January 22, 2021

OCR Announces it Will Not Impose HIPAA Penalties for Use of COVID-19 Vaccine Scheduling Apps

+ Follow Contact

Send

Embed

The Office of Civil Rights (OCR) issued a notice this week stating that it will not impose penalties for HIPAA non-compliance in connection with a covered entity health care provider’s or business associate’s good faith use of online or web-based scheduling applications (WBSAs) for the scheduling of appointments for COVID-19 vaccinations during the public health emergency. The notice is retroactively effective to December 11, 2020. OCR highlights to covered health care providers and business associates that its temporary lifting of HIPAA penalties applies only to scheduling of COVID-19 vaccinations and to no other activities.

A WBSA is a non-public facing online or web-based application that provides scheduling of individual appointments for services in connection with large-scale COVID-19 vaccination. “Non-public facing” means that a WBSA, as a default, allows only the intended parties (e.g., a health care provider and the individual scheduling the appointment, and a WBSA workforce member for technical support) to access the WBSA data. Importantly, a WBSA does not include appointment scheduling technology that connects directly to a covered entity’s electronic health record (EHR). In other words, OCR may still impose penalties for HIPAA non-compliance related to use of a COVID-19 scheduling application that connects directly to the EHR.

OCR does recommend that covered entities and their business associates implement reasonable safeguards when using WBSAs, including:

Complying with HIPAA’s minimum necessary rule when scheduling COVID-19 vaccine appointments;
Using encryption to protect PHI;
Enabling all available privacy settings, such as adjusting the WSBA’s calendar display settings to show initials instead of full names;
Ensuring storage of PHI by the WSBA vendor is temporary; and
Ensure the WSBA complies with HIPAA with respect to use and disclosure of electronic PHI.

OCR notes that failure to implement the above safeguards does not necessarily mean that an entity failed to act in good faith.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

Written by:

Robinson+Cole Health Law Diagnosis

Contact + Follow

Nathaniel Arden

+ Follow

less

Published In:

Data Breach

+ Follow

Enforcement Guidance

+ Follow

Health Care Providers

+ Follow

Health Insurance Portability and Accountability Act (HIPAA)

+ Follow

HIPAA Breach

+ Follow

Information Technology

+ Follow

Mobile Apps

+ Follow

OCR

+ Follow

Personally Identifiable Information

+ Follow

PHI

+ Follow

Communications & Media

+ Follow

Health

+ Follow

Privacy

+ Follow

Science, Computers & Technology

+ Follow

less

Robinson+Cole Health Law Diagnosis on:

OCR Announces it Will Not Impose HIPAA Penalties for Use of COVID-19 Vaccine Scheduling Apps

Latest Posts

Written by:

Published In:

Robinson+Cole Health Law Diagnosis on:

"My best business intelligence, in one easy email…"