules in connection with the good faith provision of 
telehealth.
---------------------------------------------------------------------------

    \1\ Subtitle F of title II of HIPAA (Pub. L. 104-191, 100 Stat. 
2548 (August 21, 1996)) added a new part C to title XI of the Social 
Security Act, Public Law 74-271, 49 Stat. 620 (August 14, 1935), 
(see sections 1171-1179 of the Social Security Act (codified at 42 
U.S.C. 1320d-1320d-8)). Due to the public health emergency posed by 
COVID-19, the HHS Office for Civil Rights (OCR) exercised its 
enforcement discretion under the conditions outlined in the four 
Notifications of Enforcement Discretion. OCR believes that this 
guidance is a statement of agency policy not subject to the notice 
and comment requirements of the Administrative Procedure Act (APA). 
5 U.S.C. 553(b)(3)(A). OCR additionally finds that, even if this 
guidance were subject to the public participation provisions of the 
APA, prior notice and comment for this guidance is impracticable, 
and there is good cause to issue this guidance without prior public 
comment and without a delayed effective date. 5 U.S.C. 553(b)(3)(B) 
and (d)(3).
    \2\ The HITECH Act was enacted as title XIII of division A and 
title IV of division B of the American Recovery and Reinvestment Act 
of 2009, Public Law 111-5, 123 Stat. 226 (February 17, 2009).
---------------------------------------------------------------------------

I. Background

    OCR is responsible for enforcing certain regulations issued under 
HIPAA and the HITECH Act to protect the privacy and security of 
protected health information (PHI), collectively known as the HIPAA 
Rules.
    During the COVID-19 nationwide public health emergency that the HHS 
Secretary declared under section 319 of the Public Health Service 
Act,\3\ OCR announced that it would exercise enforcement discretion to 
not impose penalties for violations of certain regulatory requirements 
under the HIPAA Rules by covered entities \4\ and their business 
associates \5\ (collectively, ``regulated entities''), to the extent 
specified in each of the four Notifications published in the Federal 
Register on April 7, 2020, April 21, 2020, May 18, 2020, and February 
24, 2021. OCR's enforcement discretion applied to specific obligations 
under the HIPAA Rules and permitted regulated entities, as applicable, 
the flexibility to respond effectively to the public health emergency.
---------------------------------------------------------------------------

    \3\ See Renewal of Determination That a Public Health Emergency 
Exists by the HHS Secretary (February 9, 2023), https://aspr.hhs.gov/legal/PHE/Pages/COVID19-9Feb2023.aspx.
    \4\ See 45 CFR 160.103 (definition of ``Covered entity'').
    \5\ See 45 CFR 160.103 (definition of ``Business associate'').
---------------------------------------------------------------------------

    The Notifications stated that they would remain in effect until the 
Secretary of HHS declared that the COVID-19 PHE no longer existed or 
upon the expiration date of the declared COVID-19 PHE, including any 
extensions,\6\ whichever occurred first. The HHS Secretary has 
announced that he does not plan to renew the COVID-19 PHE when it 
expires at 11:59 p.m. on May 11, 2023.\7\ Thus, assuming the PHE ends 
on that date, the Notifications will no longer be in effect as of May 
12, 2023.\8\
---------------------------------------------------------------------------

    \6\ As determined by 42 U.S.C. 247d.
    \7\ See HHS, Fact Sheet: COVID-19 Public Health Emergency 
Transition Roadmap (Feb. 9, 2023), https://www.hhs.gov/about/news/2023/02/09/fact-sheet-covid-19-public-health-emergency-transition-roadmap.html.
    \8\ The public health emergency determination is currently 
expected to end at 11:59 p.m. on May 11, 2023. See Renewal of 
Determination That a Public Health Emergency Exists by the HHS 
Secretary, supra note 4.
---------------------------------------------------------------------------

II. Notifications of Enforcement Discretion Effective and Ending Dates; 
Transition Period for Telehealth

    The effective and ending dates of each Notification are provided 
below. OCR will continue to exercise enforcement discretion consistent 
with the Notifications for violations of the HIPAA Rules that occurred 
during the period that each Notification was in effect.
    (1) Enforcement Discretion Under HIPAA To Allow Uses and 
Disclosures of Protected Health Information by Business Associates for 
Public Health and Health Oversight Activities in Response to COVID-
19.\9\ In this Notification, OCR announced that it would exercise its 
enforcement discretion to not impose penalties for violations of 
certain provisions of the HIPAA Privacy Rule by covered health care 
providers or their business associates for uses and disclosures of PHI 
by business associates for public health and health oversight 
activities. Specifically, the enforcement discretion covered Privacy 
Rule provisions 45 CFR 164.502(a)(3), 45 CFR 164.502(e)(2), 45 CFR 
164.504(e)(1) and (5) if certain parameters were met.
---------------------------------------------------------------------------

    \9\ 85 FR 19392 (April 7, 2020).
---------------------------------------------------------------------------

    This Notification has been in effect since April 7, 2020, and 
expires at 11:59 p.m. on May 11, 2023.
    (2) Enforcement Discretion Regarding COVID-19 Community-Based 
Testing Sites (CBTS) During the COVID-19 Nationwide Public Health 
Emergency.\10\ In this Notification, OCR announced that it would 
exercise its enforcement discretion to not impose penalties for 
noncompliance with the HIPAA Rules by covered health care providers, 
including some large pharmacy chains, and their business associates, in 
connection with the good faith participation in the operation of COVID-
19 specimen collection and testing sites (``Community-Based Testing 
Sites'' or CBTS). For purposes of this Notification, a CBTS includes 
mobile, drive-through, or walk-up sites that only provide COVID-19 
specimen collection or testing services to the public.
---------------------------------------------------------------------------

    \10\ 85 FR 29637 (May 18, 2020).
---------------------------------------------------------------------------

    This Notification has been in effect since March 13, 2020, and 
expires at 11:59 p.m. on May 11, 2023.
    (3) Enforcement Discretion Regarding Online or Web-Based Scheduling 
Applications for the Scheduling of Individual Appointments for COVID-19 
Vaccination During the COVID-19 Nationwide Public Health Emergency.\11\ 
In this Notification, OCR announced that it would exercise its 
enforcement discretion to not impose penalties for noncompliance with 
the HIPAA Rules by covered health care providers, including some large 
pharmacy chains and public health authorities,\12\ or their business 
associates, in connection with the good faith use of online or web-

[[Page 22382]]

based scheduling applications (collectively, WBSAs) for the limited 
purpose of scheduling individual appointments for COVID-19 
vaccinations. For purposes of this Notification, a WBSA is a non-public 
facing online or web-based application that provides scheduling of 
individual appointments for services in connection with large-scale 
COVID-19 vaccination.
---------------------------------------------------------------------------

    \11\ 86 FR 11139 (February 24, 2021).
    \12\ See 45 CFR 164.501 (definition of ``Public health 
authority''). The HIPAA Rules apply to a public health authority 
only if it is a HIPAA regulated entity. For example, a county health 
department that administers a health plan, or provides health care 
services for which it conducts standard electronic transactions 
(e.g., checking eligibility for coverage, billing insurance), is a 
HIPAA covered entity. A public health authority that does not meet 
the definition of a regulated entity is not subject to the HIPAA 
Rules. See also HHS HIPAA FAQ # 358, ``Are state, county or local 
health departments required to comply with the HIPAA Privacy Rule?'' 
https://www.hhs.gov/hipaa/for-professionals/faq/358/are-state-county-or-local-health-departments-required-to-comply-with-hipaa/.
---------------------------------------------------------------------------

    This Notification has been in effect since December 11, 2020, and 
expires at 11:59 p.m. on May 11, 2023.
    (4) Notification of Enforcement Discretion for Telehealth Remote 
Communications During the COVID-19 Nationwide Public Health Emergency 
(``Telehealth Notification'').\13\ In this Notification, OCR announced 
that it would exercise its enforcement discretion and would not impose 
HIPAA penalties for noncompliance with the regulatory requirements 
under the HIPAA Rules in connection with the good faith provision of 
telehealth using a non-public facing remote communication technology. 
This exercise of discretion applied to telehealth provided for any 
reason, regardless of whether the telehealth service was related to the 
diagnosis and treatment of health conditions related to COVID-19.
---------------------------------------------------------------------------

    \13\ 85 FR 22024 (April 21, 2020).
---------------------------------------------------------------------------

    The Telehealth Notification has been in effect since March 17, 
2020, and expires at 11:59 p.m. on May 11, 2023; OCR is providing a 90-
calendar day transition period for covered health care providers to 
come into compliance with the HIPAA Rules with respect to their 
provision of telehealth. The transition period will be in effect 
beginning on May 12, 2023, and will expire at 11:59 p.m. on August 9, 
2023.
    During the 90-calendar day transition period, OCR will continue to 
exercise its enforcement discretion and will not impose penalties on 
covered health care providers for noncompliance with the HIPAA Rules in 
connection with the good faith provision of telehealth. These 
regulatory requirements remain the same as they were before the COVID-
19 PHE; however, OCR recognizes that regulated entities that began 
using remote communication technologies for telehealth for the first 
time during the COVID-19 PHE may need additional time to come into 
compliance. Therefore, covered health care providers may use this 
transition period, as necessary, to adjust their telehealth practices 
to come into compliance, such as by choosing a telehealth technology 
vendor that will enter into a business associate agreement and comply 
with applicable requirements of the HIPAA Rules. Covered entities may 
also review and update as necessary any policies and practices 
developed and implemented prior to the COVID-19 PHE for compliance with 
the HIPAA Rules. To assist covered entities, OCR has published FAQs and 
guidance on HIPAA and telehealth.\14\ OCR will provide additional 
guidance on telehealth remote communications to help covered health 
care providers come into compliance during this transition period.
---------------------------------------------------------------------------

    \14\ See HIPAA and Telehealth, U.S. Dep't of Health and Human 
Servs., https://www.hhs.gov/hipaa/for-professionals/special-topics/telehealth/.
---------------------------------------------------------------------------

    OCR will no longer use the Telehealth Notification as a basis to 
exercise its discretion in enforcing the HIPAA Rules, as they apply to 
the provision of telehealth, for noncompliance that occurs after 11:59 
p.m. on August 9, 2023. Beginning on August 10, 2023, OCR will continue 
to exercise enforcement discretion consistent with the Telehealth 
Notification with respect to noncompliance that may occur during the 
90-calendar day transition period (i.e., noncompliance occurring from 
May 12, 2023, through August 9, 2023).

III. Collection of Information Requirements

    This announcement of the expiration of the Notifications of 
Enforcement Discretion creates no legal obligations and no legal 
rights. Because this notice imposes no information collection 
requirements, it need not be reviewed by the Office of Management and 
Budget under the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et 
seq.).

    Dated: April 7, 2023.
Melanie Fontes Rainer,
Director, Office for Civil Rights, U.S. Department of Health and Human 
Services.
[FR Doc. 2023-07824 Filed 4-11-23; 8:45 am]
BILLING CODE 4153-01-P
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.