On January 19, 2021, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Enforcement Discretion (Notice) announcing that it will not impose penalties for noncompliance with HIPAA against covered health care providers and their business associates in connection with the good faith use of online or web-based scheduling applications (WBSAs) for the limited purpose of scheduling of individual appointments for COVID-19 vaccinations. The enforcement discretion also applies to all WBSA vendors providing the technology used by these entities in these efforts, regardless of whether the vendor has actual or constructive knowledge that it meets the definition of a business associate under HIPAA.
The Notice covers those WBSAs that are “non-public facing,” meaning that the WBSA, by default, only allows the intended parties (e.g., a covered health care provider, the individual or personal representative scheduling the appointment, and a WBSA workforce member, if needed to provide technical support) to access data created, received, maintained, or transmitted by the WBSA.
OCR is encouraging covered health care providers and their business associates using WBSAs to implement the following reasonable recommended safeguards to protect the privacy and security of individuals’ PHI:
While OCR encourages health care providers and their business associates to implement these safeguards, failure to do so will not, in and of itself, cause OCR to determine that an entity failed to act in good faith. However, health care providers and their business associates should note that this Notice does not apply to the following circumstances:
In addition, the Notice does not address or appear to impact HIPAA’s requirement for covered entities to distribute a notice of privacy practices and obtain a written acknowledgment of receipt of the same.
The Notice is effective immediately and retroactive to December 11, 2020; it will remain in effect until the Secretary of HHS determines the public health emergency no longer exists or upon the expiration date of the public health emergency, whichever occurs first.
For more information, please contact your Foley relationship partner or the Foley colleagues listed below. As the coronavirus continues to evolve, Foley is here to help you address the short- and long-term impacts in the wake of COVID-19. We have the resources to help you navigate these and other important legal considerations related to business operations and industry-specific issues faced by many companies around the world.