The Office for Civil Rights (OCR) at HHS announced that it will exercise its enforcement discretion and will not impose penalties for violations of the HIPAA Rules on covered health care providers or their business associates in connection with the good faith use of online or web-based scheduling applications (collectively, “WBSAs”) for the scheduling of individual appointments for COVID-19 vaccinations during the COVID-19 nationwide public health emergency. This exercise of enforcement discretion is effective immediately, but has retroactive effect to December 11, 2020.
The Notification explains that the exercise of enforcement discretion applies to covered health care providers and their business associates, including WBSA vendors (as WBSA is defined in the Notification), when the WBSA is used in good faith and only for the limited purpose of scheduling individual appointments for COVID-19 vaccinations during the COVID-19 nationwide public health emergency. Although OCR is exercising enforcement discretion, the Notification encourages the use of reasonable safeguards to protect the privacy and security of individuals’ protected health information (PHI), such as using only the minimum necessary PHI, encryption technology, and enabling all available privacy settings.