Is HIPAA still in effect?

HIPAA is still in effect, and HIPAA Covered Entities and Business Associates remain legally required to comply with the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule, with enforcement administered by the U.S. Department of Health and Human Services Office for Civil Rights.

HIPAA is a federal statute enacted in 1996 and implemented through regulations that set national standards for the use, disclosure, safeguarding, and breach reporting of protected health information. The HIPAA Privacy Rule regulates when protected health information may be used or disclosed and requires administrative policies that support permitted uses, individual rights, and workforce controls. The HIPAA Security Rule applies to electronic protected health information and requires administrative, physical, and technical safeguards to preserve confidentiality, integrity, and availability. The HIPAA Breach Notification Rule establishes notification obligations following certain impermissible uses or disclosures and certain security incidents involving unsecured protected health information.

HIPAA did not expire during the COVID-19 public health emergency. During that period, the Office for Civil Rights issued limited enforcement discretion for defined circumstances, including telehealth provided in good faith using specific remote communication technologies. Those enforcement discretion notifications ended with the expiration of the public health emergency on May 11, 2023, with a time-limited transition period that ended on August 9, 2023. After those dates, regulated entities returned to standard compliance expectations for telehealth and related communications under the HIPAA Rules.

Current federal rulemaking activity does not suspend existing obligations. When the U.S. Department of Health and Human Services proposes revisions to the HIPAA Security Rule, the existing HIPAA Security Rule remains enforceable until any final rule becomes effective and applicable. Organizations should treat HIPAA as continuously applicable and operationalize compliance through documented policies and procedures, workforce training, access controls, risk analysis and risk management processes, incident response, and vendor governance through business associate agreements where required.

John Blacksmith

John Blacksmith is a seasoned journalist with deep experience in both print and digital media. He has concentrated on information technology in the healthcare field, especially in the areas of data security and privacy. His work has provided him with in-depth knowledge of HIPAA regulations. John has a journalism degree.