On January 19, 2021, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Enforcement Discretion (Notice) announcing that it will not impose penalties for noncompliance with HIPAA against covered health care providers and their business associates in connection with the good faith use of online or web-based scheduling applications (WBSAs) for the limited purpose of scheduling of individual appointments for COVID-19 vaccinations. The enforcement discretion also applies to all WBSA vendors providing the technology used by these entities in these efforts, regardless of whether the vendor has actual or constructive knowledge that it meets the definition of a business associate under HIPAA.
The Notice covers those WBSAs that are “non-public facing,” meaning that the WBSA, by default, only allows the intended parties (e.g., a covered health care provider, the individual or personal representative scheduling the appointment, and a WBSA workforce member, if needed to provide technical support) to access data created, received, maintained, or transmitted by the WBSA.
OCR is encouraging covered health care providers and their business associates using WBSAs to implement the following reasonable recommended safeguards to protect the privacy and security of individuals’ PHI:
-
Using and disclosing only the minimum PHI necessary. For example, an individual’s name and phone number may be the minimum necessary PHI for scheduling the appointment via the WBSA.
-
Using encryption technology to safeguard PHI.
-
Enabling all available privacy settings on the WBSA. For example, adjusting the WBSA calendar display settings, as needed, to hide names or show only an individuals’ initials instead of their full name on the calendar screen.
-
Ensuring that storage of any PHI by the WBSA vendor is temporary. For example, returning the PHI to the covered health care provider or destroying it as soon as practicable.
-
Ensuring the WBSA vendor does not use or disclose PHI in a manner that is inconsistent with HIPAA. For example, prohibiting the WBSA vendor from selling PHI collected from individuals using the WBSA to schedule a COVID-19 vaccination.
While OCR encourages health care providers and their business associates to implement these safeguards, failure to do so will not, in and of itself, cause OCR to determine that an entity failed to act in good faith. However, health care providers and their business associates should note that this Notice does not apply to the following circumstances:
-
Using a WBSA other than for scheduling COVID-19 vaccinations. For example, the use of a WBSA to determine an individual’s eligibility to receive a COVID-19 vaccination or to screen individuals for COVID-19 before an in-person health care visit is not included within the scope of the OCR’s exercise of enforcement discretion.
-
Using a WBSA that includes technology that connects directly to an EHR system.
-
Using a WBSA whose terms of service prohibit the use of the WBSA for scheduling health care services or state that the WBSA may sell personal information that it collects.
-
Using a WBSA that does not employ reasonable security safeguards to prevent the PHI from being readily accessed or viewed by unauthorized persons.
In addition, the Notice does not address or appear to impact HIPAA’s requirement for covered entities to distribute a notice of privacy practices and obtain a written acknowledgment of receipt of the same.
The Notice is effective immediately and retroactive to of December 11, 2020; it will remain in effect until the Secretary of HHS determines the public health emergency no longer exists or upon the expiration date of the public health emergency, whichever occurs first.