On February 12, 2021, the Office for Civil Rights (“OCR”) of the U.S Department of Health and Human Services (“HHS”) provided additional information regarding its previously-announced discretion in the enforcement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act related to privacy, security, and date breaches. OCR stated that it will not penalize covered entities or their business associates for non-compliance under HIPAA for the good faith use of online or web-based scheduling applications (“WBSAs”) for scheduling COVID-19 vaccination appointments during the COVID-19 pandemic.

During the COVID-19 public health emergency, covered entities, such as large pharmacy chains, or business associates acting on behalf of the covered entities, are permitted to use WBSAs to schedule individual appointments for COVID-19 vaccinations. For the purposes of this exercise of discretion, a WBSA is defined as an online or web-based application that only allows the intended parties to access the data and that provides individual appointment scheduling related to large-scale COVID-19 vaccination efforts. Technology that directly connects to electronic health records (“EHR”) systems used by covered entities is excluded from the definition of a WBSA. The HIPAA privacy rules allow business associates of a covered entity to use and disclose protected health information (“PHI”) for certain functions, only as dictated by a business associate agreement. During the COVID-19 pandemic, however, covered entities need to schedule a large number of vaccine appointments and often do this through the use of WBSAs. Some of these online scheduling applications, and the way in which covered entities use them, may not comply with the HIPAA privacy rules. Furthermore, vendors of the WBSAs may not know providers are using these applications to create and send PHI, potentially making the WBSA vendors business associates under HIPAA.

OCR will exercise discretion in the enforcement of HIPAA privacy rules and will not penalize covered entities, their business associates, or WBSA vendors who are technically business associates, for noncompliance as it relates to the scheduling of individual COVID-19 vaccination appointments during the COVID-19 pandemic. This enforcement discretion applies to covered healthcare providers and their business associates, which are, in good faith, using WBSAs to schedule COVID-19 vaccination appointments, as well as WBSA vendors whose platforms are being used to schedule COVID-19 vaccination appointments. Discretion does not apply to covered entities or business associates for activities unrelated to the scheduling of COVID-19 vaccinations or if the covered providers or business associates fail to act in good faith. Instances where a covered entity or business associate is not considered to be acting in good faith include: (i) the use of a WBSA that allows the sale of personal information collected; (ii) the use of a WBSA for purposes other than scheduling COVID-19 vaccination appointments; (iii) the use of a WBSA without reasonable safeguards to protect the PHI; and (iv) the use of a WBSA to screen individuals for COVID-19 before an in-person visit.

George W. Bodenger, Esquire Law Offices of George W. Bodenger, LLC 575 S. Goddard Blvd, #213 King of Prussia, PA 19406 Office (610) 212-5031 Fax – (484) 416-0229 www.bodengerlaw.com