OCR Lifts HIPAA Penalties for Use of COVID-19 Vaccine Scheduling Apps

A new OCR enforcement discretion will allow providers to use online or web-based apps for scheduling COVID-19 vaccine appointments in good faith without the risk of a HIPAA penalty.

The Office for Civil Rights announced another enforcement discretion amid the pandemic, lifting penalties for potential HIPAA violations related to the good faith use of online or web-based scheduling applications (WBSAs) to schedule patients’ COVID-19 vaccine appointments.

Effective immediately, the enforcement discretion applies to covered entities and their business associates. The discretion also applies to all WBSA vendors providing the tech used by these entities in these efforts, regardless of whether the vendor has “actual or constructive knowledge that it meets the definition of a business associate” under HIPAA.

The discretion applies retroactively to December 11, 2020.

It’s the fifth penalty waiver announced by OCR during the pandemic. The agency previously made exceptions for first responders, telehealth use, business associates, and Community-Based Testing Sites.

“OCR is using all available means to support the efficient and safe administration of COVID-19 vaccines to as many people as possible,” said March Bell, Acting OCR Director, in a statement.

According to OCR, a WBSA is a non-public-facing online or web-based app that enables the scheduling of individual appointments for services tied to large-scale COVID-19 vaccination. By default, these apps allow only the intended patients to access the data created, received, maintained, or transmitted by the app.

The enforcement discretion does not cover appointment scheduling technology that connects directly to the EHR used by covered entities.

The latest enforcement discretion applies when these entities use WBSAs in good faith and only for the limited purpose of scheduling individual appointments for COVID-19 vaccinations during the public health emergency.

In light of the public health emergency, covered entities will need to quickly schedule a large number of patient appointments for the COVID-19 vaccination and may use WBSAs to accomplish the task.

However, OCR recognized that some of these apps and the methods used may not fully comply with HIPAA requirements. As such, penalties for noncompliance with HIPAA will not be imposed for good faith use of WBSAs.

While use of these platforms is acceptable, OCR also stressed that it’s important that entities take all necessary safeguards to protect the privacy and security of protected health information. These measures should include using only the minimum necessary PHI, using encryption, and enabling all available privacy settings.

OCR also encouraged entities to ensure any storage of PHI by the vendor is temporary, including metadata that constitutes PHI. For example, the PHI should be returned to the covered entity or destroyed as soon as practicable, but no later than 30 days after the appointment.

It’s also important that the WBSA vendor doesn’t use or disclose ePHI in a manner inconsistent with HIPAA. In particular, the vendor should not engage in the sale of ePHI collected from patients using the WBSA to schedule their COVID-19 vaccination.

While these measures are encouraged, OCR stated that failure to implement the recommended safeguards will not, in itself, result in OCR determining that the entity did not act in good faith.

“Covered health care providers and their business associates that seek additional privacy protections for ePHI collected while using WBSAs are encouraged to use application vendors that represent that their WBSAs support compliance with the HIPAA Rules and that the vendors will enter into BAAs in connection with the use of their WBSAs,” according to OCR.

The enforcement discretion does not apply to a covered entity or business associate that fails to act in good faith, including by using a WBSA whose terms of service involve the sale of the personal data it collects.

The measure also doesn’t cover the use of WBSAs for services other than scheduling appointments for COVID-19 vaccinations, or the use of WBSAs without reasonable safeguards to protect PHI from unauthorized access.

Healthcare entities should be careful when selecting a WBSA for these uses, as Imperva data shows attacks on healthcare web apps have increased more than 51 percent since the start of the COVID-19 vaccine rollout in December.

In total, the global healthcare sector has seen a record 187 million attacks per month on these endpoints, or about 498 attacks per organization.

Entities should employ multi-layered protection when using web apps and review guidance on building cyber-resilient systems that employ network access management, visibility, and automation.
