COVID Vaccine-Scheduling Apps Protected Against HIPAA Violations

By Devin Partida, Editor-in-Chief,
Twitter: @rehackmagazine

On Jan. 20, the Office for Civil Rights (OCR) issued a notice of enforcement regarding HIPAA regulations and COVID-19 vaccine-scheduling apps. The update states that the OCR won’t impose HIPAA noncompliance penalties related to good-faith use of these services. This suspension of penalties, retroactively effective to Dec. 11, 2020, could have a considerable impact on vaccine rollout.

Not all vaccine-related apps are free from HIPAA restrictions under this new guidance. The penalty suspension only applies to nonpublic-facing applications for scheduling COVID-19 vaccine appointments. Public-facing apps and activities outside of COVID vaccine scheduling still face HIPAA penalties.

This update doesn’t mean these apps are entirely immune to HIPAA regulations. If one of these services connects directly to an electronic health record, it would still be liable for HIPAA noncompliance. Similarly, any use of these apps that isn’t in good faith can result in penalties.

The OCR still recommends that covered entities follow some basic privacy guidelines when using these services. The recommendations include using encryption, showing initials instead of full names, and ensuring that storage of personal health information is temporary. Violating these guidelines doesn’t necessarily mean an entity didn’t act in good faith, though.
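The three recommendations above map directly onto a small data-handling design: keep only initials in the clear, encrypt whatever contact detail the app genuinely needs, and give every record an expiry that is enforced by a purge routine. The Go program below is an added illustration written for this article, not code from the OCR or from any real scheduling vendor; the `Store`, `Schedule` and `Purge` names, the AES-256-GCM choice for the contact field, and the 24-hour retention window are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
	"unicode"
)

// Appointment is the minimized record the scheduling service keeps.
// Only initials are stored in the clear; the contact detail needed to
// send a reminder is encrypted; every record carries an expiry time.
type Appointment struct {
	Initials  string
	Slot      time.Time
	Contact   []byte // AES-256-GCM ciphertext with the nonce prepended
	ExpiresAt time.Time
}

// Initials reduces a full name to its initials: "Jane Q. Public" -> "J.Q.P."
func Initials(fullName string) string {
	var b strings.Builder
	for _, part := range strings.Fields(fullName) {
		for _, r := range part {
			if unicode.IsLetter(r) {
				b.WriteRune(unicode.ToUpper(r))
				b.WriteByte('.')
				break
			}
		}
	}
	return b.String()
}

// seal encrypts plaintext with AES-256-GCM and prepends the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal, authenticating the ciphertext before returning it.
func open(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Store is a hypothetical in-memory appointment store keyed by one 32-byte key.
type Store struct {
	key   []byte
	items []Appointment
}

func NewStore(key []byte) (*Store, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	return &Store{key: key}, nil
}

// Schedule records an appointment and keeps it only until slot+retention.
func (s *Store) Schedule(fullName, contact string, slot time.Time, retention time.Duration) error {
	ct, err := seal(s.key, []byte(contact))
	if err != nil {
		return err
	}
	s.items = append(s.items, Appointment{
		Initials:  Initials(fullName), // full name is never stored
		Slot:      slot,
		Contact:   ct,
		ExpiresAt: slot.Add(retention),
	})
	return nil
}

// Purge drops every record whose retention window has passed and returns
// how many were removed; the freed tail is zeroed so ciphertexts don't linger.
func (s *Store) Purge(now time.Time) int {
	kept := s.items[:0]
	removed := 0
	for _, a := range s.items {
		if now.After(a.ExpiresAt) {
			removed++
			continue
		}
		kept = append(kept, a)
	}
	for i := len(kept); i < len(s.items); i++ {
		s.items[i] = Appointment{}
	}
	s.items = kept
	return removed
}

func (s *Store) Count() int { return len(s.items) }

// ContactFor decrypts the contact detail of record i, e.g. to send a reminder.
func (s *Store) ContactFor(i int) (string, error) {
	if i < 0 || i >= len(s.items) {
		return "", errors.New("no such record")
	}
	pt, err := open(s.key, s.items[i].Contact)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	st, _ := NewStore(key)
	// Constructed sample input; no real patient data.
	slot := time.Date(2021, 2, 1, 9, 0, 0, 0, time.UTC)
	_ = st.Schedule("Jane Q. Public", "+1-555-0100", slot, 24*time.Hour)
	fmt.Println("stored as:", st.items[0].Initials)
	fmt.Println("purged two days later:", st.Purge(slot.Add(48*time.Hour)))
}
```

The point of the design is that a breach of the store exposes initials, slot times and ciphertext only, and that once the retention window closes there is nothing left to expose; the encryption key would live in a separate secret store in a real deployment.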

Advantages of Suspending Vaccine App HIPAA Regulations

Normally, suspending penalties for potential HIPAA violations would seem irresponsible, even dangerous. The ongoing COVID-19 pandemic presents a far more urgent emergency, though. Relaxing regulations over this small group of specific services can enable faster vaccine rollout, aiding in the fight against COVID-19.

Reports show that thousands of COVID-19 vaccines end up going to waste due to rollout issues. The vaccines’ short shelf life and high demand create a slew of problems in scheduling and administering them. Lifting some HIPAA regulations on scheduling apps helps the process move faster, leading to less waste.

Experts estimate that 70-90% of the population needs to be vaccinated to achieve herd immunity. At the nation’s current vaccination rate, it would take until late November to reach that number. With less bureaucracy in the way of the scheduling process, vaccine rollout would quicken, and that timeline could shorten.

Risks of HIPAA Suspensions

Of course, there are still some potential risks in relaxing these restrictions. HIPAA regulations are in place for a reason, and privacy concerns persist even amid a pandemic. Without a system to hold these apps accountable, breaches may be more likely.

Data breaches in health care are a growing issue. In September 2020 alone, there were 95 breaches of 500 records or more among HIPAA-covered entities. Relaxing privacy regulations amid this rise in health care-targeted cybercrime is far from a comfortable decision.

Attacks against health care apps specifically have shown a troubling upward trend. These attacks rose by 51% in December after the U.S. administered its first few COVID-19 vaccines. That’s before this new guidance took effect, too.

If entities follow all OCR security recommendations, there’s far less cause for alarm. Still, these are guidelines, not regulations, so some organizations and apps may not comply with them. If they don’t, users will be more vulnerable to data breaches that could jeopardize their privacy and security.

The Changing Face of Medicine

Whether these temporary suspensions cause more harm or good will remain uncertain for some time. If covered entities adhere to basic privacy guidelines, that could prevent serious risks. However, no matter what happens, health care organizations need to start thinking about how they use new technologies.

The medical industry is embracing new tech at an unprecedented rate. Health wearables alone are expanding by 16.4% a year, and for all its benefits, next-gen tech carries new concerns. More endpoints and third parties mean more areas where a hacker could access patient data.

Technology like scheduling apps is changing how the health care industry operates. Medical authorities and organizations need to rethink their approach to patient privacy in response. In some cases, loosened restrictions may improve tech’s ability to help patients, and in others, they could hinder it.

Digitization Brings New Opportunities and Concerns

The past year has been a period of remarkable technological innovation for the health care industry. Tools like vaccine scheduling apps could revolutionize medical access. At the same time, the way people use these resources can lead to privacy concerns.

Health care organizations don’t need to be scared of new technologies, but they should approach them cautiously. Whether or not these relaxed regulations will jeopardize these apps’ utility has yet to be seen. Until then, entities should proceed with caution and follow at least basic cyber hygiene.