In a scramble to utilize new software, the Office of Civil Rights (OCR) at the United States Department of Health and Human Services has recently elected to temporarily suspend HIPAA fines for vaccine management systems. The new, good-faith measure was put in place in an attempt to expedite the availability of COVID-19-related software for the purpose of scheduling vaccinations.
This announcement, made in late February, gives leeway to healthcare providers, business vendors, and WBSAs, which are web-based applications that are non-public facing and utilized by healthcare providers in compliance with their existing software. Software companies, and the healthcare providers that utilize their services, will temporarily be able to bypass the penalties that come with noncompliance with HIPAA regulations; this includes privacy, security, and breach notification rules.
The OCR has stated with certainty that these measures are necessary, citing the national emergency as the primary cause for the decision. Though this will help healthcare providers manage COVID-19 vaccinations with less restriction and provide a safety net to vendors that do not know their software is being used by HIPAA-regulated entities, the suspension of fines could open the way to data breaches from third parties.
As it stands, the OCR is leaving data protection to the discretion of healthcare providers, encouraging a minimal release of PHI (protected health information), as well as encryption of all PHI that is being transferred. They also suggest that any PHI stored by a third party should be temporary and that all relevant privacy settings be enforced by healthcare providers. However, as good as those suggestions sound, without the proper enforcement of these practices by an unbiased third party, many healthcare providers may lack not only the software to ensure these precautions are met, but also the ability to retroactively change the terms of existing agreements now that PHI may be more easily accessed.
This is the fifth time during the pandemic that OCR has elected to not enforce penalties for selected entities in the healthcare field. So far, these measures have been a benefit to the thousands of people who handle day-to-day COVID-19 operations. It’s too early to tell what the long-term repercussions of these fine suspensions will be, but the hope is that the good faith is well warranted. This penalty waiver does not yet have a set date of expiration and will be retroactive to December 11, 2020.