On January 19, 2021, the Office for Civil Rights ("OCR") at the U.S. Department of Health and Human Services ("HHS") announced that it will exercise its enforcement discretion and will not impose penalties for violations of the HIPAA Rules in connection with the good faith use of online or web-based scheduling applications (collectively, "WBSAs") when used for scheduling individual appointments for COVID-19 vaccinations during the COVID-19 nationwide public health emergency. The enforcement discretion takes effect immediately but has retroactive effect to December 11, 2020. The Notification of Enforcement Discretion for Use of Online or Web-Based Scheduling Applications during the COVID-19 Nationwide Public Health Emergency may be found at https://www.hhs.gov/sites/default/files/hipaa-vaccine-ned.pdf.
During the COVID-19 national emergency, many covered health care providers, particularly large pharmacy chains and public health authorities, or business associates acting on the providers' behalf, are choosing to use a WBSA for the limited purpose of scheduling individual appointments for COVID-19 vaccinations. A WBSA is a non-public facing online or web-based application that provides scheduling of individual appointments for services in connection with large-scale COVID-19 vaccination. It is important to note that for purposes of this enforcement discretion, "non-public facing" means the WBSA allows only the intended parties (e.g., a covered health care provider, the individual or personal representative scheduling the appointment, and a WBSA workforce member) to access data created, received, maintained, or transmitted by the WBSA. A WBSA does not include appointment scheduling technology that connects directly to the electronic health records system used by the covered entity.
During the COVID-19 public health emergency, many health care providers need to quickly schedule large numbers of individuals for appointments for COVID-19 vaccinations and may use WBSAs to schedule such appointments. Some of these applications may not fully comply with the requirements of the HIPAA Rules. Additionally, the vendors of such applications may not be aware that HIPAA-covered health care providers are using the scheduling software. OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with regulatory requirements under the HIPAA Rules against covered health care providers and their business associates, including WBSA vendors, in connection with the good faith use of a WBSA for scheduling appointments for individuals for COVID-19 vaccination during the COVID-19 nationwide public health emergency.
The OCR's Notification also applies to all vendors of WBSAs whose technology is being used regardless of whether the WBSA vendor has actual or constructive knowledge that it meets the definition of a business associate under the HIPAA Rules. However, OCR encourages covered health care providers and their business associates using WBSAs to implement reasonable safeguards to protect the privacy and security of individuals' PHI. Such safeguards include using and disclosing only the minimum PHI necessary such as the individual's name and phone number, using encryption technology to protect PHI, enabling all available privacy settings to hide names or show only individuals' initials instead of full names, and ensuring that storage of any PHI by the vendor is only temporary.
OCR's enforcement discretion does not apply to activities of a covered entity or its business associates other than the scheduling of COVID-19 vaccinations. Activities such as the handling of PHI unrelated to the scheduling of COVID-19 vaccinations are not included within the scope of the enforcement discretion. Additionally, the enforcement discretion does not apply when the covered entity or business associate fails to act in good faith. Examples of failing to act in good faith include the WBSA selling personal information, conducting services other than scheduling appointments for COVID-19 vaccination, a lack of reasonable security safeguards to prevent the PHI from being readily accessed or viewed by unauthorized persons or using the WBSA to screen individuals for COVID-19 prior to individuals' in-person health care visits.
Notwithstanding the restrictions, OCR's exercise of enforcement discretion with the use of WBSAs for the scheduling of individual appointments for COVID-19 vaccinations should greatly assist the scheduling and administration of vaccines.
Jim Hoover is a partner at Burr & Forman LLP and works exclusively within the firm's Health Care Practice Group and predominantly handles healthcare litigation matters.