On January 19, 2021, the U.S. Department of Health and Human Services issued a Notification that it is exercising enforcement discretion in how it applies the privacy, security and breach notification rules under HIPAA. Under the Notification, the HHS Office for Civil Rights will not impose penalties for noncompliance with regulatory requirements under HIPAA against covered health care providers or their business associates in connection with the good faith use of online or web-based scheduling applications for the scheduling of individual appointments for COVID-19 vaccinations during the COVID-19 nationwide public health emergency.
This Notification of Enforcement Discretion is effective immediately, but will have retroactive effect to December 11, 2020.
The Office for Civil Rights does encourage covered health care providers and their business associates using web-based scheduling applications in good faith for the scheduling of individual appointments for COVID-19 vaccinations to implement reasonable safeguards to protect the privacy and security of individuals' protected health information. The recommended safeguards include using and disclosing only the minimum protected health information necessary for the purpose; using encryption technology to protect protected health information; enabling all available privacy settings; ensuring that storage of any protected health information by the vendor is only temporary; and ensuring the web-based scheduling application vendor does not use or disclose electronic protected health information in a manner that is inconsistent with HIPAA.