February 5, 2023

Volume XIII, Number 36

February 03, 2023

HHS’ OCR Announces Enforcement Discretion for HIPAA Noncompliance Relating to Online COVID-19 Vaccination Appointment Scheduling Applications

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that it will exercise its enforcement discretion for health care providers’ and their business associates’ noncompliance with the HIPAA rules with respect to their good faith use of online or web-based scheduling applications for scheduling COVID-19 vaccination appointments. OCR will not impose penalties for such noncompliance during the COVID-19 nationwide public health emergency.

In its Notification of Enforcement Discretion (Notification), published on February 24, OCR clarified that the scheduling applications covered by the Notification are “non-public facing online or web-based application[s] that provide[] scheduling of individual appointments for services in connection with large-scale COVID-19 vaccination.” Appointment scheduling technologies that directly connect to covered entities’ electronic health records systems are expressly excluded from the scope of the Notification. Likewise, the Notification does not cover handling of protected health information (PHI) and other activities unrelated to COVID-19 vaccination appointment scheduling. The enforcement discretion will apply to providers’ web-based scheduling application vendors whether or not those vendors know that they constitute business associates for purposes of HIPAA.

OCR also identified a number of reasonable safeguards that providers and their business associates who utilize web-based scheduling technologies for COVID-19 vaccination appointments should consider taking. OCR noted, however, that a provider’s or business associate’s failure to adopt these safeguards will not cause OCR to conclude that the provider or business associate did not act in good faith for purposes of the Notification. The recommended safeguards include:

  • Using and disclosing only the minimum PHI necessary for the purpose;

  • Using encryption technology to protect PHI;

  • Enabling all available privacy settings;

  • Ensuring that storage of any PHI by the vendor is only temporary; and

  • Ensuring that the vendor does not use or disclose electronic PHI in a manner that is inconsistent with the HIPAA rules.

OCR took care to emphasize that the Notification does not apply to a provider or business associate that fails to act in good faith. An example of such a failure would be a provider’s use of a web-based scheduling technology to conduct services other than scheduling appointments for COVID-19 vaccination. Given the limited scope of activities covered by the Notification, providers and their business associates should proceed carefully when implementing a web-based system to schedule COVID-19 vaccination appointments.

©1994-2023 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved. National Law Review, Volume XI, Number 56

About this Author

The health industry is a complex system, and reimbursement is the lifeblood. Reduction in payments from governmental and commercial payors affects providers, suppliers, manufacturers, and all others across the health care continuum.

Regulatory approval and accreditation is the heart of the system. For many, delay in licensure and other regulatory approvals can threaten financing and corporate viability. Accreditation of residency training programs is essential to the vitality of academic medical centers and teaching hospitals.

Restructuring is a fact of life in this dynamic...