The Health and Human Services Office for Civil Rights (OCR) has updated their January 19th announcement "Enforcement Discretion Regarding Online or Web-Based Scheduling Applications for the Scheduling of Individual Appointments for COVID-19 Vaccination...".
This February 12th update, signed by Acting Secretary Robinsue Frohboese is to "...inform the public that the Department of Health and Human Services (HHS) is exercising its discretion in how it applies the Privacy, Security, and Breach Notification Rules promulgated under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health (HITECH) Act (“HIPAA Rules”)..."
Specifically, this notice serves to inform the healthcare community that "...the HHS Office for Civil Rights (OCR) will not impose penalties for noncompliance with regulatory requirements under the HIPAA Rules against covered health care providers or their business associates in connection with the good faith use of online or web-based scheduling applications for the scheduling of individual appointments for COVID-19 vaccinations during the COVID-19 nationwide public health emergency..." but that this decision is limited to "...a non-public facing online or web-based application that provides scheduling of individual appointments for services in connection with large-scale COVID-19 vaccination...". So any non-COVID vaccination appointment use is not included, as detailed "...activities, such as the handling of PHI unrelated to the scheduling of COVID-19 vaccinations, are not included within the scope of this exercise of enforcement discretion. Potential HIPAA penalties still apply to all other HIPAA-covered operations of the covered health care provider and its business associates, unless otherwise stated by OCR..." and ..."does not apply to a covered health care provider or business associate when it fails to act in good faith'''.
We emphatically recommend all HIPAA Privacy and Security Officers keep abreast of OCR announcements and continue applying compliant, secure practices to preserve their patients' information. We also recommend clicking the graphic below and reviewing the source document.
Stay (HIPAA) safe,