OCR Announces it Will Not Impose HIPAA Penalties for Use of COVID-19 Vaccine Scheduling Apps

Robinson+Cole Health Law Diagnosis

The Office of Civil Rights (OCR) issued a notice this week stating that it will not impose penalties for HIPAA non-compliance in connection with a covered entity health care provider’s or business associate’s good faith use of online or web-based scheduling applications (WBSAs) for the scheduling of appointments for COVID-19 vaccinations during the public health emergency.  The notice is retroactively effective to December 11, 2020. OCR highlights to covered health care providers and business associates that its temporary lifting of HIPAA penalties applies only to scheduling of COVID-19 vaccinations and to no other activities.

A WBSA is a non-public facing online or web-based application that provides scheduling of individual appointments for services in connection with large-scale COVID-19 vaccination. “Non-public facing” means that a WBSA, as a default, allows only the intended parties (e.g., a health care provider and the individual scheduling the appointment, and a WBSA workforce member for technical support) to access the WBSA data. Importantly, a WBSA does not include appointment scheduling technology that connects directly to a covered entity’s electronic health record (EHR). In other words, OCR may still impose penalties for HIPAA non-compliance related to use of a COVID-19 scheduling application that connects directly to the EHR.

OCR does recommend that covered entities and their business associates implement reasonable safeguards when using WBSAs, including:

  • Complying with HIPAA’s minimum necessary rule when scheduling COVID-19 vaccine appointments;
  • Using encryption to protect PHI;
  • Enabling all available privacy settings, such as adjusting the WSBA’s calendar display settings to show initials instead of full names;
  • Ensuring storage of PHI by the WSBA vendor is temporary; and
  • Ensure the WSBA complies with HIPAA with respect to use and disclosure of electronic PHI.

OCR notes that failure to implement the above safeguards does not necessarily mean that an entity failed to act in good faith.

[View source.]

Written by:

Robinson+Cole Health Law Diagnosis

Robinson+Cole Health Law Diagnosis on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.