
OCR Relaxes Enforcement on Providers Using Scheduling Apps for COVID-19 Vaccinations

On January 19, 2021, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Enforcement Discretion (Notice) announcing that it will not impose penalties for noncompliance with HIPAA against covered health care providers and their business associates in connection with the good faith use of online or web-based scheduling applications (WBSAs) for the limited purpose of scheduling individual appointments for COVID-19 vaccinations. The enforcement discretion also applies to all WBSA vendors providing the technology used by these entities in these efforts, regardless of whether the vendor has actual or constructive knowledge that it meets the definition of a business associate under HIPAA.

The Notice covers those WBSAs that are “non-public facing,” meaning that the WBSA, by default, only allows the intended parties (e.g., a covered health care provider, the individual or personal representative scheduling the appointment, and a WBSA workforce member, if needed to provide technical support) to access data created, received, maintained, or transmitted by the WBSA.

OCR is encouraging covered health care providers and their business associates using WBSAs to implement the following reasonable recommended safeguards to protect the privacy and security of individuals’ PHI:

  • Using and disclosing only the minimum PHI necessary. For example, an individual’s name and phone number may be the minimum necessary PHI for scheduling the appointment via the WBSA.

  • Using encryption technology to safeguard PHI.

  • Enabling all available privacy settings on the WBSA. For example, adjusting the WBSA calendar display settings, as needed, to hide names or show only an individual’s initials instead of their full name on the calendar screen.

  • Ensuring that storage of any PHI by the WBSA vendor is temporary. For example, returning the PHI to the covered health care provider or destroying it as soon as practicable.

  • Ensuring the WBSA vendor does not use or disclose PHI in a manner that is inconsistent with HIPAA. For example, prohibiting the WBSA vendor from selling PHI collected from individuals using the WBSA to schedule a COVID-19 vaccination.

While OCR encourages health care providers and their business associates to implement these safeguards, failure to do so will not, in and of itself, cause OCR to determine that an entity failed to act in good faith. However, health care providers and their business associates should note that this Notice does not apply to the following circumstances:

  • Using a WBSA other than for scheduling COVID-19 vaccinations. For example, the use of a WBSA to determine an individual’s eligibility to receive a COVID-19 vaccination or to screen individuals for COVID-19 before an in-person health care visit is not included within the scope of the OCR’s exercise of enforcement discretion.

  • Using a WBSA that includes technology that connects directly to an EHR system.

  • Using a WBSA whose terms of service prohibit the use of the WBSA for scheduling health care services or state that the WBSA may sell personal information that it collects.

  • Using a WBSA that does not employ reasonable security safeguards to prevent the PHI from being readily accessed or viewed by unauthorized persons.

In addition, the Notice does not address or appear to impact HIPAA’s requirement for covered entities to distribute a notice of privacy practices and obtain a written acknowledgment of receipt of the same.

The Notice is effective immediately and retroactive to December 11, 2020; it will remain in effect until the Secretary of HHS determines the public health emergency no longer exists or upon the expiration date of the public health emergency, whichever occurs first.

© 2022 Foley & Lardner LLP

National Law Review, Volume XI, Number 26

About this Author

Jennifer L. Urban, Data Security Attorney, Foley & Lardner, Milwaukee, WI

Jennifer L. Urban (formerly Rathburn) is a partner with Foley & Lardner LLP. Jennifer focuses her practice on counseling clients on data protection programs, data incident management, breach response and recovery, monetization of data and other privacy and security issues. She is one of the founders of the Midwest Cyber Security Alliance and has a deep understanding of the complex risk, operational and legal issues companies must address to maintain the confidentiality of, access to, and integrity of their data.

As a member of the firm’s Technology Transactions & Outsourcing...

Jennifer Hennessy, Foley & Lardner Law Firm, Privacy, Security and Healthcare Attorney

Jennifer J. Hennessy is a privacy and security and health care regulatory attorney with Foley & Lardner LLP. Her practice includes advising businesses on compliance with state and federal data privacy and security laws. She assists covered entities and business associates in complying with the HIPAA Privacy and Security Rules, and also advises businesses and individuals on compliance with state data privacy laws and federal law 42 C.F.R. Part 2, Confidentiality of Alcohol and Drug Abuse Treatment Records. She frequently guides clients through data incident management...

Aaron T. Maguregui, Special Counsel, Health Care Attorney, Foley & Lardner, Tampa, FL

Aaron Maguregui is a health care lawyer and member of the firm’s Privacy, Security & Information Management Practice, and national Telemedicine & Digital Health Industry Team. He advises innovative health care and technology companies on solving complex compliance, cybersecurity, data governance, data privacy, and risk management matters. Working with leading health care insurers, government-sponsored managed care organizations, health care providers, and technology companies, he delivers pragmatic legal advice and action-oriented guidance to help clients reach their goals...

Samuel Goldstick, Foley & Lardner Law Firm, Chicago, Cybersecurity and Healthcare Law Attorney

Samuel (Sam) Goldstick is a data privacy and cybersecurity associate at Foley & Lardner LLP. He is a member of the firm’s Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices, as well as Technology and Health Care Industry Teams. He also is accredited by the International Association of Privacy Professionals (IAPP) as a Certified Information Privacy Professional in both the United States and Europe (CIPP/US and CIPP/E).

Prior to joining Foley, Mr. Goldstick was an associate at a prominent law...