On January 19, 2021, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) announced its new Notification of Enforcement Discretion. Under the Notification, OCR will not impose penalties for HIPAA rule violations related to the good faith use of web-based scheduling applications (“WBSAs”) for scheduling COVID-19 vaccinations. “A WBSA is a non-public facing online or web-based application that provides scheduling of individual appointments for services in connection with large-scale COVID-19 vaccination … [and] does not include appointment scheduling technology that connects directly to electronic health records (EHR) systems used by covered entities.”
The Notification arises from OCR’s recognition that healthcare providers may need to quickly schedule individuals for COVID-19 vaccinations and providers may use WBSAs to perform this task. However, some WBSAs, or the manner that covered entities and business associates use them, may violate HIPAA rules. According to OCR, “the vendors of such applications may not be aware that HIPAA covered health care providers are using their products to create, receive, maintain, or transmit electronic protected health information (ePHI), and that a WBSA vendor may, as a result, meet the definition of business associate under the HIPAA Rules.” Accordingly, OCR will not impose penalties for non-compliance with HIPAA rules against covered entities and business associates, in connection with the good faith use of WBSAs for scheduling appointments for COVID-19 vaccination during the COVID-19 nationwide public health emergency. The enforcement discretion also applies to WBSA vendors meeting the definition of business associate, whether the vendor has actual or constructive knowledge of its status as a business associate.
What Is Not Covered
The Notification does not apply to activities other than scheduling COVID-19 vaccinations, including the handling of PHI unrelated to the scheduling of COVID-19 vaccinations. The Notification does not apply to a covered entity or business associate (including WBSA vendors) that do not act in good faith. Below is a non-exhaustive list of actions OCR will not consider good faith:
- Use of a WBSA whose terms of service prohibit using the WBSA for scheduling healthcare services or provide that the WBSA may sell personal information it collects.
- Use of a WBSA to conduct services other than scheduling appointments for COVID-19 vaccination (e.g. to determine eligibility for COVID-19 vaccination);
- Use of a WBSA to screen individuals for COVID-19 before in-person health care visits; and
- Use of a WBSA without reasonable security safeguards (e.g. access controls) to prevent PHI from being readily accessed or viewed by unauthorized persons.
Recommended Reasonable Safeguards
The Notification provides entities and business associates using WBSAs recommendations and encouragement to implement reasonable safeguards to protect PHI. These recommendations include disclosing the minimum PHI necessary for scheduling an appointment (e.g. name and phone number). Also, using encryption technology and enabling all available privacy settings to protect PHI. Other recommendations require examination of the WBSA’s capabilities and vendor terms. OCR recommends that covered entities and business associates (1) ensure that the WBSA stores PHI and metadata temporarily (e.g. PHI is returned or destroyed as soon as practicable, but no later than 30 days after the appointment); and (2) ensure the WBSA vendor does not use or disclose ePHI inconsistent with HIPAA rules (e.g. selling ePHI collected).
OCR also encouraged the use of WBSA vendors willing to enter business associate agreements and who represent that their WBSAs support compliance with HIPAA. Importantly, “failure to implement the recommended reasonable safeguards above will not, in itself, cause OCR to determine that a covered health care provider or its business associate failed to act in good faith for purposes of this Notification.”
This enforcement discretion is effective immediately and has a retroactive effect to December 11, 2020. It expires when the public health emergency declaration expires or is rescinded. The Notification of Enforcement Discretion can be read here.
The attorneys at Chilivis Grubman assist businesses of all types and sizes in connection with HIPAA related matters, including breach response, breach notification, OCR investigations, and resulting civil litigation. If you need assistance with such a matter, please contact us today.