Since the release of the COVID-19 vaccine, healthcare organizations have scrambled to provide patients with timely vaccination. Given the difficulties in scheduling vaccines, some providers have turned to non-traditional appointment scheduling platforms, such as Eventbrite. In an effort to ease vaccine initiatives, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced that, as of December 11, 2020, it will exercise enforcement discretion for the good-faith use of online or web-based scheduling applications (WBSAs) for COVID vaccination scheduling. The latest OCR enforcement discretion announcement is discussed below.

WBSA OCR Enforcement Discretion and COVID Vaccination

OCR Enforcement Discretion

The OCR, in response to the use of online or web-based scheduling applications (WBSAs) for COVID vaccination scheduling, has announced that it will not pursue enforcement against covered entities or business associates for the use of non-compliant WBSAs used in good faith. 

OCR’s announcement enables mass vaccination efforts to continue without the fear of violating HIPAA through the use of WBSAs, that under regular circumstances, are not considered HIPAA compliant.

March Bell, Acting OCR Director, stated, “OCR is using all available means to support the efficient and safe administration of COVID-19 vaccines to as many people as possible.”

This is particularly important because many WBSA vendors do not realize that, when their applications are used to schedule medical appointments, they are considered business associates under HIPAA. As business associates, WBSAs would normally need to be HIPAA compliant in order to offer this service. Without the OCR enforcement discretion, these appointment scheduling services would therefore generally be required to have certain measures in place to secure protected health information (PHI), such as the patient’s name and contact information.

However, for the duration of the public health emergency, OCR will not pursue enforcement for the good-faith use of non-public-facing WBSAs. This does not mean that OCR will suspend all enforcement efforts.

The OCR still expects CEs and BAs to make every effort to ensure the confidentiality, integrity, and availability of PHI, recommending:

  • Using and disclosing only the minimum PHI necessary for the purpose (e.g., an individual’s name and phone number may be the minimum necessary PHI for scheduling the appointment).
  • Using encryption technology to protect PHI.
  • Enabling all available privacy settings (e.g., adjusting WBSA calendar display settings, as needed, to hide names or show only individuals’ initials instead of full names on calendar screens).
  • Ensuring that storage of any PHI (including metadata that constitutes PHI) by the vendor is only temporary (e.g., the PHI is returned to the covered health care provider or destroyed as soon as practicable, but no later than 30 days after the appointment).
  • Ensuring the WBSA vendor does not use or disclose ePHI in a manner that is inconsistent with the HIPAA Rules (e.g., does not engage in the sale of ePHI collected from individuals using the WBSA to schedule a COVID-19 vaccination).
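Three of OCR's recommendations above (minimum necessary PHI, initials-only calendar display, and destruction of PHI no later than 30 days after the appointment) can be expressed as small, testable controls in a scheduling system. The following is an added illustration written for this article, not code from OCR or from any scheduling vendor; the field names, the sample records, and the 30-day cutoff being counted from the appointment date are assumptions chosen to match the text.

```python
from __future__ import annotations

from datetime import date, timedelta

# Assumption: the fields a scheduling vendor actually needs to book a slot.
# OCR's own example of minimum necessary PHI is name and phone number; the
# appointment date is added here so the retention rule below can be applied.
MINIMUM_NECESSARY_FIELDS = frozenset({"name", "phone", "appointment_date"})

# OCR: PHI held by the vendor must be returned or destroyed as soon as
# practicable, and no later than 30 days after the appointment.
RETENTION_DAYS = 30


def minimum_necessary(submitted: dict) -> dict:
    """Drop every submitted field that is not required to schedule the appointment.

    Anything a web form collects beyond the allow-list (email, insurance ID,
    eligibility answers, free-text notes) is never stored by the vendor.
    """
    return {k: v for k, v in submitted.items() if k in MINIMUM_NECESSARY_FIELDS}


def calendar_label(full_name: str) -> str:
    """Initials-only label for shared calendar views, e.g. 'Jane Doe' -> 'J.D.'."""
    return "".join(part[0].upper() + "." for part in full_name.split() if part)


def is_expired(appointment_date: date, today: date,
               retention_days: int = RETENTION_DAYS) -> bool:
    """True once the record is older than the retention window (day 30 is still kept)."""
    return today > appointment_date + timedelta(days=retention_days)


def purge_expired(records: list[dict], today: date) -> tuple[list[dict], list[dict]]:
    """Split stored records into those still within retention and those to destroy."""
    kept: list[dict] = []
    purged: list[dict] = []
    for record in records:
        target = purged if is_expired(record["appointment_date"], today) else kept
        target.append(record)
    return kept, purged


if __name__ == "__main__":
    # Constructed sample submission: the form collected more than was needed.
    submitted = {
        "name": "Jane Doe",
        "phone": "555-0100",
        "email": "jane@example.invalid",
        "insurance_id": "ABC-123",
        "appointment_date": date(2021, 1, 15),
    }
    stored = minimum_necessary(submitted)
    print("stored:", sorted(stored))                 # ['appointment_date', 'name', 'phone']
    print("calendar shows:", calendar_label(stored["name"]))  # J.D.

    # Constructed records at different ages relative to a review date.
    records = [
        {"name": "Jane Doe", "phone": "555-0100", "appointment_date": date(2021, 1, 15)},
        {"name": "Mary Anne Smith", "phone": "555-0101", "appointment_date": date(2021, 2, 1)},
    ]
    kept, purged = purge_expired(records, today=date(2021, 2, 16))
    print("kept:", [calendar_label(r["name"]) for r in kept])      # ['M.A.S.']
    print("purged:", [calendar_label(r["name"]) for r in purged])  # ['J.D.']
```

The purge is deliberately a pure function that returns both partitions so the destruction step can be logged and audited separately; in a real deployment the `purged` list would feed the vendor's secure-deletion routine and the `kept` list would be re-checked on the next scheduled run.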

The announcement came on the heels of another announcement, the extension of the Public Health Emergency, now effective until April 1st. The latest OCR enforcement discretion is set to expire when the public health emergency ends.

What Does Not Fall Under the OCR Enforcement Discretion?

There are instances in which the OCR enforcement discretion does not apply. It covers only WBSAs that are not integrated with an organization’s electronic health record (EHR) systems.

It also does not apply to the use of WBSAs:

  • Whose terms of service prohibit the use of the WBSA for scheduling health care services or state that the WBSA may sell personal information that it collects.
  • To conduct services other than scheduling appointments for COVID-19 vaccination (e.g., to determine individuals’ eligibility for COVID-19 vaccination).
  • Without reasonable security safeguards (e.g., access controls) to prevent the PHI from being readily accessed or viewed by unauthorized persons.
  • To screen individuals for COVID-19 prior to individuals’ in-person health care visits.

To read OCR’s notice, please click here.
