Today, the Office for Civil Rights (OCR) provided notice that it "...will not impose penalties for noncompliance with regulatory requirements under the HIPAA Rules against covered health care providers or their business associates in connection with the good faith use of online or web-based scheduling applications for the scheduling of individual appointments for COVID-19 vaccinations during the COVID-19 nationwide public health emergency...".
However, OCR did provide some recommendations for employing these online or web-based scheduling applications, including:
using and disclosing only the minimum PHI necessary for the purpose
encrypting all ePHI involved (at rest and in transit)
displaying the least amount of ePHI on the scheduling screen (e.g., initials in lieu of names if possible)
permanently destroying, or returning to the entity using the scheduling application, all ePHI as soon after the appointment as possible, and
ensuring the scheduling application company does not use or disclose the ePHI in a manner inconsistent with the Privacy Rule.
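To make the first, third and fourth recommendations concrete, here is a small illustration I have added for this post; it is not code from OCR's notice or from any scheduling vendor. It models a vaccination-appointment record, builds a "least display" view that shows initials and a slot time but no date of birth or phone number, and purges records whose appointment slot has passed by more than a grace period so they can be returned to the provider or destroyed. The record fields, the one-day grace period and the sample appointments are all my own constructed assumptions; encryption at rest and in transit (the second recommendation) is a separate control and is not shown here.

```python
"""Added illustration of minimum-necessary display and prompt destruction of
ePHI for a scheduling application. Field names, the grace period and the
sample data are constructed assumptions, not taken from OCR's notice."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Appointment:
    record_id: str
    full_name: str
    date_of_birth: str   # ePHI that a check-in screen never needs to show
    phone: str           # likewise kept off the display view
    slot: datetime


def initials(full_name: str) -> str:
    """Reduce a name to initials for on-screen use: 'Jane Q. Public' -> 'J.Q.P.'."""
    parts = [p for p in full_name.replace(".", " ").split() if p]
    return "".join(p[0].upper() + "." for p in parts)


def display_view(appt: Appointment) -> dict:
    """Least-display view: only what a scheduler needs to check someone in.
    Date of birth and phone are deliberately omitted (minimum necessary)."""
    return {
        "record_id": appt.record_id,
        "initials": initials(appt.full_name),
        "slot": appt.slot.isoformat(timespec="minutes"),
    }


def purge_completed(appts, now, grace=timedelta(days=1)):
    """Split records into (kept, purged). A record is purged once its slot is
    more than `grace` in the past; the caller returns purged records to the
    provider or destroys them, so they no longer sit in the scheduling app."""
    kept, purged = [], []
    for a in appts:
        (purged if a.slot + grace <= now else kept).append(a)
    return kept, purged


# Constructed sample data (assumed, not real patients).
SAMPLE = [
    Appointment("A-1001", "Jane Q. Public", "1960-01-01", "555-0100",
                datetime(2021, 3, 1, 9, 0)),
    Appointment("A-1002", "Juan Perez", "1975-07-04", "555-0101",
                datetime(2021, 3, 5, 14, 30)),
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(display_view(a))
    kept, purged = purge_completed(SAMPLE, now=datetime(2021, 3, 3))
    print("kept:", [a.record_id for a in kept],
          "purged:", [a.record_id for a in purged])
```

The point of the split into `display_view` and the underlying record is that the scheduling screen, and any logs or exports built from it, only ever see the minimized view; the full record stays with the covered entity and is removed from the application on a fixed schedule rather than kept indefinitely.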
This enforcement discretion "...will remain in effect until the Secretary of HHS determines that the public health emergency no longer exists, or upon the expiration date of the public health emergency, including any extensions..."
The enforcement discretion aside, we recommend establishing a Business Associate Agreement or other HIPAA-compliant service contract with anyone with whom ePHI is shared, as permitted by the HIPAA Privacy Rule.
Click on the graphic below to read the source document. As Proteus does not provide legal advice, we recommend consulting with your organization's counsel before acting on this news.
Stay (HIPAA) safe, Alan -