HHS Notification of Enforcement Discretion Regarding COVID-19 Community-Based Testing Sites

by | Apr 9, 2020 | COVID-19, HIPAA, Legislation & Rulemaking, Privacy & Consent

On April 9th, HHS announced a new Notification of Enforcement Discretion Regarding COVID-19 Community-Based Testing Sites. The Notification of Enforcement Discretion is retroactive to March 13, 2020.

The Notification informs the public that HHS is exercising its discretion in how it applies HIPAA. As a matter of enforcement discretion, OCR will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules (including privacy, security, and breach notification) against Covered Health Care Providers or their Business Associates in connection with the good faith participation in the operation of a COVID-19 Community-Based Testing Site (CBTS) during the COVID-19 nationwide public health emergency.

HHS notes that certain Covered Health Care Providers, including some large pharmacy chains, and their Business Associates may choose to participate in the operation of COVID-19 Community-Based Testing Sites (CBTS). CBTS include:

  • Mobile
  • Drive-through, or 
  • Walk-up sites 

that ONLY provide COVID-19 specimen collection or testing services to the public.

All HIPAA Covered Health Care Providers and their Business Associates are covered when they are, in good faith, participating in the operation of a CBTS. The operation of a CBTS includes all activities that support the collection of specimens from individuals for COVID-19 testing. 

Covered Health Care Providers and their Business Associates should still implement reasonable safeguards. Reasonable safeguards include the following: 

• Using and disclosing only the minimum PHI necessary except when disclosing PHI for treatment; 

• Setting up canopies or similar opaque barriers at a CBTS to provide some privacy to individuals during the collection of samples; 

• Controlling foot and car traffic to create adequate distancing at the point of service to minimize the ability of persons to see or overhear screening interactions at a CBTS. (A six-foot distance would serve this purpose as well as support recommended social distancing measures to minimize the risk of spreading COVID-19);

• Establishing a “buffer zone” to prevent members of the media or public from observing or filming individuals who approach a CBTS, and posting signs prohibiting filming;

• Using secure technology at a CBTS to record and transmit electronic PHI;

• Posting a Notice of Privacy Practices (NPP), or information about how to find the NPP online, if applicable, in a place that is readily viewable by individuals who approach a CBTS.

Although Covered Health Care Providers and Business Associates are encouraged to implement these reasonable safeguards at a CBTS, OCR will not impose penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in connection with the good faith operation of a CBTS. 

Covered Health Care Providers or their Business Associates that are performing non-CBTS related activities, including the handling of PHI outside of the operation of a CBTS, are NOT afforded the same enforcement discretion. Potential HIPAA penalties still apply to all other HIPAA covered operations of the Covered Health Care Provider or Business Associate, unless otherwise stated by OCR. The following are provided as examples: 

  • A pharmacy that participates in the operation of a CBTS in the parking lot of its retail facility could be subject to a civil money penalty for HIPAA violations that occur inside its retail facility at that location that are unrelated to the CBTS; 
  • A covered clinical laboratory that has workforce members working on site at a CBTS could be subject to a civil money penalty for HIPAA violations that occur at the laboratory itself;

  • A covered health care provider that experiences a breach of PHI in its existing electronic health record system, which includes PHI gathered from the operation of a CBTS, could be subject to a civil money penalty for violations of the HIPAA Breach Notification Rule if it fails to notify all individuals affected by the breach (including individuals whose PHI was created or received from the operation of a CBTS).
