COVID-19 has made 2020 feel like both the shortest and longest year ever, and if rising cases are any indication it’s not likely to let up anytime soon. You may have already expected our ‘new normal’ of mask-wearing, keeping a 6-foot distance, and HIPAA waivers to be here for the long haul, and the recent Department of Health and Human Services (HHS) extension of the National Public Health Emergency solidifies that notion.

Just last week the HHS announced the renewal of the National Public Health Emergency and an extension of limited HIPAA waivers until October 23, 2020. This declaration means more than continued social distancing rules, and also extends the many other waivers and flexibilities issued by the HHS in the initial response to the pandemic. These waivers work to mitigate the risks to the health of the general public while assisting healthcare providers with the necessary accommodations to protect their practice and continue serving their patients. To give a recap on everything that’s been changed or updated in lieu of COVID-19:

• HIPAA policies already outlined for a Public Health Emergency were put into effect
• Enforcement discretions were made for the provision of telehealth services
• Protected Health Information (PHI) disclosure permissions were extended to both providers and their business associates  

In addition to the specific waivers granted in response to the pandemic, practices should be aware of additional guidance covering the expansion of cyber security attacks in response to increased remote operations, reminders on restrictions of sharing patient information to the media, and proactively safeguarding against the recent rise in patient complaints due to COVID-19. 

As part of the recent extension of HIPAA waivers, the HHS has specified a 90-day period until waivers are expected to be lifted. Practice’s now have a clear timeframe of when they need to implement HIPAA compliant solutions for tools like telehealth which may currently be done using a non-compliant software. To prevent a HIPAA violation as these waivers end in October, it’s important that your practice proactively prepares by:

• If you choose to continue use of telehealth services, implement a HIPAA compliant telehealth provider as soon as possible. This will ensure the greatest protection of your patients’ secure information now, even with waivers active, and easily transition your practice back to regular HIPAA enforcement when waivers are lifted. 
• Ensure that you are properly safeguarding your electronically managed health data, regardless of a pandemic, but especially as cyber threats continue to rise. Having more than just a HIPAA compliant Electronic Health Records (EHR) system and implementing the necessary technical security measures to protect against cyberattacks will be huge factors to maintaining the security of your patient’s information and preventing HIPAA violations.

While these HIPAA regulation flexibilities have been extended, they aren’t going to last forever. Keeping your practice one step ahead will make all the difference in your ability to avoid any HIPAA violations or fines as standard regulations take effect again. If HIPAA hasn’t been your number one priority over the past few months, you should start now and use this 90-day extension to ensure you have a complete compliance program in place, especially as 2020 continues to fly by.