OCR Enforcement Discretion for Good-Faith Operation of Community Based Testing
April 10, 2020
Effective immediately, the Department of Health and Human Services (“HHS”) announced its decision to exercise its enforcement discretion in how it applies the Privacy, Security and Breach Notification Rules under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).1 No enforcement actions will be sought against covered health care providers or their business associates for good faith participation in the operation of a COVID-19 Community Based Testing Site (“CBTS”). This is effective during the nationwide COVID-19 public health emergency (“PHE”).
This may include certain covered health care providers, including large pharmacy chains, and their business associates. A CBTS for purposes of this Notification includes mobile, drive-through, or walk-up sites that only provide COVID-19 specimen collection or testing services to the public.
The Notification is retroactive to March 13, 2020 and will end once the Secretary of HHS declares there is no longer a PHE or upon the expiration date of the declared PHE, including any applicable extensions.
Who is covered?
All HIPAA covered health care providers and their business associates participating in good faith in the operation of a CBTS. A CBTS includes the operation of all activities that support the collection of specimens from individuals for COVID-19 testing.
What reasonable safeguards does OCR encourage Covered Entities and their Business Associates to implement?
OCR recommends covered health care providers and their business associates implement HIPAA reasonable safeguards, which include:
- Using and disclosing only the minimum protected health information (“PHI”) necessary except when disclosing PHI for treatment;
- Setting up canopies or similar opaque barriers at CBTS to provide some privacy to individuals during the collection of samples;
- Controlling foot traffic and car traffic to create adequate distancing at the point of service to minimize the ability of persons to see or overhear screening interactions at a CBTS;
- Establishing a “buffer zone” to prevent members of the media or public from observing or filming individuals who approach a CBTS, and posting signs prohibiting filming;
- Using secure technology at a CBTS to record and transmit electronic PHI;
- Posting a Notice of Privacy Practices (“NPP”), or information about how to find the NPP online, if applicable, in a place that is readily viewable by individuals who approach a CBTS.2
No penalties will be imposed by OCR for violations in connection with the good faith operation of a CBTS.
What is not covered by this Notification?
The Notification does not apply to health plans or health care clearinghouses. However, to the extent that an entity performs both plan and provider functions, the Notification applies to the entity only in its role as a covered health care provider and only to the extent it is participating in a CBTS.
Additionally, this Notification does not apply to covered functions of a covered health care provider or their business associates in the performance of non-CBTS activities. HIPAA penalties apply to all other covered operations, unless OCR has stated otherwise.3
1 See Notification published April 9, 2020: https://www.hhs.gov/sites/default/files/notification-enforcement-discretion-community-based-testing-sites.pdf
3 OCR’s Notification of Enforcement Discretion and other materials relating to the COVID-19 public health emergency: see https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-covid19/index.html