The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that it will exercise its enforcement discretion for health care providers’ and their business associates’ noncompliance with the HIPAA rules with respect to their good faith use of online or web-based scheduling applications for scheduling COVID-19 vaccination appointments. OCR will not impose penalties for such noncompliance during the COVID-19 nationwide public health emergency.

In its Notification of Enforcement Discretion (Notification), published on February 24, OCR clarified that the scheduling applications covered by the Notification are “non-public facing online or web-based application[s] that provide[] scheduling of individual appointments for services in connection with large-scale COVID-19 vaccination.” Appointment scheduling technologies that directly connect to covered entities’ electronic health records systems are expressly excluded from the scope of the Notification. Likewise, the Notification does not cover handling of protected health information (PHI) and other activities unrelated to COVID-19 vaccination appointment scheduling. The enforcement discretion will apply to providers’ web-based scheduling application vendors whether or not those vendors know that they constitute business associates for purposes of HIPAA.

OCR also identified a number of reasonable safeguards that providers and their business associates who utilize web-based scheduling technologies for COVID-19 vaccination appointments should consider taking. OCR noted, however, that a provider’s or business associate’s failure to adopt these safeguards will not cause OCR to conclude that the provider or business associate did not act in good faith for purposes of the Notification. The recommended safeguards include:

  • Using and disclosing only the minimum PHI necessary for the purpose;
  • Using encryption technology to protect PHI;
  • Enabling all available privacy settings;
  • Ensuring that storage of any PHI by the vendor is only temporary; and
  • Ensuring that the vendor does not use or disclose electronic PHI in a manner that is inconsistent with the HIPAA rules.

OCR took care to emphasize that the Notification does not apply to a provider or business associate that fails to act in good faith. An example of such a failure would be a provider’s use of a web-based scheduling technology to conduct services other than scheduling appointments for COVID-19 vaccination. Given the limited scope of activities covered by the Notification, providers and their business associates should proceed carefully when implementing a web-based system to schedule COVID-19 vaccination appointments.