The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced that it will exercise its enforcement discretion and will not impose penalties for violations of the HIPAA Rules on covered health care providers or their business associates in connection with the good faith use of online or web-based scheduling applications (collectively, “WBSAs”) for the scheduling of individual appointments for COVID-19 vaccinations during the COVID-19 nationwide public health emergency. The enforcement discretion is retroactively effective to December 11, 2020.
The exercise of enforcement discretion applies to covered health care providers and their business associates, including WBSA vendors (as WBSA is defined in the Notification), when the WBSA is used in good faith and only for the limited purpose of scheduling individual appointments for COVID-19 vaccinations during the COVID-19 nationwide public health emergency. Although OCR is exercising enforcement discretion, the Notification encourages the use of reasonable safeguards to protect the privacy and security of individuals’ protected health information (PHI), such as using only the minimum necessary PHI, encryption technology, and enabling all available privacy settings.
The Notification of Enforcement Discretion for Use of Online or Web-Based Scheduling Applications during the COVID-19 Nationwide Public Health Emergency is available on the HHS website.