On January 19, 2021, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced via a Notification of Enforcement Discretion that it will not impose penalties against covered health care providers and their business associates for noncompliance with HIPAA in connection with the good faith use of online or web-based scheduling applications (WBSAs) to schedule individual appointments for COVID-19 vaccinations during the COVID-19 public health emergency. The enforcement discretion further applies to WBSA vendors whose technology is used by these entities to schedule COVID-19 vaccination appointments, regardless of whether the WBSA vendor knows that it meets the definition of a business associate under HIPAA. The Notification of Enforcement Discretion comes in recognition of providers’ need to quickly schedule large numbers of individuals for COVID-19 vaccination appointments.
The OCR’s enforcement discretion is limited in scope to the good faith use of a WBSA for scheduling individuals’ COVID-19 vaccination appointments during the public health emergency. Still, the OCR encourages covered health care providers and their business associates using WBSAs to implement reasonable safeguards to protect the privacy and security of individuals’ PHI. The OCR specifically recommends the following reasonable safeguards:
- Using and disclosing only the minimum PHI necessary for the purpose (for example, an individual’s name and phone number may be the minimum necessary PHI for scheduling the appointment);
- Using encryption technology to protect PHI;
- Enabling all available privacy settings (for example, adjusting WBSA calendar display settings, as needed, to hide names or show only individuals’ initials instead of full names on calendar screens);
- Ensuring that storage of any PHI (including metadata that constitutes PHI) by the vendor is only temporary (for example, the PHI is returned to the covered health care provider or destroyed as soon as practicable, but no later than 30 days after the appointment); and
- Ensuring the WBSA vendor does not use or disclose ePHI in a manner that is inconsistent with HIPAA (for example, does not engage in the sale of ePHI collected from individuals using the WBSA to schedule a COVID-19 vaccination).
Although the OCR specifically encourages covered health care providers and their business associates to implement the above safeguards, their failure to implement such safeguards will not, in itself, cause the OCR to determine that the covered health care provider or business associate failed to act in good faith for the purposes of the Notification of Enforcement Discretion. The OCR does, however, specifically list the following circumstances in which a covered health care provider or business associate would not be considered to be acting in good faith with respect to the use of a WBSA for COVID-19 vaccination appointment scheduling:
- Use of a WBSA whose terms of service prohibit the use of the WBSA for scheduling health care services or state that the WBSA may sell personal information that it collects;
- Use of a WBSA to conduct services other than scheduling appointments for COVID-19 vaccination (for example, to determine individuals’ eligibility for COVID-19 vaccination);
- Use of a WBSA without reasonable security safeguards (for example, access controls) to prevent the PHI from being readily accessed or viewed by unauthorized persons; and
- Use of a WBSA to screen individuals for COVID-19 prior to individuals’ in-person health care visits.
The Notification of Enforcement Discretion became effective immediately, has retroactive effect to December 11, 2020, and will remain in effect until the earlier of the Secretary of HHS’s determination that the public health emergency no longer exists or the expiration of the public health emergency.
The Notification of Enforcement Discretion defines a WBSA as a non-public facing online or web-based application that provides scheduling of individual appointments for services in connection with large-scale COVID-19 vaccinations. “Non-public facing” means that the WBSA, by default, allows only the intended parties (for example, a covered health care provider, the individual or personal representative scheduling the appointment, and a WBSA workforce member, if needed to provide technical support) to access data created, received, maintained, or transmitted by the WBSA. A WBSA does not include appointment scheduling technology that connects directly to the electronic health records systems used by covered health care providers.