HHS Won’t Enforce Penalties for Good Faith Use of COVID-19 Vaccination Scheduling Technologies

On February 24, 2021, the Department of Health and Human Services Office for Civil Rights (OCR) announced that it won’t enforce fines against providers for potential Health Insurance Portability and Accountability Act (HIPAA) violations related to the limited, good faith use of online scheduling applications for COVID-19 vaccination appointments. This enforcement discretion is applicable to all healthcare providers and their business associates, including web-based scheduling application vendors. Although there will be no penalties for the use of apps and other tools that don’t fully comply with HIPAA, the OCR encourages the use of reasonable safeguards to protect the privacy and security of patients’ protected health information, including using encryption technology, enabling all available privacy settings, and using only the minimum necessary data. The decision has a retroactive date of December 11, 2020.