HIPAA Enforcement Discretion for Good Faith Use of Online or Web-based Scheduling Applications for COVID-19 Vaccination Appointments

The Office for Civil Rights (OCR) of the Department of Health and Human Services has announced it will be exercising enforcement discretion and will not impose penalties for HIPAA violations related to the good faith use of online or web-based scheduling applications (WBSAs) for arranging COVID-19 vaccination appointments.

The notification of enforcement discretion is retroactive to December 11, 2020 and will apply until the Secretary of the HHS declares the nationwide COVID-19 public health emergency is over.

WBSAs are defined as non-public facing online or web-based applications that allow covered healthcare providers to schedule large numbers of individual appointments as part of a COVID-19 vaccination program; however, WBSAs that link directly to electronic health record (EHR) systems are not covered by the Notification.

The reason for the notification of enforcement discretion is to facilitate the mass COVID-19 vaccination program, which is essential to bring the COVID-19 public health emergency to an end. “OCR is using all available means to support the efficient and safe administration of COVID-19 vaccines to as many people as possible,” said March Bell, Acting OCR Director.

The notification of enforcement discretion applies to all HIPAA-covered healthcare providers, business associates, and vendors of WBSAs, all of which will avoid financial penalties for HIPAA violations related to the good faith use of WBSAs for arranging COVID-19 vaccination appointments.

There are some caveats, however. WBSAs must have access controls to only allow authorized individuals to access data created, received, maintained, or transmitted by the WBSA. Those individuals may include healthcare providers or business associates involved in arranging or administering COVID-19 vaccines, individuals scheduling appointments, and WBSA workforce members that require access for providing technical support.

The WBSA may only be used for scheduling COVID-19 vaccinations, not any other healthcare appointments, otherwise HIPAA Rules would apply, and violations would be subject to penalties.

A WBSA vendor may be classed as a business associate under HIPAA but may not be aware that their solution is being used for scheduling COVID-19 vaccination appointments. The solution may also not be completely compliant with the HIPAA Rules, hence the issuing of the Notification.

The Notification only applies to good faith uses of a non-public facing WBSA. OCR warned that the Notification does not apply if a WBSA vendor has prohibited the use of the solution in connection with healthcare appointments, for arranging appointments for any healthcare visits other than COVID-19 vaccinations, using a solution that is public facing or does not have access controls, or using a WBSA for screening individuals for COVID-19 prior to in-person healthcare visits.

OCR will not be imposing financial penalties, but still encourages the implementation of reasonable safeguards to ensure patient privacy and the security of ePHI. Reasonable safeguards include the use of encryption for transmitted or stored data, limiting ePHI to the minimum necessary information, ensuring ePHI stored by the WBSA vendor is deleted within 30 days of an appointment, advising the WBSA about the HIPAA Rules concerning disclosures of ePHI, and ensuring all privacy settings on the solution enabled.