Notice of Expiration of Certain Notifications of Enforcement Discretion Issued in Response to the COVID-19 Nationwide Public Health Emergency

This document is to inform the public that four Notifications of Enforcement Discretion ("Notifications") issued by the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) regarding how the Privacy, Security, and Breach Notification Rules ("HIPAA Rules") promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act will be applied to certain violations during the COVID-19 nationwide public health emergency ("COVID-19 PHE"), will expire upon expiration of the COVID-19 PHE, which is currently scheduled for 11:59 p.m. on May 11, 2023. Accordingly, upon expiration of the COVID-19 PHE, the Notifications will not provide a basis for OCR to exercise enforcement discretion with respect to imposing penalties for violations of the HIPAA Rules. OCR will continue to exercise enforcement discretion consistent with the Notifications for violations of the HIPAA Rules that occurred during the period that each Notification was in effect. In addition, OCR is affording covered health care providers a 90- calendar day transition period to come into compliance with the HIPAA Rules with respect to their provision of telehealth using non-public facing remote communication technologies.