OCR Relaxes Enforcement on Providers Using Scheduling Apps for COVID-19 Vaccinations

26 January 2021 Blog
Author(s): Jennifer L. Urban, Jennifer J. Hennessy, Aaron T. Maguregui, Samuel D. Goldstick
Published To: Coronavirus Resource Center: Back to Business, Health Care Law Today

On January 19, 2021, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Enforcement Discretion (Notice) announcing that it will not impose penalties for noncompliance with HIPAA against covered health care providers and their business associates in connection with the good faith use of online or web-based scheduling applications (WBSAs) for the limited purpose of scheduling of individual appointments for COVID-19 vaccinations. The enforcement discretion also applies to all WBSA vendors providing the technology used by these entities in these efforts, regardless of whether the vendor has actual or constructive knowledge that it meets the definition of a business associate under HIPAA.

The Notice covers those WBSAs that are “non-public facing,” meaning that the WBSA, by default, only allows the intended parties (e.g., a covered health care provider, the individual or personal representative scheduling the appointment, and a WBSA workforce member, if needed to provide technical support) to access data created, received, maintained, or transmitted by the WBSA.

OCR is encouraging covered health care providers and their business associates using WBSAs to implement the following reasonable recommended safeguards to protect the privacy and security of individuals’ PHI:

  • Using and disclosing only the minimum PHI necessary. For example, an individual’s name and phone number may be the minimum necessary PHI for scheduling the appointment via the WBSA.
  • Using encryption technology to safeguard PHI.
  • Enabling all available privacy settings on the WBSA. For example, adjusting the WBSA calendar display settings, as needed, to hide names or show only an individual’s initials instead of their full name on the calendar screen.
  • Ensuring that storage of any PHI by the WBSA vendor is temporary. For example, returning the PHI to the covered health care provider or destroying it as soon as practicable.
  • Ensuring the WBSA vendor does not use or disclose PHI in a manner that is inconsistent with HIPAA. For example, prohibiting the WBSA vendor from selling PHI collected from individuals using the WBSA to schedule a COVID-19 vaccination.

While OCR encourages health care providers and their business associates to implement these safeguards, failure to do so will not, in and of itself, cause OCR to determine that an entity failed to act in good faith. However, health care providers and their business associates should note that this Notice does not apply to the following circumstances:

  • Using a WBSA other than for scheduling COVID-19 vaccinations. For example, the use of a WBSA to determine an individual’s eligibility to receive a COVID-19 vaccination or to screen individuals for COVID-19 before an in-person health care visit is not included within the scope of the OCR’s exercise of enforcement discretion.
  • Using a WBSA that includes technology that connects directly to an EHR system.
  • Using a WBSA whose terms of service prohibit the use of the WBSA for scheduling health care services or state that the WBSA may sell personal information that it collects.
  • Using a WBSA that does not employ reasonable security safeguards to prevent the PHI from being readily accessed or viewed by unauthorized persons.

In addition, the Notice does not address or appear to impact HIPAA’s requirement for covered entities to distribute a notice of privacy practices and obtain a written acknowledgment of receipt of the same.

The Notice is effective immediately and retroactive to December 11, 2020; it will remain in effect until the Secretary of HHS determines the public health emergency no longer exists or upon the expiration date of the public health emergency, whichever occurs first.
