
How to Maintain HIPAA Compliance in a Post-Pandemic World

Healthcare Assessments

We all likely remember how COVID-19 overwhelmed healthcare systems and workers across the globe. It was a crazy time of momentous struggle as the world tried to adjust to dealing with a new deadly virus—and we’re still not completely out of it. 

That would’ve been enough to deal with, but this latest global pandemic also led to a heightened burden in trying to balance delivering quality healthcare to so many patients while also protecting their electronic protected health information (ePHI). To address that strain on the healthcare system, the Department of Health and Human Services (HHS) modified the enforcement of HIPAA compliance.

In March and April of 2020, HHS announced temporary flexibilities through Notices of Enforcement Discretion (NEDs) with the aim of helping organizations handle the challenges of testing and treating COVID-19 patients. Though we all continue to move toward a post-pandemic world, these NEDs remain in effect, but they soon won’t be.

As experienced HIPAA auditors well used to evaluating how organizations comply with this regulation, we’re going to break down each NED, their flexibilities, and what you need to do to readjust your HIPAA compliance for a post-pandemic world.

What are the 4 Notices of (HIPAA) Enforcement Discretion of 2020?

Though these four NEDs provided important flexibilities for HIPAA-regulated organizations during the COVID-19 pandemic, the HHS declared an end to the public health emergency (PHE), effective May 11, 2023.

As such, healthcare organizations subject to these notices need to be prepared to revert to pre-pandemic levels of adherence to HIPAA guidelines without the flexibilities of these NEDs, which addressed several specific areas of providing healthcare services.

NED for Business Associates

Allowed For:

Further data sharing beyond what was covered in Business Associate Agreements (BAAs).

Why Was It Necessary?

During the pandemic, health oversight agencies and public health authorities sometimes asked Business Associates to provide or use PHI (e.g., for data analysis) to support the COVID-19 response.

These uses and disclosures may not have been described in their preexisting business associate agreements, but if a Business Associate did so in a way that was covered by this NED, the Office of Civil Rights (OCR) would not take enforcement action against the Business Associate or the Covered Entity that provided the PHI.

What Happens Now:

If you’re a Business Associate that has been disclosing or using PHI pursuant to this NED, you may need to work with your Covered Entity partners to amend your existing Business Associate Agreements (BAAs) to permit the future use or disclosure of PHI by the Business Associate to or for a public health or health oversight agency for COVID-19 related purposes.

NED for COVID-19 Community-Based Testing Sites (CBTS)

Allowed For:

Violations of the HIPAA Rules in connection with the “good faith” operation of a COVID-19 CBTS, which included “mobile, drive-through, or walk-up sites that only provide COVID–19 specimen collection or testing services to the public.”

Why Was It Necessary?

This NED made it easier to set up these sites, which was important for increasing access to COVID-19 testing (though their unique setup made it more challenging to maintain patient privacy and protect PHI).

What Happens Now:

Because the once-widespread use of CBTSs for COVID-19 testing has ended, the burden associated with preparing for the end of the NED for CBTSs should be reduced.

NED for Scheduling COVID-19 Vaccination Events

Allowed For:

The use of non-public-facing, web-based scheduling applications to make COVID-19 vaccination appointments, provided the covered healthcare provider or Business Associate using the application acted in good faith.

Why Was It Necessary?

As the COVID-19 vaccine became more widely available, local health departments and other HIPAA-covered healthcare providers needed to be able to hold large-scale vaccination events efficiently, which meant using scheduling applications that may not have met the security standards for protecting PHI under HIPAA.

This NED temporarily excused covered entities and their business associates from some of those requirements for the limited purpose of supporting the scheduling of COVID-19 vaccination appointments.

What Happens Now:

As the demand for the vaccine has slowed down, organizations should be able to integrate scheduling COVID-19 immunization appointments into their normal workflows. 

As such, HIPAA-covered providers must ensure that technologies used to collect or maintain ePHI satisfy the security standards that were previously relaxed. Further, vendors of electronic systems for collecting or maintaining ePHI for appointments or other purposes must enter into a BAA with HIPAA-covered healthcare providers and must comply with parts of the HIPAA regulations.

NED for Telehealth

Allowed For:

Use of common video conferencing or other communication platforms to deliver telehealth services without assessing and addressing vulnerabilities or requiring platform vendors to agree to certain security standards as required under HIPAA.

Why Was It Necessary?

During the COVID-19 pandemic, social distancing, isolation, quarantine, and stay-at-home orders impacted the availability of in-person, non-emergency healthcare appointments, making telehealth a common—if not the only—way for healthcare providers to serve their patients.

What Happens Now:

From May 12, 2023, to 11:59 p.m. on August 9, 2023, covered healthcare providers have a 90-calendar day period to transition back into full compliance with the HIPAA Rules with respect to the provision of telehealth. Noncompliance that occurs in connection with the good faith provision of telehealth during the 90-calendar-day transition period will not be punished by the OCR.

On August 10, 2023, all providers will be expected to have returned to pre-COVID privacy and security policies related to telehealth use—any practice using popular video chat applications or any other non-compliant platform will be at risk for potential HIPAA violations.

How to Get Telehealth Services Back into HIPAA Compliance

Of the four, the end of the NED for telehealth may be the most challenging to navigate, as—unlike the others that were narrowly focused on services that relate directly to COVID-19—this one created flexibility to support the delivery of all healthcare services.

That’s why providers should start thinking now about how they will transition the telehealth components of their practices away from technology that will no longer be allowed, and do so before the transition period ends.

To help with that, here are four key HIPAA compliance steps to consider:

1. Conduct a Security Risk Analysis of the Telehealth Platform.

The HIPAA Security Rule requires a risk analysis of systems that touch ePHI, which includes a telehealth delivery system. Perform a risk analysis to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of your collected ePHI to understand the areas where you will need to strengthen your telehealth platform’s compliance.

In getting started, the ONC/OCR SRA Tool may be able to help you. 

2. Update Policies and Procedures.

As you work back to compliance, it’s important to have a policy stating that only approved telehealth delivery systems are used for virtual visits. Further policies may also be necessary to address:

  • The required use of certain optional settings (e.g., enabling a waiting room setting)
  • The prohibition of the use of other settings (e.g., recording visits)
  • Secure access to the system (e.g., strong passwords or the use of multi-factor authentication) 

In addition to these policies, which address technical issues, we also recommend documenting guidelines addressing how and where you deliver a telehealth visit to ensure maximum privacy.

3. Obtain a BAA with Your Telehealth Platform Vendor.

Under HIPAA, a healthcare provider must have an agreement with all business associates that makes the vendor responsible for compliance with standards under HIPAA. Even under the NED, HHS encouraged providers to obtain BAAs with telehealth platform vendors regardless of the enforcement discretion at the time.

Now that a BAA becomes fully necessary once again, be aware that some mainstream platform providers take the view that they serve merely as a conduit for the transfer of information. But telehealth platform vendors do qualify as business associates, so they will need to sign an agreement.

4. Conduct HIPAA Training for the Telehealth Platform.

And finally, as with all things related to HIPAA, training is key. As the healthcare space and HIPAA compliance expectations return to a relative normal, you’ll need to ensure your staff understands:

  • The various technical aspects of the telehealth platform selected;
  • How to use it in a manner that protects patient privacy; and
  • The policies and procedures surrounding its use. 

Moving Forward with HIPAA Compliance

When the COVID-19 pandemic swept across the globe, enforcers of HIPAA recognized that, in such a state of emergency, certain flexibilities in security regulations became necessary to serve the public suffering from the virus. Now that the public emergency is ending, you’ll need to ensure your HIPAA compliance is back to normal standards.

Though you now have a starting point for shoring up the areas relaxed by the published NEDs, you should take care to avoid other recent HIPAA issues as well, and our other content can help.

You may also be interested in engaging a third party to perform a HIPAA audit for a more complete assessment of your HIPAA compliance. To learn more about that process or our more focused HIPAA Express service, please contact us.

About Schellman

Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.