Enforcement Discretion Regarding Online or Web-Based Scheduling Applications for the Scheduling of Individual Appointments for COVID-19 Vaccination During the COVID-19 Nationwide Public Health Emergency

Federal Register, Feb 24, 2021
86 Fed. Reg. 11139 (Feb. 24, 2021)

AGENCY:

Office of the Secretary, HHS.

ACTION:

Notification of Enforcement Discretion.

SUMMARY:

This Notification is to inform the public that the Department of Health and Human Services (HHS) is exercising its discretion in how it applies the Privacy, Security, and Breach Notification Rules promulgated under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health (HITECH) Act (“HIPAA Rules”). As a matter of enforcement discretion, the HHS Office for Civil Rights (OCR) will not impose penalties for noncompliance with regulatory requirements under the HIPAA Rules against covered health care providers or their business associates in connection with the good faith use of online or web-based scheduling applications for the scheduling of individual appointments for COVID-19 vaccinations during the COVID-19 nationwide public health emergency.

DATES:

This Notification of Enforcement Discretion went into effect on December 11, 2020, and will remain in effect until the Secretary of HHS determines that the public health emergency no longer exists, or upon the expiration date of the public health emergency, including any extensions (as determined by 42 U.S.C. 247d), whichever occurs first.

FOR FURTHER INFORMATION CONTACT:

Rachel Seeger at (202) 619-0403 or (800) 537-7697 (TDD).

SUPPLEMENTARY INFORMATION:

HHS is informing the public that it is exercising its discretion in how it applies the Privacy, Security, and Breach Notification Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act (“HIPAA Rules”) during the nationwide public health emergency declared by the Secretary of HHS.

Public Law 104-191, 100 Stat. 2548 (August 21, 1996).

Due to the public health emergency posed by COVID-19, the HHS Office for Civil Rights (OCR) is exercising its enforcement discretion under the conditions outlined herein. We believe that this guidance is a statement of agency policy not subject to the notice and comment requirements of the Administrative Procedure Act (APA). 5 U.S.C. 553(b)(3)(A). OCR additionally finds that, even if this guidance were subject to the public participation provisions of the APA, prior notice and comment for this guidance is impracticable, and there is good cause to issue this guidance without prior public comment and without a delayed effective date. 5 U.S.C. 553(b)(3)(B) & (d)(3).

Title XIII of the American Recovery and Reinvestment Act, Public Law 111-5, 123 Stat. 226 (February 17, 2009).

See Determination that a Public Health Emergency Exists by the HHS Secretary, pursuant to Section 319 of the Public Health Service Act (January 31, 2020), available at https://www.phe.gov/emergency/news/healthactions/phe/Pages/2019-nCoV.aspx (Determination of January 31, 2020). See also Renewal of Determination That a Public Health Emergency Exists (January 7, 2021), available at https://www.phe.gov/emergency/news/healthactions/phe/Pages/covid19-07Jan2021.aspx. For more information, see https://www.phe.gov/emergency/news/healthactions/phe/Pages/2019-nCoV.aspx.

I. Background

The Office for Civil Rights (OCR) at HHS is responsible for enforcing certain regulations issued under HIPAA and the HITECH Act, to protect the privacy and security of protected health information (PHI), namely the HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”).

During the COVID-19 national emergency, which also constitutes a nationwide public health emergency, certain covered health care providers, including some large pharmacy chains and public health authorities, or their business associates acting for or on behalf of such providers, may choose to use online or web-based scheduling applications (collectively, “WBSAs”) for the limited purpose of scheduling individual appointments for COVID-19 vaccination. For the purposes of this Notification, a WBSA is a non-public facing online or web-based application that provides scheduling of individual appointments for services in connection with large-scale COVID-19 vaccination. “Non-public facing” means that a WBSA, as a default, allows only the intended parties (e.g., a covered health care provider, the individual or personal representative scheduling the appointment, and a WBSA workforce member, if needed to provide technical support) to access data created, received, maintained, or transmitted by the WBSA. For the purposes of this Notification, a WBSA does not include appointment scheduling technology that connects directly to electronic health records (EHR) systems used by covered entities.

See Presidential Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak (Mar. 13, 2020), available at https://www.whitehouse.gov/presidential-actions/proclamation-declaring-national-emergency-concerning-novel-coronavirus-disease-covid-19-outbreak/.

Determination of Jan. 31, 2020.

See 45 CFR 160.103 (definition of “covered entity”).

See 45 CFR 164.501 (definition of “public health authority”). The HIPAA Rules only apply to a public health authority if it is a HIPAA covered entity or business associate. For example, a county health department that administers a health plan, or provides health care services for which it conducts standard electronic transactions (e.g., checking eligibility for coverage, billing insurance), is a HIPAA covered entity. A public health authority that does not meet the definition of a covered entity or business associate is not subject to the HIPAA Rules. See also OCR FAQ, “Are state, county or local health departments required to comply with the HIPAA Privacy Rule?” https://www.hhs.gov/hipaa/for-professionals/faq/358/are-state-county-or-local-health-departments-required-to-comply-with-hipaa/index.html.

The HIPAA Privacy Rule permits a business associate of a HIPAA covered entity to use and disclose PHI to conduct certain activities or functions on behalf of the covered entity, or provide certain services to or for the covered entity, but only pursuant to the explicit terms of a business associate contract or other written agreement or arrangement under 45 CFR 164.502(e)(2) (collectively, “business associate agreement” or BAA), or as required by law. During the COVID-19 public health emergency, covered health care providers need to quickly schedule large numbers of individuals for appointments for COVID-19 vaccination and may use WBSAs to do so. Some of these applications, and the manner in which HIPAA covered health care providers or their business associates use the applications, may not fully comply with the requirements of the HIPAA Rules. Additionally, the vendors of such applications may not be aware that HIPAA covered health care providers are using their products to create, receive, maintain, or transmit electronic protected health information (ePHI), and that a WBSA vendor may, as a result, meet the definition of business associate under the HIPAA Rules.

See 45 CFR 160.103 (definition of “electronic protected health information”).

OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with regulatory requirements under the HIPAA Rules against covered health care providers and their business associates, including WBSA vendors meeting the definition of a business associate, in connection with the good faith use of a WBSA for scheduling appointments for individuals for COVID-19 vaccination during the COVID-19 nationwide public health emergency, as described below.

II. Who/what is covered by this Notification?

This Notification applies to all HIPAA covered health care providers and their business associates when such entities are, in good faith, using WBSAs to schedule individual appointments for COVID-19 vaccination.

See 45 CFR 160.103 (definition of “business associate”).

This Notification also applies to all vendors of WBSAs whose technology is being used by a covered health care provider or its business associate to schedule individuals to receive a COVID-19 vaccine. OCR will exercise enforcement discretion with regard to WBSA vendors regardless of whether the WBSA vendor has actual or constructive knowledge that it meets the definition of a business associate under the HIPAA Rules as described in this Notification.

III. What are reasonable safeguards that covered health care providers and their business associates should consider implementing?

OCR encourages covered health care providers and their business associates using WBSAs in good faith for the scheduling of individual appointments for COVID-19 vaccination to implement reasonable safeguards to protect the privacy and security of individuals' PHI. OCR recommends that covered health care providers and their business associates consider the following recommended reasonable safeguards:

  • Using and disclosing only the minimum PHI necessary for the purpose (e.g., an individual's name and phone number may be the minimum necessary PHI for scheduling the appointment).
  • Using encryption technology to protect PHI.
  • Enabling all available privacy settings (e.g., adjusting WBSA calendar display settings, as needed, to hide names or show only individuals' initials instead of full names on calendar screens).
  • Ensuring that storage of any PHI (including metadata that constitutes PHI) by the vendor is only temporary (e.g., the PHI is returned to the covered health care provider or destroyed as soon as practicable, but no later than 30 days after the appointment).
  • Ensuring the WBSA vendor does not use or disclose ePHI in a manner that is inconsistent with the HIPAA Rules (e.g., does not engage in the sale of ePHI collected from individuals using the WBSA to schedule a COVID-19 vaccination).

Although covered health care providers and business associates are encouraged to implement these reasonable safeguards when using a WBSA to schedule individuals for appointments for COVID-19 vaccination, OCR will exercise its enforcement discretion and not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers or their business associates in connection with the good faith provision of COVID-19 vaccination during the COVID-19 nationwide public health emergency. Failure to implement the recommended reasonable safeguards above will not, in itself, cause OCR to determine that a covered health care provider or its business associate failed to act in good faith for purposes of this Notification.

Covered health care providers and their business associates that seek additional privacy protections for ePHI collected while using WBSAs are encouraged to use application vendors that represent that their WBSAs support compliance with the HIPAA Rules and that the vendors will enter into BAAs in connection with the use of their WBSAs.

Note:

OCR does not endorse, certify, or recommend specific technology, software, applications, or products.

IV. Who/what is not covered under this Notification?

This Notification does not apply to activities of a covered health care provider and its business associates other than the scheduling of COVID-19 vaccinations. Other activities, such as the handling of PHI unrelated to the scheduling of COVID-19 vaccinations, are not included within the scope of this exercise of enforcement discretion. Potential HIPAA penalties still apply to all other HIPAA-covered operations of the covered health care provider and its business associates, unless otherwise stated by OCR.

OCR's Notifications of Enforcement Discretion and other materials relating to the COVID-19 public health emergency are available at https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-covid19/index.html.

Additionally, this Notification does not apply to a covered health care provider or business associate when it fails to act in good faith. For example, OCR will not consider a covered health care provider or business associate to be acting in good faith with respect to the use of a WBSA for the scheduling of individual appointments for COVID-19 vaccination where the covered health care provider or business associate uses a WBSA:

  • Whose terms of service prohibit the use of the WBSA for scheduling health care services or state that the WBSA may sell personal information that it collects.
  • To conduct services other than scheduling appointments for COVID-19 vaccination (e.g., to determine individuals' eligibility for COVID-19 vaccination).
  • Without reasonable security safeguards (e.g., access controls) to prevent the PHI from being readily accessed or viewed by unauthorized persons.
  • To screen individuals for COVID-19 prior to individuals' in-person health care visits.

V. Collection of Information Requirements

This Notification of Enforcement Discretion creates no legal obligations and no legal rights. Because this notice imposes no information collection requirements, it need not be reviewed by the Office of Management and Budget under the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.).

Dated: February 12, 2021.

Robinsue Frohboese

Acting Director and Principal Deputy Director, Office for Civil Rights, U.S. Department of Health and Human Services.

[FR Doc. 2021-03348 Filed 2-23-21; 8:45 am]

BILLING CODE 4153-01-P