OCR to Have Enforcement Discretion Concerning the Use of Online or Web-based Scheduling Applications for COVID-19 Vaccination Appointments

The Department of Health and Human Services’ Office for Civil Rights has announced that it will exercise enforcement discretion and will not issue financial fines on HIPAA-covered entities or business associates in case of violations of the HIPAA Rules connected with the good faith use of online or web-based scheduling applications (WBSAs) for making individual sessions for COVID-19 vaccinations.

The notice of enforcement discretion covers the use of WBSAs for the limited role of booking individual visits for COVID-19 shots for the duration of the COVID-19 public health emergency. The notification is in force right away, is retroactive to December 11, 2020, and will continue to be in effect throughout the COVID-19 national public health emergency.

A WBSA is a non-public facing internet or web-based app that enables individual meetings to be booked in connection with large scale COVID-19 vaccination. The goal of a WBSA is to permit covered healthcare companies to quickly timetable huge numbers of appointments for COVID-19 vaccinations.

A WBSA, and the information created, obtained, kept, or transmitted by the WBSA, will just be accessible to the intended parties, such as the healthcare organization or pharmacy giving the vaccinations, an authorized person booking sessions, or a WBSA staff member that must have access to the solution and/or records for delivering technical assistance.

The notice of enforcement discretion will not apply to an appointment scheduling program that connects directly to electronic health record (EHR) systems.

A WBSA may not fulfill all specifications of the HIPAA Guidelines and would consequently not be allowed for use in association with electronic protected health information (ePHI) under standard situations. It is additionally probable that the vendor of a WBSA may not know that their application is being utilized by healthcare organizations in correlation with ePHI, which would hence categorize the vendor as a business associate under HIPAA.

Although the notice of enforcement discretion is in force, OCR is not going to charge penalties against HIPAA covered entities, their business associates, and WBSA vendors that satisfy the description of a business associate as per the HIPAA Policies for good faith uses of WBSAs for booking COVID-19 vaccination schedules.

Though penalties will not be issued, OCR encourages using acceptable safeguards to protect the privacy of individuals and the protection of ePHI. It means the ePHI gathered and inputted into the WBSA must be restricted to the minimum required information, encryption technology ought to be employed in case available, and all privacy configurations ought to be enabled. That includes modifying the calendar display to hide names or just display initials. If a vendor saves ePHI, the storage must only be short-term and ePHI must be destroyed no later than 30 days after the scheduled appointment. The WBSA vendor must be directed not to expose any ePHI in a manner that is not in line with the HIPAA Rules.

These sensible safety measures are advised by OCR, although not implementing the suggested reasonable safeguards won’t, in itself, mean a covered health care provider or its business associate failed to act in good faith in view of this Notification.

Bad faith uses that are not covered by the notification are listed below:

  • Use of a WBSA where the vendor does not allow its usage for managing healthcare services.
  • Utilizing the WBSA for arranging appointments apart from COVID-19 vaccinations.
  • Employing a solution that does not feature access controls to restrict access to ePHI to permitted people.
  • Screening persons for COVID-19 prior to personal healthcare appointments.
    Using public-facing WBSAs.

OCR is utilizing all available ways to make the administration of COVID-19 vaccines efficient and safe to all people as much as possible.