On January 19, 2021, OCR announced that it will exercise its discretion in enforcing the HIPAA Privacy, Security and Breach Notification Rules by not imposing penalties for noncompliance with those requirements against covered entities who are health care providers or their business associates in connection with the use of online or web-based scheduling applications (“WBSA”) for scheduling individual COVID-19 vaccination appointments. This enforcement discretion is effective retroactive to December 11, 2020, and will remain in effect for the duration of the COVID-19 public health emergency.
Definition of WBSA
A WBSA is defined as a non-public facing online or web-based application that provides scheduling of individual appointments for large-scale COVID-19 vaccination services. “Non-public facing” means that data created, received, maintained or transmitted by the WBSA is only available to the covered health care provider, the individual or personal representative scheduling the appointment and WBSA workforce members as necessary to provide technical support. The enforcement discretion also applies to WBSA vendors who would meet the definition of a business associate, whether or not they are aware that a covered health care provider is using the WBSA for these purposes. However, the term WBSA does not include any scheduling application that connects directly to a covered entity’s electronic health record.
Safeguards
OCR still recommends that reasonable safeguards be used to protect the health information shared with WBSAs, including capturing only the minimum necessary PHI, using encryption, enabling all privacy settings, ensuring that storage of PHI is temporary and ensuring that the WBSA does not use or disclose PHI in a manner inconsistent with HIPAA. However, failure to implement such safeguards alone will not cause OCR to determine that a covered health care provider has violated the HIPAA Security Rule.
Scope
The scope of the enforcement discretion is limited to WBSAs used for the scheduling of COVID-19 vaccinations only. All other HIPAA-covered functions that are not subject to this or other notices of enforcement discretion remain subject to enforcement actions and penalties for non-compliance. Additionally, failure to act in good faith will exclude a covered health care provider from the scope of this enforcement discretion. For example, OCR will not consider an entity to be acting in good faith with respect to use of a WBSA for the scheduling of individual appointments for COVID-19 vaccination where:
- The WBSA’s terms of service state that the WBSA may sell personal information collected through the WBSA or prohibit use of the WBSA for scheduling health services;
- The WBSA is being used for purposes other than scheduling appointments for COVID-19 vaccination, such as eligibility determinations;
- Use of the WBSA lacks reasonable security safeguards to prevent PHI from being accessed or viewed by unauthorized persons; and
- The WBSA is being used to screen patients for COVID-19 in advance of in-person health care visits.
Practical Takeaways
In light of the notice of enforcement discretion, covered health care providers should consider the following:
- Review the terms of service for any WBSA prior to using it for scheduling of COVID-19 vaccinations to ensure such terms do not contractually prohibit the covered health care provider from using the WBSA for health care services or scheduling of such services and do not contain terms permitting the sale of personal information.
- Evaluate the security measures available in the WBSA to determine whether reasonable safeguards can be applied, and implement them. It is essential not only to protect the security of protected health information, but also to avoid disruptions to the vaccine enrollment process.
- Do not use the WBSA for any purpose other than scheduling for COVID-19 vaccination unless full HIPAA compliance has been assessed.
- Enter into a business associate agreement with the WBSA, if possible.
- Confirm that abiding by this notice of enforcement discretion does not violate any other contractual or legal requirements, such as state law requirements for health information security.
If you have any questions or would like additional information about this topic, please contact:
- Mark Swearingen at (317) 977-1458 or mswearingen@hallrender.com;
- Charise Frazier at (317) 977-1406 or cfrazier@hallrender.com;
- Stephane Fabus at (414) 721-0904 or sfabus@hallrender.com;
- Patricia Connelly at (317) 429-3654 or pconnelly@hallrender.com; or
- Your primary Hall Render contact.
Hall Render blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot—outside of an attorney-client relationship—answer specific questions that would be legal advice.