On February 24, 2021, the Office for Civil Rights at the U.S. Department of Health and Human Services (“OCR”) announced that it will not impose penalties against covered entities or their business associates that use online and web-based scheduling applications (collectively “WBSAs”) that are not HIPAA compliant, when the WBSAs are used for scheduling individual appointments for COVID-19 vaccinations. The moratorium on penalties is only applicable during the nationwide public health emergency and only to covered entities and business associates that act in good faith when using WBSAs.
OCR announced that its decision was based on health care providers’ need to quickly schedule appointments for a large number of people, and its recognition that some WBSAs may not be HIPAA compliant. The moratorium on penalties also applies to vendors of WBSAs whose technology is used by covered entities and business associates to schedule vaccination appointments.
Despite the moratorium on penalties, OCR encouraged providers to implement reasonable safeguards to protect the security and privacy of protected health information (“PHI”) such as (1) using encryption technology, (2) ensuring that storage of any PHI by a vendor is temporary, (3) enabling all available privacy settings in a WBSA, and (4) using and disclosing only the minimum necessary PHI.