Federal Register - February 24, 2021
Source: Federal Register
11140
Federal Register / Vol. 86, No. 35 / Wednesday, February 24, 2021 / Rules and Regulations
enforcement discretion, the HHS Office for Civil Rights (OCR) will not impose penalties for noncompliance with regulatory requirements under the HIPAA Rules against covered health care providers or their business associates in connection with the good faith use of online or web-based scheduling applications for the scheduling of individual appointments for COVID-19 vaccinations during the COVID-19 nationwide public health emergency.
DATES: This Notification of Enforcement Discretion went into effect on December 11, 2020, and will remain in effect until the Secretary of HHS determines that the public health emergency no longer exists, or upon the expiration date of the public health emergency, including any extensions as determined by 42 U.S.C. 247d, whichever occurs first.
FOR FURTHER INFORMATION CONTACT: Rachel Seeger at (202) 619-0403 or (800) 537-7697 (TDD).
SUPPLEMENTARY INFORMATION: HHS is informing the public that it is exercising its discretion in how it applies the Privacy, Security, and Breach Notification Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) 1 and the Health Information Technology for Economic and Clinical Health (HITECH) Act 2 (HIPAA Rules) during the nationwide public health emergency declared by the Secretary of HHS.3
I. Background
The Office for Civil Rights (OCR) at HHS is responsible for enforcing certain regulations issued under HIPAA and the HITECH Act, to protect the privacy and security of protected health information (PHI), namely the HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules).
1 Public Law 104-191, 100 Stat. 2548 (August 21, 1996). Due to the public health emergency posed by COVID-19, the HHS Office for Civil Rights (OCR) is exercising its enforcement discretion under the conditions outlined herein. We believe that this guidance is a statement of agency policy not subject to the notice and comment requirements of the Administrative Procedure Act (APA). 5 U.S.C. 553(b)(3)(A). OCR additionally finds that, even if this guidance were subject to the public participation provisions of the APA, prior notice and comment for this guidance is impracticable, and there is good cause to issue this guidance without prior public comment and without a delayed effective date. 5 U.S.C. 553(b)(3)(B) & (d)(3).
2 Title XIII of the American Recovery and Reinvestment Act, Public Law 111-5, 123 Stat. 226 (February 17, 2009).
3 See Determination that a Public Health Emergency Exists by the HHS Secretary, pursuant to Section 319 of the Public Health Service Act (January 31, 2020), available at https://www.phe.gov/emergency/news/healthactions/phe/Pages/2019-nCoV.aspx (Determination of January 31, 2020). See also Renewal of Determination That a Public Health Emergency Exists (January 7, 2021), available at https://www.phe.gov/emergency/news/healthactions/phe/Pages/covid19-07Jan2021.aspx. For more information, see https://www.phe.gov/emergency/news/healthactions/phe/Pages/2019-nCoV.aspx.
During the COVID-19 national emergency,4 which also constitutes a nationwide public health emergency,5 certain covered health care providers,6 including some large pharmacy chains and public health authorities,7 or their business associates acting for or on behalf of such providers, may choose to use online or web-based scheduling applications (collectively, WBSAs) for the limited purpose of scheduling individual appointments for COVID-19 vaccination. For the purposes of this Notification, a WBSA is a non-public facing online or web-based application that provides scheduling of individual appointments for services in connection with large-scale COVID-19 vaccination.
Non-public facing means that a WBSA, as a default, allows only the intended parties (e.g., a covered health care provider, the individual or personal representative scheduling the appointment, and a WBSA workforce member, if needed to provide technical support) to access data created, received, maintained, or transmitted by the WBSA. For the purposes of this Notification, a WBSA does not include appointment scheduling technology that connects directly to electronic health records (EHR) systems used by covered entities.
The HIPAA Privacy Rule permits a business associate of a HIPAA covered entity to use and disclose PHI to conduct certain activities or functions on behalf of the covered entity, or provide certain services to or for the covered entity, but only pursuant to the explicit terms of a business associate contract or other written agreement or arrangement under 45 CFR 164.502(e)(2) (collectively, business associate agreement or BAA), or as required by law. During the COVID-19 public health emergency, covered health care providers need to quickly schedule large numbers of individuals for appointments for COVID-19 vaccination and may use WBSAs to do so. Some of these applications, and the manner in which HIPAA covered health care providers or their business associates use the applications, may not fully comply with the requirements of the HIPAA Rules. Additionally, the vendors of such applications may not be aware that HIPAA covered health care providers are using their products to create, receive, maintain, or transmit electronic protected health information (ePHI), and that a WBSA vendor may, as a result, meet the definition of business associate under the HIPAA Rules.8
4 See Presidential Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak (Mar. 13, 2020), available at https://www.whitehouse.gov/presidential-actions/proclamation-declaring-national-emergency-concerning-novel-coronavirus-disease-covid-19-outbreak/.
5 Determination of Jan. 31, 2020.
6 See 45 CFR 160.103 (definition of covered entity).
7 See 45 CFR 164.501 (definition of public health authority). The HIPAA Rules only apply to a public health authority if it is a HIPAA covered entity or business associate. For example, a county health department that administers a health plan, or provides health care services for which it conducts standard electronic transactions (e.g., checking eligibility for coverage, billing insurance), is a HIPAA covered entity. A public health authority that does not meet the definition of a covered entity or business associate is not subject to the HIPAA Rules. See also OCR FAQ, Are state, county or local health departments required to comply with the HIPAA Privacy Rule? https://www.hhs.gov/hipaa/for-professionals/faq/358/are-state-county-or-local-health-departments-required-to-comply-with-hipaa/index.html.
OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with regulatory requirements under the HIPAA Rules against covered health care providers and their business associates, including WBSA vendors meeting the definition of a business associate, in connection with the good faith use of a WBSA for scheduling appointments for individuals for COVID-19 vaccination during the COVID-19 nationwide public health emergency, as described below.
II. Who/what is covered by this Notification?
This Notification applies to all HIPAA covered health care providers and their business associates 9 when such entities are, in good faith, using WBSAs to schedule individual appointments for COVID-19 vaccination.
This Notification also applies to all vendors of WBSAs whose technology is being used by a covered health care provider or its business associate to schedule individuals to receive a COVID-19 vaccine. OCR will exercise enforcement discretion with regard to WBSA vendors regardless of whether the WBSA vendor has actual or constructive knowledge that it meets the definition of a business associate under the HIPAA Rules as described in this Notification.
8 See 45 CFR 160.103 (definition of electronic protected health information).
9 See 45 CFR 160.103 (definition of business associate).