I’ve been impressed with everything that the various organizations within HHS have done to try and help healthcare organizations deal with the pandemic. OCR has done a lot around HIPAA including the enforcement discretion around HIPAA penalties associated with telehealth. Of course, Mitch Parker pointed out what the enforcement discretion really means and that the enforcement discretion doesn’t absolve you completely from responsibility. OCR also offered another enforcement discretion around HIPAA BAs sharing health data with public health organizations.
In another similar effort, OCR recently announced another enforcement discretion for use of online or web-based scheduling applications for scheduling COVID-19 vaccination appointments. Here’s a short summary of the enforcement discretion:
Today, the Office for Civil Rights (OCR) at the U.S Department of Health and Human Services (HHS) announced that it will exercise its enforcement discretion and will not impose penalties for violations of the HIPAA Rules on covered health care providers or their business associates in connection with the good faith use of online or web-based scheduling applications (collectively, “WBSAs”) for the scheduling of individual appointments for COVID-19 vaccinations during the COVID-19 nationwide public health emergency. This exercise of enforcement discretion is effective immediately, but has retroactive effect to December 11, 2020.
The Notification explains that the exercise of enforcement discretion applies to covered health care providers and their business associates, including WBSA vendors (as WBSA is defined in the Notification), when the WBSA is used in good faith and only for the limited purpose of scheduling individual appointments for COVID-19 vaccinations during the COVID-19 nationwide public health emergency. Although OCR is exercising enforcement discretion, the Notification encourages the use of reasonable safeguards to protect the privacy and security of individuals’ protected health information (PHI), such as using only the minimum necessary PHI, encryption technology, and enabling all available privacy settings.
This is probably a good discretion since many healthcare organizations hadn’t prepared for the roll out of the vaccine. That said, there are HIPAA compliant solutions out there. I know a company I work with, CareCognitics, rolled out a COVID vaccine solution for an organization in under a week. So, there are options that can be implemented quickly and are HIPAA compliant. Plus, they’re no doubt better than a consumer scheduling app in a number of other ways as well. In fact, many companies are offering the COVID vaccine technology for free.
With this in mind, I’m interested to see how long this enforcement discretion lasts. It’s one thing to implement something like this in a rush to immunize your own staff. Although, it doesn’t scale and is a privacy risk that I don’t think most healthcare organizations want to take on long term. Especially when there are better solutions out there. It makes sense for OCR to not be punitive about this area, but that doesn’t mean a poorly implemented solution that doesn’t take into account patient privacy won’t come back to bite an organization long term.
We’re going to see this with telehealth as well. In the rush of COVID and the emergency situations that occur, it makes sense why we shouldn’t throw HIPAA violations at healthcare organizations that were just doing their best to connect loved ones and care for patients in the safest way possible. However, that HIPAA enforcement discretion for telehealth shouldn’t and I predict won’t last forever. There are secure telehealth solutions out there. We’re at the point now that not using one and having one available seems like poor judgment.
You can find the full text of the online web-base scheduling application enforcement discretion here. What do you think of this enforcement discretion? Will it help your organization? What are you using to manage COVID vaccinations in your organization?
