HHS Exercises Discretion and Declines to Enforce HIPAA Privacy Rules for Use of Web-Based COVID-19 Vaccine Appointment Scheduling Platforms

By Seth A. Nadel, Esq.

On January 19, 2021, the U.S. Department of Health and Human Services (HHS) issued a notification that the Office of Civil Rights (OCR), the entity responsible for enforcement of HIPAA privacy rules, would exercise its discretion and decline to impose penalties against certain covered entities or their business associates with respect to the use of online scheduling applications to schedule individual patient appointments to receive a COVID-19 vaccination. 

Per the notification, OCR recognizes that certain covered health care providers or their business associates have chosen to use web-based scheduling applications (“WBSAs”) to schedule patients in connection with large-scale COVID-19 vaccination efforts. These WBSAs are “non-public facing,” in that they are not viewable by the public and are intended to be viewed only by the patient, the provider and the scheduling entity. WBSAs and the companies that provide them are, by their very nature, also considered “business associates” of the HIPAA-covered health care entities that use their platforms.

Generally, the HIPAA Privacy Rules allow a covered entity to share Protected Health Information (PHI) with a business associate, but only pursuant to a written business associate agreement (BAA) or in accordance with pre-existing federal regulations established by HHS. However, recognizing the public need to schedule large numbers of COVID-19 vaccine appointments within a short period of time, OCR has opted not to impose penalties for noncompliance with these regulatory requirements when either covered entities or their business associates are, in good faith, using WBSAs to schedule such appointments.

As to the requirement of good faith, the notification outlines the recommended and reasonable safeguards that these entities should employ in their use of WBSAs, which mirror the general requirements for the handling of HIPAA-protected information. These include: (1) using and disclosing only the minimum PHI necessary for the purpose of scheduling; (2) using encryption technology; (3) enabling maximum privacy settings on the scheduling software; (4) ensuring that storage of PHI is only temporary; and (5) ensuring that WBSA vendors do not disclose PHI to any third party in a manner that is inconsistent with HIPAA rules.

HHS explicitly states that “[failure] to implement recommended reasonable safeguards above will not, in itself, cause OCR to determine that a covered health care provider or its business associate failed to act in good faith” for the purposes of the notification. However, from a practical compliance standpoint, a covered entity or business associate should still take tangible steps to implement reasonable safeguards, so that it can more easily show good faith efforts in meeting OCR’s requirements should it later be required to do so. HHS also encourages covered health care providers to use WBSAs that explicitly represent that they support compliance with applicable HIPAA rules.

It should be noted that the scope of the notification does not extend to appointment scheduling technology that links directly to a covered entity’s EHR system. The notification likewise does not extend to any activities other than the scheduling of COVID-19 vaccinations, including other activities related to COVID-19 vaccination or treatment in any other respect. This includes determining an individual’s eligibility for receiving a COVID-19 vaccine or screening a patient for COVID-19 prior to an appointment. The notification also does not extend to activities undertaken without any reasonable safeguards in place, underlining the importance of documenting that at least some manner of safeguarding is implemented.

Although announced in late January, the notification is retroactive to December 11, 2020, and will remain in effect until the expiration of the public emergency declaration, or until HHS determines in its discretion that the public emergency no longer exists. A copy of HHS’s notification may be found here.

Weiss Zarett has assisted numerous physicians and health-related businesses in connection with concerns regarding HIPAA compliance and other regulatory issues. If you have questions about any such issues, please reach out to Seth A. Nadel, Esq. at snadel@app-60705ed4c1ac183264fb7857.closte.com or 516-627-7000.

Weiss Zarett Brofman Sonnenklar & Levy, P.C. is a Long Island law firm providing a wide array of legal services to the members of the health care industry, including corporate and transactional matters, civil and administrative litigation, healthcare regulatory issues, bankruptcy and creditors’ rights, and commercial real estate transactions.

ATTORNEY ADVERTISING: PRIOR RESULTS DO NOT GUARANTEE FUTURE OUTCOMES.