Due to the current COVID-19 health emergency, healthcare providers need to schedule vast numbers of appointments for individuals to receive COVID-19 vaccinations. In the interest of ease and efficiency for all parties, they may use apps and other digital scheduling tools to do so.
Covered providers will not be penalized for potential violations of the Health Insurance Portability and Accountability Act (HIPAA) related to use of online scheduling applications for COVID-19 vaccinations. The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services announced that it will not enforce fines against healthcare providers for use of such apps that may not be fully HIPAA compliant.
This discretion of HIPAA enforcement applies to covered healthcare providers and their associates, including web-based scheduling applications vendors (WBSAs), when these vendors are a) used in good faith and b) limited to the scheduling of COVID-19 vaccination appointments during the nationwide health emergency. This enforcement discretion is retroactively affective to Dec. 11, 2020 and will remain in effect until it is deemed that the public health emergency has ended.
WBSAs offer online or web-based apps that are non-public facing for the purpose of scheduling appointments for COVID-related services on a large scale. According to the OCR, “non- public facing” means that these apps only allow the patient and intended health care provider(s) to access the data created, received, maintained, or transmitted by the app. The OCR encourages the reasonable use of safeguards to protect privacy security of patients’ protected health information (PHI). These safeguards include using only the minimum of necessary data to complete the scheduling as well as encryption technology and enabling all available privacy settings.
Healthcare providers are encouraged to use vendors that state that their WBSAs support HIPAA compliance when seeking additional privacy protection for PHI. Additionally, they can look for vendors that will enter into a business agreement in connection with use of their WBSAs.
Notification of Enforcement Discretion, 45 C.F.R. §§ 160, 164. (2021).