The Office of Civil Rights (OCR) issued a notice yesterday stating that it will not impose penalties for HIPAA non-compliance in connection with a covered entity health care provider’s or business associate’s good faith use of online or web-based scheduling applications (WBSAs) for the scheduling of appointments for COVID-19 vaccinations during the public health emergency. The notice is retroactively effective to December 11, 2020. OCR highlights to covered health care providers and business associates that its temporary lifting of HIPAA penalties applies only to scheduling of COVID-19 vaccinations and to no other activities.
A WBSA is a non-public facing online or web-based application that provides scheduling of individual appointments for services in connection with large-scale COVID-19 vaccination. “Non-public facing” means that a WBSA, as a default, allows only the intended parties (e.g., a health care provider and the individual scheduling the appointment, and a WBSA workforce member for technical support) to access the WBSA data. Importantly, a WBSA does not include appointment scheduling technology that connects directly to a covered entity’s electronic health record (EHR). In other words, OCR may still impose penalties for HIPAA non-compliance related to use of a COVID-19 scheduling application that connects directly to the EHR.
OCR does recommend that covered entities and their business associates implement reasonable safeguards when using WBSAs, including:
- Complying with HIPAA’s minimum necessary rule when scheduling COVID-19 vaccine appointments;
- Using encryption to protect PHI;
- Enabling all available privacy settings, such as adjusting the WSBA’s calendar display settings to show initials instead of full names;
- Ensuring storage of PHI by the WSBA vendor is temporary; and
- Ensure the WSBA complies with HIPAA with respect to use and disclosure of electronic PHI.
OCR notes that failure to implement the above safeguards does not necessarily mean that an entity failed to act in good faith.