OCR lifts HIPAA fines for use of COVID-19 vaccine scheduling tools

A doctor types on a computer
Providers won't be penalized for potential HIPAA violations related to good faith use of web-based tools to schedule COVID-19 vaccine appointments. (Getty/andrei_r)

Healthcare organizations won't be penalized for potential Health Insurance Portability and Accountability Act (HIPAA) violations related to the good faith use of online or web-based scheduling applications for COVID-19 vaccine appointments.

The Office for Civil Rights (OCR) at the U.S Department of Health and Human Services announced (PDF) this week that it won't enforce fines against providers when using apps and other digital tools that don't fully comply with HIPAA.

The enforcement discretion applies to covered healthcare providers and their business associates, including online or web-based scheduling applications vendors (WBSAs), when the vendors are used in good faith and only for the limited purpose of scheduling individual appointments for COVID-19 vaccinations during the nationwide public health emergency.

WBSAs offer a nonpublic-facing online or web-based app that enables the scheduling of individual appointments for services tied to large-scale COVID-19 vaccine administration. These apps by default only allow the intended patients to access the data created, received, maintained or transmitted by the app, the OCR said.

RELATED: HHS proposes changes to HIPAA privacy rule to improve care coordination

During the COVID-19 public health emergency, covered healthcare providers need to quickly schedule large numbers of individuals for appointments for COVID-19 vaccination and may use these apps to do so.

The OCR also is encouraging the use of reasonable safeguards to protect the privacy and security of individuals’ protected health information, such as using only the minimum necessary data and encryption technology as well as enabling all available privacy settings.

"OCR is using all available means to support the efficient and safe administration of COVID-19 vaccines to as many people as possible,” said March Bell, acting OCR director. 

RELATED: HHS delivers first fine under new information blocking initiative to Florida hospital

The enforcement discretion has a retroactive date effective to Dec. 11, 2020.

Covered healthcare providers and their business associates that seek additional privacy protections for health data collected while using WBSAs are encouraged to use application vendors that represent that their WBSAs support compliance with the HIPAA rules and that the vendors will enter into business associate agreements in connection with the use of their WBSAs.

It’s the fifth penalty waiver announced by the OCR during the pandemic. The agency previously made exceptions for first responders, telehealth use, business associates and community-based testing sites.