HIPAA Enforcement Discretion Regarding COVID-19 Community-Based Testing Sites (CBTS) During The COVID-19 Emergency

On April 9, 2020, the Department of Health and Human Services (HHS) issued guidance regarding HIPAA enforcement for Community Based Testing Sites. This guidance is covered under 45 CFR Parts 160 and 164 and informs the public that HHS is exercising discretion on how it applies the Privacy, Security, and Breach Notification Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). As a matter of enforcement discretion, the HHS Office for Civil Rights (OCR) will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules on covered health care providers, or on their business associates that are participating in the operation of a COVID-19 Community-Based Testing Site (CBTS) during the COVID-19 nationwide public health emergency.   This guidance is enforced effective retroactive to March 13, 2020 and remains in effect until the emergency is determined to be over.

Who and What Is Covered?

During the COVID-19 national emergency, which also constitutes a nationwide public health emergency, certain covered health care providers (including some large pharmacy chains) and their business associates may choose to participate in the operation of a COVID-19 specimen collection and testing sites (CBTS). A CBTS includes mobile, drive-through, or walk-up sites that only provide COVID-19 specimen collection or testing services to the public. This Notification applies to all HIPAA-covered health care providers and their business associates when such entities are participating in the operation of a CBTS in good faith.

Who Is Not Covered?

This Notification does not apply to health plans or healthcare clearinghouses when they are performing health plan and clearinghouse functions. To the extent that an entity performs both plan and provider functions, the Notification applies to the entity only in its role as a covered healthcare provider and only to the extent that it participates in a CBTS. This Notification also does not apply to covered healthcare providers or their business associates when such entities are performing non-CBTS related activities, including the handling of Protected Health Information (PHI) outside of the operation of a CBTS.

Reasonable Measures

CBTS sites should take reasonable measures to ensure the confidentially and security of data.  Some measures include:

  • Using and disclosing only the minimum PHI necessary except when disclosing PHI for treatment
  • Setting up canopies or similar opaque barriers at a CBTS to provide privacy to individuals during the collection of samples
  • Controlling foot and car traffic to create adequate distancing at the point of service to minimize the ability of persons to see or overhear screening interactions
  • Establishing a “buffer zone” to prevent members of the media or public from observing or filming individuals who approach a CBTS, and posting signs prohibiting filming
  • Using secure technology at a CBTS to record and transmit electronic PHI
  • Posting a Notice of Privacy Practices (NPP), or information about how to find the NPP online, if applicable, in a place that’s readily viewable by individuals who come to the CBTS site

For more information on the Notification, visit the HHS website.