HIPAA and Compliance News

OCR Lifts HIPAA Penalties for COVID-19 Community-Based Testing Sites

In the latest move to support the COVID-19 response, OCR announced it will lift penalties around HIPAA noncompliance for Community-Based Testing Sites during the pandemic.


By Jessica Davis

The Office for Civil Rights announced yet another enforcement discretion during the Coronavirus pandemic, lifting potential HIPAA penalties related to noncompliance for covered entities and business associates participating in good faith in the operation of a COVID-19 Community-Based Testing Site (CBTS).

This is the fourth enforcement discretion enacted by OCR during the pandemic. The agency has also carved out exceptions for business associates, first responders, and telehealth.

The latest enforcement discretion permits certain covered healthcare providers, including some large pharmacy chains, as well as business associates to participate in the operation of a CBTS. CBTS can include mobile, drive-through, or walk-up sites set up to only provide COVID-19 specimen or testing services to the public.

“We are taking extraordinary action to help the growth of mobile testing sites so more people can get tested quickly and safely,” said OCR Director Roger Severino, in a statement. “President Trump has ordered the federal government to use every tool available to help save lives during this crisis, and this announcement is another concrete example of putting the President’s directive into action.”

The notification applies to all HIPAA-covered entities and business associates participating in the good faith operation of testing sites that support the collection of specimens from individuals seeking COVID-19 testing. But providers must implement reasonable safeguards when operating a CBTS.

To start, these providers must use and disclose only the minimum necessary protected health information when it's needed to disclose PHI for treatment.

Secure technology should be used to record and transmit electronic PHI, and a notice of privacy practices or information on how to find the privacy disclosure online should be posted in a place that can be easily viewed by individuals who visit a CBTS.

Providers must also set up canopies or other opaque barriers to provide privacy to these individuals during the collection of samples, while controlling foot and car traffic to ensure adequate distancing at the point-of-service to minimize the ability to overhear conversations or see screening interactions.

“A six-foot distance would serve this purpose, as well as supporting recommended social distancing measures to minimize the risk of spreading COVID-19,” officials noted.

There should also be an established buffer zone to prevent the media or general public from observing or filming individuals who visit a CBTS. Providers should also post signs prohibiting filming.

“Although covered healthcare providers and business associates are encouraged to implement these reasonable safeguards at a CBTS, OCR will not impose penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in connection with the good faith operation of a CBTS,” according to the notice.

Health plans and healthcare clearinghouses are not covered by this enforcement discretion when they perform health plan and clearinghouse functions. Further, the notification only applies to the entity in its role as it participates in a CBTS, not to other functions.

It also doesn’t apply to covered healthcare providers or their business associates when they perform non-CBTS activities, such as handling PHI outside of the CBTS operation. Thus, all potential HIPAA penalties still apply to all other HIPAA-covered operations, unless otherwise noted by OCR.

This could include a pharmacy participating in a CBTS operation in the parking lot of its retail site, which could be subjected to a civil monetary penalty for potential HIPAA violations that occur inside of its facility that are unrelated to the CBTS.

Another example would be a covered clinical lab with workforce members working on-site at a CBTS, which could be subject to a civil monetary penalty for HIPAA violations that occur within its lab facility.