The Office for Civil Rights (OCR) has issued a notification of enforcement discretion permitting entities covered under the Health Insurance Portability and Accountability Act (HIPAA), and their business associates, to use online or web-based scheduling applications (WBSAs) to schedule appointments for COVID-19 vaccinations during the public health emergency. The notification will be published in the Federal Register on February 24, 2021 and applies as of December 11, 2020.

OCR will not charge covered entities or business associates which use WBSAs to schedule vaccine appointments with violation of the HIPAA rules, provided that they do so in good faith. A WBSA as a non-public facing online application that permits access to data only by the intended parties (a health care provider, the patient or representative, and WBSA workforce member). OCR states that for purposes of the notification, a WBSA does not include appointment scheduling technology connected directly to an electronic health record system.

OCR encourages use of safeguards to protect the privacy and security of protected health information (PHI), including using only the minimum PHI necessary to schedule the appointment; using encryption technology; enabling privacy settings; ensuring that storage of PHI is only temporary; and ensuring the WBSA vendor does not disclose PHI in a manner prohibited by HIPAA, such as selling PHI. However, failure to implement these safeguards will not, in itself, cause OCR to determine that the provider was not acting in good faith. OCR will consider a provider is not acting in good faith if the provider uses a WBSA whose terms of service prohibit the use of the WBSA for scheduling health care services; conducts services other than scheduling vaccination appointments (e.g., determining the patient’s eligibility for vaccination); or screen individuals for COVID-19 prior to an in-person visit.