Since the release of the COVID-19 vaccine, healthcare organizations have scrambled to provide patients with timely vaccination. With the difficulties in scheduling vaccines, some providers have turned to non-traditional appointment scheduling platforms, such as Eventbrite. In an effort to ease vaccine initiatives, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced that, as of December 11, 2020, it will exercise enforcement discretion for the use of online or web-based scheduling applications (WBSAs) for COVID vaccination scheduling provided in good faith. The latest OCR enforcement discretion announcement is discussed below.

WBSA OCR Enforcement Discretion and COVID Vaccination

OCR Enforcement Discretion

The OCR, in response to the use of online or web-based scheduling applications (WBSAs) for COVID vaccination scheduling, has announced that it will not pursue enforcement against covered entities or business associates for the good-faith use of non-compliant WBSAs.

OCR’s announcement enables mass vaccination efforts to continue without the fear of violating HIPAA through the use of WBSAs that, under regular circumstances, are not considered HIPAA compliant.

March Bell, Acting OCR Director, stated, “OCR is using all available means to support the efficient and safe administration of COVID-19 vaccines to as many people as possible.”

This is particularly important as many of the WBSAs do not realize that, when being used to schedule medical appointments, they are considered business associates under HIPAA. As business associates, WBSAs would normally need to be HIPAA compliant in order to offer this service. As such, without the OCR enforcement discretion, these appointment scheduling services would generally be required to have certain measures in place to secure protected health information (PHI), such as the patient’s name and contact information. 

However, over the course of the public health emergency, OCR will not pursue enforcement for the use of non-public facing WBSAs used in good faith. This is not to say that OCR will suspend all enforcement efforts. 

The OCR still expects covered entities (CEs) and business associates (BAs) to make every effort to ensure the confidentiality, integrity, and availability of PHI, recommending:

  • Using and disclosing only the minimum PHI necessary for the purpose (e.g., an individual’s name and phone number may be the minimum necessary PHI for scheduling the appointment).
  • Using encryption technology to protect PHI.
  • Enabling all available privacy settings (e.g., adjusting WBSA calendar display settings, as needed, to hide names or show only individuals’ initials instead of full names on calendar screens).
  • Ensuring that storage of any PHI (including metadata