HHS suspends HIPAA-compliance penalties related to online scheduling of COVID-19 vaccinations

The U.S. Department of Health and Human Services’ Office for Civil Rights announced Feb. 24 that it will not impose penalties for noncompliance with the Health Insurance Portability and Accountability Act against covered health care providers in connection with the good faith use of online or web-based applications for scheduling appointments of COVID-19 vaccinations.

The suspension of penalties will remain in effect until the HHS secretary determines that the public health emergency no longer exists.

The HHS Office of Civil Rights encourages covered health care providers and their business associates utilizing online scheduling to implement reasonable safeguards to protect the privacy and security of individuals' protected health information.

The office recommends that covered health care providers and their business associates consider the following safeguards:

• Using and disclosing only the minimum protected health information necessary (e.g., an individual's name and phone number may be the minimum necessary for scheduling the appointment).
• Using encryption technology to protect protected health information.
• Enabling all available privacy settings (e.g., adjusting calendar display settings, as needed, to hide names or show only individuals' initials instead of full names).
• Ensuring that storage of any protected health information by the scheduling vendor is only temporary (e.g., the protected health information is returned to the covered health care provider or destroyed as soon as practicable, but no later than 30 days after the appointment).
• Ensuring the scheduling vendor does not use or disclose electronic protected health information in a manner that is inconsistent with HIPAA rules (e.g., does not engage in the impermissible sale of electronic protected health information collected from individuals who attempt to schedule a COVID-19 vaccination

This notification does not apply to activities of a covered health care provider and its business associates other than the scheduling of COVID-19 vaccinations. Potential HIPAA penalties still apply to all other HIPAA-covered operations of the covered health care provider and its business associates, unless otherwise stated by the Office of Civil Rights. Additionally, this notification does not apply to a covered health care provider or business associate when it fails to act in good faith.

The Office for Civil Rights is responsible for enforcing certain regulations issued under HIPAA to protect the privacy and security of protected health information.