The Office of Civil Rights (OCR) issued a notice yesterday stating that it will not impose penalties for HIPAA non-compliance in connection with a covered entity health care provider’s or business associate’s good faith use of online or web-based scheduling applications (WBSAs) for the scheduling of appointments for COVID-19 vaccinations during the public health emergency. The notice is retroactively effective to December 11, 2020. OCR highlights to covered health care providers and business associates that its temporary lifting of HIPAA penalties applies only to scheduling of COVID-19 vaccinations and to no other activities.

A WBSA is a non-public facing online or web-based application that provides scheduling of individual appointments for services in connection with large-scale COVID-19 vaccination. “Non-public facing” means that a WBSA, as a default, allows only the intended parties (e.g., a health care provider and the individual scheduling the appointment, and a WBSA workforce member for technical support) to access the WBSA data. Importantly, a WBSA does not include appointment scheduling technology that connects directly to a covered entity’s electronic health record (EHR). In other words, OCR may still impose penalties for HIPAA non-compliance related to use of a COVID-19 scheduling application that connects directly to the EHR.

OCR does recommend that covered entities and their business associates implement reasonable safeguards when using WBSAs, including:

  • Complying with HIPAA’s minimum necessary rule when scheduling COVID-19 vaccine appointments;
  • Using encryption to protect PHI;
  • Enabling all available privacy settings, such as adjusting the WBSA’s calendar display settings to show initials instead of full names;
  • Ensuring storage of PHI by the WBSA vendor is temporary; and
  • Ensuring the WBSA complies with HIPAA with respect to use and disclosure of electronic PHI.

OCR notes that failure to implement the above safeguards does not necessarily mean that an entity failed to act in good faith.

Nathaniel Arden

Nathaniel Arden is a member of Robinson+Cole’s Health Law Group. He advises hospitals, physician groups, community providers, and other health care entities on a wide variety of health law and business matters. He regularly assists clients with transactional and regulatory issues, including Medicare and Medicaid fraud and abuse, health information privacy and security, compliance, licensure, clinical trials and health care-related information technology issues.