
OCR will not enforce HIPAA for COVID-19 vaccination appointment scheduling

The HHS Office for Civil Rights (OCR) recently announced that it will apply enforcement discretion for healthcare providers and their business associates using web-based scheduling applications (WBSAs) for COVID-19 vaccination appointments. Let's discuss how this will affect your healthcare business’s role in fighting the ongoing pandemic.


What is enforcement discretion?

Enforcement discretion means the OCR will not impose penalties on covered entities or business associates if they are non-compliant with HIPAA guidelines. 




When will the OCR use enforcement discretion?

In an effort to increase vaccine distribution, the OCR is using enforcement discretion to help organizations schedule appointments for the COVID-19 vaccination using web-based scheduling applications, such as Zocdoc or Phreesia.


What does this mean for healthcare providers?

Usually, a WBSA would have to follow specific rules to keep protected health information (PHI) safe and sign a business associate agreement (BAA). However, this recent announcement means that healthcare providers are free to choose a WBSA without signing a BAA or ensuring the vendor is capable of meeting HIPAA security requirements. This news protects healthcare providers and also protects WBSA companies that may be unaware they are handling PHI. The OCR has made similar decisions in the past, like relaxing requirements around telehealth during the pandemic.




Enforcement discretion doesn't mean healthcare providers should ignore data security. It would be best to put reasonable safeguards in place with a WBSA, such as:


  • Using only the minimum PHI
  • Enabling all privacy settings
  • Using encryption technology 
  • Ensuring PHI storage by the vendor is temporary
  • Ensuring the WBSA vendor doesn't use or disclose PHI


Are all circumstances covered under enforcement discretion?

While the OCR is willing to make many exceptions, there are still a few circumstances where you could face HIPAA violations. The OCR will enforce HIPAA guidelines if it discovers an organization is not acting “in good faith.” Some circumstances include:


  • A WBSA selling PHI that it collects
  • Using a WBSA for other services besides COVID-19 vaccine appointments
  • No reasonable safeguards to prevent unauthorized users from accessing data
  • Using a WBSA to screen individuals before their visits


To learn more about enforcement discretion for COVID-19 vaccine appointments, read the OCR’s announcement.



Enforcement discretion will help healthcare providers schedule appointments for the COVID-19 vaccine without fear of retribution if the platform they choose doesn't meet HIPAA guidelines. However, enforcement discretion is only used for this one specific circumstance. Using a HIPAA compliant vendor will keep your data and your company more secure, and you can use it for everything instead of just one occasion.

This is true for sending HIPAA compliant email as well. Paubox Email Suite encrypts all email by default, so every message is HIPAA compliant automatically with no change in user behavior. Paubox Email Suite seamlessly integrates with your current email provider, such as Google Workspace or Microsoft 365. Emails are sent directly to a patient's inbox, meaning they no longer have to log in to a portal or use a password to access messages. Taking the time to protect PHI from cyberattacks will pay off in the long run.