The National Health Emergency Ended 6 Months Ago: HIPAA Compliance Can No Longer Wait


The Biden administration officially ended the COVID-19 Public Health Emergency (PHE) over six months ago. But many healthcare enterprises still have not addressed the implications this has on HIPAA compliance.  

During the pandemic, the Office of Civil Rights (OCR) announced a range of exceptions and waivers to help healthcare organizations adapt their services and share data on the virus. With the PHE long-since over, covered entities are now under pressure to update their processes to realign practices with HIPAA regulations, otherwise, they could face serious penalties.  

Read on for an in-depth look at which processes must be updated and how your organization can ensure compliance in the post-PHE environment. 

Which Processes Must Change Post-PHE? 

The Handling of Protected Health Information (PHI) 

In April 2020, OCR declared that it would relax its enforcement of HIPAA regulations related to the use of Protected Health Information (PHI). This allowed covered entities and business associates to share patient data with federal public authorities and health oversight agencies in good faith without attaining patient authorization.  

However, this waiver has been lifted, and all handling of patient data must once again adhere to the strict privacy rules of HIPAA.  

For example: when the Center for Disease Control and Prevention requests data to monitor the changing risk of COVID-19 and its variants, covered entities will have to seek and document clear patient authorization. 

Leveraging Telehealth Technology 

Multiple organizations announced waivers related to telehealth during the PHE. The OCR allowed organizations to use technology that did not meet HIPAA requirements, while all states and Washington, D.C., waived certain aspects of state licensing so that doctors could administer telehealth across state lines. 

Both waivers have now been removed. Given that 80% of US adults now use telehealth, covered entities will have to ensure their telehealth technology meets HIPAA requirements to continue safely offering remote care. 

Online COVID Vaccine Booster Appointments 

The OCR exercised discretion to allow online scheduling for COVID vaccines, in a bid to accelerate the process. However, if covered entities wish to allow patients to book future COVID vaccine boosters online, they will have to ensure the booking system meets HIPAA requirements by: 

  • Requiring users to share the minimum necessary personal information 
  • Using encryption technology to protect PHI 
  • Enabling privacy settings for users 
  • Ensuring that PHI is only stored temporarily 
  • And ensuring that the web-based scheduling application vendor is compliant with HIPAA  

Ultimately, many covered entities rapidly adopted processes during the Public Health Emergency, some of which may now violate HIPAA – and a careful audit of their operations is required to ensure HIPAA compliance. 

3 Key Steps to Ensure Post-PHE HIPAA Compliance

1. Procure Compliant Technology

From online scheduling platforms to telehealth technology, covered entities may require new technology to ensure HIPAA compliance. The first step is therefore to audit existing systems to check if they need to be replaced. 

All telehealth technology must:  

  • Feature strong access controls 
  • Securely store and protect all ePHI through encryption 
  • Be sourced from a provider that undertakes regular HIPAA Security Risk Assessments (SRA)

2. Document Process Changes

Every process change should be carefully documented to ensure compliance and prepare for any future audit. This will likely include changes to PHI disclosure by business associates; processes for patient authorization around the sharing of COVID-related PHI; and new digital safeguards related to COVID testing and online vaccine scheduling. 

This should follow HIPAA best practices.: Ccovered entities must know the 18 HIPAA identifiers and ensure every record containing any of them remains confidential and is accessible to the relevant individual. 

3. Update Your HIPAA Security Risk Assessment

After several years, the end of the PHE will be most acutely felt while completing annual HIPAA security risk assessments (SRAs). A successful SRA should document technical, physical, and administrative controls; any gaps that can make their data more vulnerable to disclosure; and provide plans for remediation. 

If a covered entity has not performed an SRA since the pandemic, a fair amount of work will be required to “catch up” with non-compliant processes, in addition to changes to PHI controls that naturally occur over time. Our team of assessors can help you resolve these issues and clarify your post-pandemic HIPAA security posture. 

That is why a growing number of organizations are turning to Intraprise Health and HIPAA One®: the simple, automated and affordable solution that helps you understand and identify risk, evaluate compliance and successfully complete your SRA faster with less confusion. 

Adapt Your SRA to Post-Pandemic Compliance Using HIPAA One® 

Covered entities that are unsure how the end of the PHE impacts their SRA need HIPAA One® to demystify the process and avoid noncompliance. With a single, affordable solution you gain everything you need to ensure a seamless transition back to normal HIPAA compliance and make the entire SRA process easy.