OCR has announced that it will exercise enforcement discretion by not imposing penalties for HIPAA violations on covered entities or business associates so long as they use good faith regarding online and web-based scheduling for COVID-19 vaccinations. This action is specific to the administration of COVID-19 vaccinations and lasts for the duration of the public health emergency. Even with relaxed enforcement of the HIPAA requirements related to COVID-19 vaccinations, providers are still expected to use reasonable safeguards for the protection of protected health information, including the use of encryption. In addition to taking effect immediately, the action is retroactive to December 11, 2020.