OCR to Have Enforcement Discretion in Relation to the Use of Internet or Cloud-based Scheduling Software for COVID-19 Vaccination Sessions
The Department of Health and Human Services’ Office for Civil Rights has stated that it is going to implement enforcement discretion and will not issue financial penalties on HIPAA-covered entities or business associates in the event of HIPAA rules violations associated with the honest use of online or web-based scheduling applications (WBSAs) for booking individual visits for COVID-19 shots.
The notice of enforcement discretion is applicable to the use of WBSAs for the restricted function of booking individual sessions for COVID-19 vaccinations throughout the COVID-19 public health emergency. The notification is in effect without delay, is retroactive to December 11, 2020, and will stay in force during the COVID-19 countrywide public health emergency.
A WBSA is a nonpublic facing internet or web-based program that permits personal sessions to be appointed in association with mass COVID-19 vaccination. The objective of a WBSA is to enable covered healthcare organizations to immediately program a lot of appointments for COVID-19 shots.
A WBSA, and the information generated, acquired, retained, or transmitted by the WBSA, must only be available to the designated entities, for example, the healthcare company or pharmacy supplying the vaccines, the authorized individual organizing vaccinations, or a WBSA personnel that needs access to the solution and/or records for giving technical help.
The notice of enforcement discretion is not applicable to an appointment scheduling software that links straight to electronic health record (EHR) programs.
A WBSA might not fulfill all conditions of the HIPAA Guidelines and would hence not be authorized for use in association with electronic protected health information (ePHI) under typical instances. It is likewise likely that the vendor of a WBSA might not know that their platform is being utilized by healthcare companies in correlation with ePHI, which would hence classify the vendor as a business associate under HIPAA.
Although the notice of enforcement discretion is in place, OCR is not going to charge penalties against HIPAA covered entities, their business associates, and WBSA vendors that satisfy the characterization of a business associate as per the HIPAA Policies for good faith purposes of WBSAs for booking COVID-19 vaccination sessions.
Though fines will not be charged, OCR encourages the usage of reasonable safety measures to secure the privacy of people and the safety of ePHI. So the ePHI compiled and put into the WBSA ought to be confined to the minimum needed data, encryption technology ought to be employed when available, and all privacy controls must be activated. That includes changing the calendar display to obscure names or merely reveal initials. When a vendor retains ePHI, the storage ought to only be non-permanent and ePHI have to be deleted within 30 days following the session. The WBSA vendor must be advised not to reveal any ePHI in a way that is not in accordance with the HIPAA Guidelines.
These acceptable safeguards are recommended by OCR, though not using the advised reasonable safety measures won’t, in itself, mean a covered health care company or its business associate did not act in good faith considering this Notification.
Bad faith uses that are not protected by the notification are the following:
- Using a WBSA where the vendor forbids its usage for managing healthcare services.
- Utilizing the WBSA for arranging appointments aside from COVID-19 vaccinations.
- Employing a solution that doesn’t include access controls to confine access to ePHI to approved people.
- Screening persons for COVID-19 before face-to-face healthcare consultations.
- Usage of public-facing WBSAs.
OCR is making use of all accessible resources to make the COVID-19 vaccinations successful and secure to all individuals as much as possible.