OCR will not impose penalties for violations of the HIPAA Rules on healthcare providers for use of web-based scheduling of COVID-19 vaccination appointments
The Office for Civil Rights (OCR) at the U.S Department of Health and Human Services (HHS) announced it will exercise its enforcement discretion and will not impose penalties for violations of the HIPAA Rules on covered healthcare providers or their business associates in connection with the good faith use of online or web-based scheduling applications (collectively, “WBSAs”) for the scheduling of individual appointments for COVID-19 vaccinations during the COVID-19 nationwide public health emergency.
This exercise of enforcement discretion is effective immediately but has retroactive effect to Dec. 11, 2020.
The Notification explains that the exercise of enforcement discretion applies to covered healthcare providers and their business associates, including WBSA vendors (as WBSA is defined in the Notification), when the WBSA is used in good faith and only for the limited purpose of scheduling individual appointments for COVID-19 vaccinations during the COVID-19 nationwide public health emergency. Although OCR is exercising enforcement discretion, the Notification encourages the use of reasonable safeguards to protect the privacy and security of individuals’ protected health information (PHI), such as using only the minimum necessary PHI, encryption technology, and enabling all available privacy settings.
“OCR is using all available means to support the efficient and safe administration of COVID-19 vaccines to as many people as possible,” said March Bell, Acting OCR Director.
The Notification of Enforcement Discretion for Use of Online or Web-Based Scheduling Applications during the COVID-19 Nationwide Public Health Emergency is at https://www.hhs.gov/sites/default/files/hipaa-vaccine-ned.pdf.
