March 1, 2021

Volume XI, Number 60


February 26, 2021


OCR Announces it Will Not Impose HIPAA Penalties for Use of COVID-19 Vaccine Scheduling Apps

The Office of Civil Rights (OCR) issued a notice yesterday stating that it will not impose penalties for HIPAA non-compliance in connection with a covered entity health care provider’s or business associate’s good faith use of online or web-based scheduling applications (WBSAs) for the scheduling of appointments for COVID-19 vaccinations during the public health emergency. The notice is retroactively effective to December 11, 2020. OCR highlights to covered health care providers and business associates that its temporary lifting of HIPAA penalties applies only to scheduling of COVID-19 vaccinations and to no other activities.

A WBSA is a non-public facing online or web-based application that provides scheduling of individual appointments for services in connection with large-scale COVID-19 vaccination. “Non-public facing” means that a WBSA, as a default, allows only the intended parties (e.g., a health care provider and the individual scheduling the appointment, and a WBSA workforce member for technical support) to access the WBSA data. Importantly, a WBSA does not include appointment scheduling technology that connects directly to a covered entity’s electronic health record (EHR). In other words, OCR may still impose penalties for HIPAA non-compliance related to use of a COVID-19 scheduling application that connects directly to the EHR.

OCR does recommend that covered entities and their business associates implement reasonable safeguards when using WBSAs, including:

  • Complying with HIPAA’s minimum necessary rule when scheduling COVID-19 vaccine appointments;

  • Using encryption to protect PHI;

  • Enabling all available privacy settings, such as adjusting the WBSA’s calendar display settings to show initials instead of full names;

  • Ensuring storage of PHI by the WBSA vendor is temporary; and

  • Ensuring the WBSA complies with HIPAA with respect to use and disclosure of electronic PHI.

OCR notes that failure to implement the above safeguards does not necessarily mean that an entity failed to act in good faith.

Copyright © 2020 Robinson & Cole LLP. All rights reserved. National Law Review, Volume XI, Number 21

About this Author

Nathaniel Arden, Health Care and Intellectual Property Attorney, Robinson Cole Law Firm, Hartford, Connecticut
Counsel

Nathaniel Arden is a member of Robinson+Cole’s Health Law Group. He advises hospitals, health systems, physician groups, community providers, and other health care entities on a variety of health law and business issues. His practice focuses on health care-related regulatory and transactional matters, as well as health care-related information technology issues. Nathaniel has an extensive background in the healthcare industry, and he worked at a large academic medical center prior to joining the firm.

Regulatory

...
860-275-8269