On January 19, 2021, the U.S. Department of Health and Human Services ("HHS") Office for Civil Rights ("OCR") announced that it will exercise its enforcement discretion and will not impose penalties for noncompliance with HIPAA against covered health care providers or their business associates with respect to the "good faith use of online or web-based scheduling applications ["WBSAs"] for the scheduling of individual appointments for COVID-19 vaccinations during the COVID-19 nationwide public health emergency" ("Notice of Enforcement Discretion").  In making this announcement, OCR recognized that health care providers may use WBSAs to quickly schedule large numbers of COVID-19 vaccination appointments in a manner that may not fully comply with HIPAA requirements and that WBSA vendors may satisfy the HIPAA definition of a business associate.  OCR's exercise of enforcement discretion is effective immediately, but has retroactive effect to December 11, 2020, and will remain in effect for the remainder of the COVID-19 public health emergency.

The application of OCR's enforcement discretion is narrow and is limited to a health care provider or business associate's "good faith" use of a WBSA for purposes of scheduling COVID-19 vaccination appointments.  In other words, unless otherwise stated by OCR, HIPAA penalties still apply to all other HIPAA-covered operations of the health care provider or business associate.  In its Notice of Enforcement Discretion, OCR defines a WBSA as "a non-public facing online or web-based application that provides scheduling of individual appointments for services in connection with large-scale COVID-19 vaccination" and clarifies that a WBSA "does not include appointment scheduling technology that connects directly to electronic health records (EHR) systems used by covered entities."  The Notice of Enforcement Discretion further clarifies that "OCR will exercise enforcement discretion with regard to WBSA vendors regardless of whether the WBSA vendor has actual or constructive knowledge that it meets the definition of a business associate under the HIPAA Rules . . . ."

In addition, OCR will exercise its enforcement discretion only if a health care provider or business associate is acting in "good faith."  OCR provided the following examples to illustrate circumstances under which it would not consider a health care provider or business associate to be acting in good faith: "where the covered health care provider or business associate uses a WBSA: [1] Whose terms of service prohibit the use of the WBSA for scheduling health care services or state that the WBSA may sell personal information that it collects; [2] To conduct services other than scheduling appointments for COVID-19 vaccination (e.g., to determine individuals' eligibility for COVID-19 vaccination); [3] Without reasonable security safeguards (e.g., access controls) to prevent the PHI from being readily accessed or viewed by unauthorized persons; [4] To screen individuals for COVID-19 prior to individuals' in-person health care visits."

Despite this Notice of Enforcement Discretion, covered health care providers and their business associates using WBSAs for the scheduling of COVID-19 vaccinations should still implement reasonable safeguards to protect the privacy and security of individuals' protected health information ("PHI").  If you have any questions regarding the Notice of Enforcement Discretion or the implementation of reasonable safeguards when using WBSAs for the scheduling of COVID-19 vaccination appointments, please do not hesitate to contact any member of the Health Law Practice Group at Shipman.

The full text of the Notice of Enforcement Discretion may be found here.

Originally published January 21, 2021
