Share this article on:
The Department of Health and Human Services’ Office for Civil Rights has announced it will be exercising enforcement discretion and will not impose financial penalties on HIPAA-covered entities or their business associates for violations of the HIPAA Rules in connection with the good faith use of online or web-based scheduling applications (WBSAs) for scheduling individual appointments for COVID-19 vaccinations.
The notice of enforcement discretion applies to the use of WBSAs for the limited purpose of scheduling individual appointments for COVID-19 vaccinations during the COVID-19 public health emergency. The notification is effectively immediately, is retroactive to December 11, 2020, and will remain in effect for the duration of the COVID-19 nationwide public health emergency.
A WBSA is a non-public facing online or web-based application that allows individual appointments to be scheduled in connection with large scale COVID-19 vaccination. The purpose of a WBSA is to allow covered healthcare providers to rapidly schedule large numbers of appointments for COVID-19 vaccinations.
A WBSA, and the data created, received, maintained, or transmitted by the WBSA, should only be accessible to the intended parties, such as the healthcare provider or pharmacy providing the vaccinations, an authorized person scheduling appointments, or a WBSA workforce member that requires access to the solution and/or data for providing technical support.
The notice of enforcement discretion does not apply to an appointment scheduling application that connects directly to electronic health record (EHR) systems.
A WBSA may not meet all requirements of the HIPAA Rules and would therefore not be permitted for use in connection with electronic protected health information (ePHI) under normal circumstances. It is also possible that the vendor of a WBSA may not be aware that their solution is being used by healthcare providers in connection with ePHI, which would see the vendor classified as a business associate under HIPAA.
While the notice of enforcement discretion is in effect, OCR will not impose penalties against HIPAA covered entities, their business associates, and WBSA vendors that meet the definition of business associate under the HIPAA Rules for good faith uses of WBSAs for scheduling COVID-19 vaccination appointments.
While penalties will not be imposed, OCR encourages the use of reasonable safeguards to protect the privacy of individuals and the security of ePHI. That means the ePHI collected and entered into the WBSA should be limited to the minimum necessary information, encryption technology should be used if available, and all privacy settings should be enabled. That includes adjusting the calendar display to hide names or only show initials. If a vendor stores ePHI, the storage should only be temporary and ePHI should be destroyed no later than 30 days after the appointment. The WBSA vendor should be instructed not to disclose any ePHI in a manner inconsistent with the HIPAA Rules.
These reasonable safeguards are encouraged by OCR. “Failure to implement the recommended reasonable safeguards above will not, in itself, cause OCR to determine that a covered health care provider or its business associate failed to act in good faith for purposes of this Notification,” explained OCR in the notification.
Bad faith uses are not covered by the notification include:
- Use of a WBSA where the vendor prohibits its use for scheduling healthcare services.
- Using the WBSA for scheduling appointments other than COVID-19 vaccinations.
- Using a solution that does not have access controls to limit access to ePHI to authorized individuals.
- Screening individuals for COVID-19 prior to in-person healthcare visits.
- Use of public-facing WBSAs.
“OCR is using all available means to support the efficient and safe administration of COVID-19 vaccines to as many people as possible,” said March Bell, Acting OCR Director.