COVID-19 vaccinations are beginning to be made available to the public. As of this writing, health care workers and adults age 65 or older are eligible to receive the COVID-19 vaccine in North Carolina. As vaccine roll-out continues, additional groups of individuals will become eligible.
North Carolina local health departments are critical partners in the effort to administer COVID-19 vaccinations to large numbers of people rapidly. They are also HIPAA-covered entities that must comply with regulations including the HIPAA Privacy Rule, the Security Rule, and the Breach Notification Rule. Among other things, these rules require covered health care providers to maintain the security of individually identifiable health information that is collected or maintained electronically, including information that is collected for the purpose of scheduling appointments for health care services. Determining how to schedule appointments for individuals while not violating these rules has posed a challenge to HIPAA-covered providers operating large-scale COVID-19 vaccination clinics.
On Tuesday, January 19, the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) —the HIPAA enforcement agency—issued a Notice of Enforcement Discretion (NED) stating that OCR will not impose penalties against covered health care providers or their business associates who use online or web-based scheduling applications to schedule individual appointments for COVID-19 vaccinations, provided the health care provider or business associate acts in good faith. The enforcement discretion is effective retroactively to December 11, 2020, and will remain in effect for the duration of the COVID-19 public health emergency. Read on for additional details.
Why was the Notice of Enforcement Discretion (NED) issued?
As COVID-19 vaccine becomes more widely available, local health departments and other HIPAA-covered health care providers need to be able to hold large-scale COVID-19 vaccination events efficiently. To make appointments for vaccination, health care providers must collect information from individuals that constitutes protected health information (PHI) under HIPAA.
Ordinarily, HIPAA-covered providers must assure that technologies used to collect or maintain PHI electronically satisfy particular security standards. Further, vendors of electronic systems for collecting or maintaining PHI for appointments or other purposes must enter business associate agreements with HIPAA-covered health care providers and must comply with parts of the HIPAA regulations. The NED has the effect of temporarily excusing covered entities and their business associates from some of these requirements, for the limited purpose of supporting the scheduling of COVID-19 vaccination appointments.
What does the NED allow?
The NED allows HIPAA-covered health care providers and their business associates (BAs) to use non-public facing web-based scheduling applications to schedule COVID-19 vaccination appointments without risk of HIPAA enforcement penalties during the COVID-19 public health emergency, provided the covered health care provider or BA acts in good faith.
What is a non-public facing web-based scheduling application?
The NED defines a web-based scheduling application (WBSA) as a non-public facing online or web-based application that provides scheduling of individual appointments for services in connection with large-scale COVID-19 vaccination events.
A WBSA is non-public facing if, as a default, it allows only the intended parties—such as a health care provider, an individual scheduling an appointment, or a WBSA workforce member providing tech support—to access the data created, received, maintained, or transmitted by the WBSA.
The definition of WBSA does not include appointment scheduling technology that is part of an electronic health record (EHR). If a local health department or other covered health care provider uses appointment scheduling technology that is part of its EHR for scheduling COVID-19 vaccinations, the NED does not apply to those uses.
What does the requirement to act in good faith mean?
Enforcement discretion does not apply when an entity fails to act in good faith. The NED expressly identifies several actions that OCR will not consider to be good-faith actions. Specifically, a health care provider or BA will not be acting in good faith if it does any of the following:
- Uses a WBSA whose terms of service prohibit the use of the WBSA for scheduling health care services, or whose terms of service state that the WBSA may sell the personal information that it collects.
- Uses a WBSA to conduct services other than scheduling COVID-19 vaccination appointments, such as determining vaccination eligibility. Local health departments should not use WBSAs to determine eligibility for vaccination under North Carolina’s priority system.
- Uses a WBSA without implementing reasonable security safeguards, such as access controls, to prevent the PHI from being readily accessed or viewed by unauthorized persons.
- Uses a WBSA to screen individuals for COVID-19 prior to the individual’s in-person health care visits.
Are there specific actions that users of WBSAs should take to safeguard individuals’ information?
The NED recommends, but does not require, that health care providers who use a WBSA to make COVID-19 vaccination appointments implement the following reasonable safeguards to protect individuals’ information:
- Use and disclose only the minimum PHI necessary for the purpose. For example, an individual’s name and phone number may be the minimum necessary PHI for scheduling the vaccination appointment.
- Use encryption technology to protect PHI.
- Enable all applicable privacy settings in the WBSA, such as adjusting calendar display settings to hide names or use initials instead of names on calendar screens.
- Ensure that the storage of any PHI by the vendor is temporary, for example by arranging for the PHI to be returned to the covered health care provider or destroyed within 30 days after the appointment. (Although this action is not required by OCR, it is necessary to terminate the WBSA’s status as a BA of the covered health care provider—see the next question in this post—so it should be done.)
- Ensure the WBSA vendor does not use or disclose ePHI in a manner that is inconsistent with HIPAA.
Because these are recommended but not required actions, failure to implement the recommendations will not in itself cause OCR to determine that a covered provider or BA failed to act in good faith.
Is a WBSA used for appointment scheduling a business associate (BA) as defined by HIPAA?
When a covered health care provider uses a WBSA to schedule a COVID-19 vaccination appointment, the WBSA is acting as a BA to the covered health care provider. Ordinarily this would mean a BA agreement is required. However, as long as the NED is in effect, the requirement for a BA agreement will not be enforced.
The NED notes that a WBSA retains its technical status as a BA (though not one for which a BA agreement is required) until it destroys the PHI collected in connection with the COVID-19 vaccination appointment scheduling, or returns it to the covered health care provider. It is therefore important for local health departments to determine, before a WBSA is put into use, how the PHI collected by the WBSA will be destroyed or returned.
Which COVID-19 services does the NED apply to?
The January 19 NED applies only to the scheduling of COVID-19 vaccination appointments. It does not apply to any other activities or services, including other services related to COVID-19. Note, however, that OCR has previously released NEDs relating to community-based COVID testing sites, the use of telehealth during the pandemic, and certain other activities necessitated by the pandemic and affecting HIPAA compliance.
What are the effective dates of the NED?
The NED was released on January 19, 2021, but was made retroactive to December 11, 2020. It will remain in effect for the duration of the COVID-19 public health emergency as determined by the U.S. Secretary of Health & Human Services.