Enforcement Discretion Regarding Online or Web-Based Scheduling Applications for the Scheduling of Individual Appointments for COVID-19 Vaccination During the COVID-19 Nationwide Public Health Emergency
Notification of Enforcement Discretion.
CFR Part: "45 CFR Parts 160 and 164"
Citation: "86 FR 11139"
Page Number: "11139"
"Rules and Regulations"
Agency: "
SUMMARY: This Notification is to inform the public that the
DATES: This Notification of Enforcement Discretion went into effect on
FOR FURTHER INFORMATION CONTACT:
SUPPLEMENTARY INFORMATION: HHS is informing the public that it is exercising its discretion in how it applies the Privacy, Security, and Breach Notification Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) /1/ and the Health Information Technology for
FOOTNOTE 1 Public Law 104-191, 100 Stat. 2548 (
FOOTNOTE 2 Title XIII of the American Recovery and Reinvestment Act, Public Law 111-5, 123 Stat. 226 (
FOOTNOTE 3 See Determination that a Public Health Emergency Exists by the HHS Secretary, pursuant to Section 319 of the Public Health Service Act (
I. Background
During the COVID-19 national emergency, /4/ which also constitutes a nationwide public health emergency, /5/ certain covered health care providers, /6/ including some large pharmacy chains and public health authorities, /7/ or their business associates acting for or on behalf of such providers, may choose to use online or web-based scheduling applications (collectively, "WBSAs") for the limited purpose of scheduling individual appointments for COVID-19 vaccination. For the purposes of this Notification, a WBSA is a non-public facing online or web-based application that provides scheduling of individual appointments for services in connection with large-scale COVID-19 vaccination. "Non-public facing" means that a WBSA, as a default, allows only the intended parties (e.g., a covered health care provider, the individual or personal representative scheduling the appointment, and a WBSA workforce member, if needed to provide technical support) to access data created, received, maintained, or transmitted by the WBSA. For the purposes of this Notification, a WBSA does not include appointment scheduling technology that connects directly to electronic health records (EHR) systems used by covered entities.
FOOTNOTE 4 See Presidential Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak (
FOOTNOTE 5 Determination of
FOOTNOTE 6 See 45 CFR 160.103 (definition of "covered entity"). END FOOTNOTE
FOOTNOTE 7 See 45 CFR 164.501 (definition of "public health authority"). The HIPAA Rules only apply to a public health authority if it is a HIPAA covered entity or business associate. For example, a county health department that administers a health plan, or provides health care services for which it conducts standard electronic transactions (e.g., checking eligibility for coverage, billing insurance), is a HIPAA covered entity. A public health authority that does not meet the definition of a covered entity or business associate is not subject to the HIPAA Rules. See also OCR FAQ, "Are state, county or local health departments required to comply with the HIPAA Privacy Rule?" https://www.hhs.gov/hipaa/for-professionals/faq/358/are-state-county-or-local-health-departments-required-to-comply-with-hipaa/index.html. END FOOTNOTE
The HIPAA Privacy Rule permits a business associate of a HIPAA covered entity to use and disclose PHI to conduct certain activities or functions on behalf of the covered entity, or provide certain services to or for the covered entity, but only pursuant to the explicit terms of a business associate contract or other written agreement or arrangement under 45 CFR 164.502(e)(2) (collectively, "business associate agreement" or BAA), or as required by law. During the COVID-19 public health emergency, covered health care providers need to quickly schedule large numbers of individuals for appointments for COVID-19 vaccination and may use WBSAs to do so. Some of these applications, and the manner in which HIPAA covered health care providers or their business associates use the applications, may not fully comply with the requirements of the HIPAA Rules. Additionally, the vendors of such applications may not be aware that HIPAA covered health care providers are using their products to create, receive, maintain, or transmit electronic protected health information (ePHI), and that a WBSA vendor may, as a result, meet the definition of business associate under the HIPAA Rules. /8/
FOOTNOTE 8 See 45 CFR 160.103 (definition of "electronic protected health information"). END FOOTNOTE
OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with regulatory requirements under the HIPAA Rules against covered health care providers and their business associates, including WBSA vendors meeting the definition of a business associate, in connection with the good faith use of a WBSA for scheduling appointments for individuals for COVID-19 vaccination during the COVID-19 nationwide public health emergency, as described below.
II. Who/what is covered by this Notification?
This Notification applies to all HIPAA covered health care providers and their business associates /9/ when such entities are, in good faith, using WBSAs to schedule individual appointments for COVID-19 vaccination.
FOOTNOTE 9 See 45 CFR 160.103 (definition of "business associate"). END FOOTNOTE
This Notification also applies to all vendors of WBSAs whose technology is being used by a covered health care provider or its business associate to schedule individuals to receive a COVID-19 vaccine. OCR will exercise enforcement discretion with regard to WBSA vendors regardless of whether the WBSA vendor has actual or constructive knowledge that it meets the definition of a business associate under the HIPAA Rules as described in this Notification.
III. What are reasonable safeguards that covered health care providers and their business associates should consider implementing?
OCR encourages covered health care providers and their business associates using WBSAs in good faith for the scheduling of individual appointments for COVID-19 vaccination to implement reasonable safeguards to protect the privacy and security of individuals' PHI. OCR recommends that covered health care providers and their business associates consider the following recommended reasonable safeguards:
* Using and disclosing only the minimum PHI necessary for the purpose (e.g., an individual's name and phone number may be the minimum necessary PHI for scheduling the appointment).
* Using encryption technology to protect PHI.
* Enabling all available privacy settings (e.g., adjusting WBSA calendar display settings, as needed, to hide names or show only individuals' initials instead of full names on calendar screens).
* Ensuring that storage of any PHI (including metadata that constitutes PHI) by the vendor is only temporary (e.g., the PHI is returned to the covered health care provider or destroyed as soon as practicable, but no later than 30 days after the appointment). /10/
FOOTNOTE 10 Once the WBSA vendor securely returns or destroys the ePHI (as determined by its arrangements with the covered health care provider), the WBSA vendor is no longer a business associate to that covered health care provider. END FOOTNOTE
* Ensuring the WBSA vendor does not use or disclose ePHI in a manner that is inconsistent with the HIPAA Rules (e.g., does not engage in the sale of ePHI /11/ collected from individuals using the WBSA to schedule a COVID-19 vaccination).
FOOTNOTE 11 See 45 CFR 164.502(a)(5)(B)(2). END FOOTNOTE
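The safeguards above (minimum necessary PHI, initials-only calendar display, and time-limited vendor storage) can be expressed as concrete checks in a scheduling application. The following Python is an added example written for this page; it is not code from OCR, HHS, or any WBSA vendor. The field allowlist, the `Appointment` record, and the rule that a record is purged once 30 days have elapsed since the appointment date are assumptions chosen to match the Notification's examples; the sample submissions are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: name and phone are the minimum necessary fields for scheduling,
# following the Notification's own example. Anything else in a submitted form
# (diagnoses, insurance IDs, etc.) is dropped before storage.
MINIMUM_NECESSARY_FIELDS = frozenset({"full_name", "phone", "appointment_date"})

# "no later than 30 days after the appointment" (from the Notification).
RETENTION_DAYS = 30


@dataclass(frozen=True)
class Appointment:
    # Hypothetical record holding only the minimum-necessary scheduling data.
    full_name: str
    phone: str
    appointment_date: date


def minimum_necessary(submission: dict) -> dict:
    """Keep only allowlisted fields from a raw form submission.

    Returns the filtered dict; extra fields are discarded, not stored.
    """
    return {k: v for k, v in submission.items() if k in MINIMUM_NECESSARY_FIELDS}


def calendar_label(appt: Appointment) -> str:
    """Render a calendar entry as initials only (privacy-setting example).

    "Jane Q Public" -> "J.Q.P."
    """
    parts = [p for p in appt.full_name.split() if p]
    return "".join(p[0].upper() + "." for p in parts)


def purge_expired(appointments, today: date):
    """Apply the retention limit: split records into (kept, purged).

    Assumption: a record is purged once RETENTION_DAYS or more have elapsed
    since its appointment date, so nothing remains past day 30.
    """
    kept, purged = [], []
    for appt in appointments:
        if (today - appt.appointment_date).days >= RETENTION_DAYS:
            purged.append(appt)
        else:
            kept.append(appt)
    return kept, purged


def schedule(submission: dict) -> Appointment:
    """Build a stored record from a submission after minimum-necessary filtering."""
    clean = minimum_necessary(submission)
    return Appointment(
        full_name=clean["full_name"],
        phone=clean["phone"],
        appointment_date=clean["appointment_date"],
    )


if __name__ == "__main__":
    # Constructed sample submissions (not real individuals).
    raw = {
        "full_name": "Jane Q Public",
        "phone": "555-0100",
        "appointment_date": date(2021, 3, 1),
        "diagnosis": "should never be stored",  # over-collection, dropped
    }
    appt = schedule(raw)
    print(calendar_label(appt))  # J.Q.P.
    old = Appointment("Ann Bell", "555-0101", date(2021, 2, 1))
    kept, purged = purge_expired([appt, old], today=date(2021, 3, 5))
    print(len(kept), "kept,", len(purged), "purged")
```

The purge function is meant to run as a scheduled job on the vendor side; pairing it with the initials-only label and the allowlist gives a small, auditable implementation of three of the recommended safeguards without touching any EHR system.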
Although covered health care providers and business associates are encouraged to implement these reasonable safeguards when using a WBSA to schedule individuals for appointments for COVID-19 vaccination, OCR will exercise its enforcement discretion and not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers or their business associates in connection with the good faith provision of COVID-19 vaccination during the COVID-19 nationwide public health emergency. Failure to implement the recommended reasonable safeguards above will not, in itself, cause OCR to determine that a covered health care provider or its business associate failed to act in good faith for purposes of this Notification.
Covered health care providers and their business associates that seek additional privacy protections for ePHI collected while using WBSAs are encouraged to use application vendors that represent that their WBSAs support compliance with the HIPAA Rules and that the vendors will enter into BAAs in connection with the use of their WBSAs.
Note: OCR does not endorse, certify, or recommend specific technology, software, applications, or products.
IV. Who/what is not covered under this Notification?
This Notification does not apply to activities of a covered health care provider and its business associates other than the scheduling of COVID-19 vaccinations. Other activities, such as the handling of PHI unrelated to the scheduling of COVID-19 vaccinations, are not included within the scope of this exercise of enforcement discretion. Potential HIPAA penalties still apply to all other HIPAA-covered operations of the covered health care provider and its business associates, unless otherwise stated by OCR. /12/
FOOTNOTE 12 OCR's Notifications of Enforcement Discretion and other materials relating to the COVID-19 public health emergency are available at https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-covid19/index.html. END FOOTNOTE
Additionally, this Notification does not apply to a covered health care provider or business associate when it fails to act in good faith. For example, OCR will not consider a covered health care provider or business associate to be acting in good faith with respect to the use of a WBSA for the scheduling of individual appointments for COVID-19 vaccination where the covered health care provider or business associate uses a WBSA:
* Whose terms of service prohibit the use of the WBSA for scheduling health care services or state that the WBSA may sell personal information that it collects.
* To conduct services other than scheduling appointments for COVID-19 vaccination (e.g., to determine individuals' eligibility for COVID-19 vaccination).
* Without reasonable security safeguards (e.g., access controls) to prevent the PHI from being readily accessed or viewed by unauthorized persons.
* To screen individuals for COVID-19 prior to individuals' in-person health care visits.
V. Collection of Information Requirements
This Notification of Enforcement Discretion creates no legal obligations and no legal rights. Because this notice imposes no information collection requirements, it need not be reviewed by the
Dated:
Acting Director and Principal Deputy Director,
[FR Doc. 2021-03348 Filed 2-23-21;
BILLING CODE 4153-01-P