Community-Based Mobile Testing Sites Will Not Be Penalized for HIPAA Violations During COVID-19 National Emergency

Alerts / April 10, 2020

On April 9, 2020, the Office for Civil Rights (OCR) issued a Notification of Enforcement Discretion, which announced that, retroactive to March 13, OCR will not impose penalties against covered entities or business associates for violations of the HIPAA Rules in connection with their good faith participation in the operation of a COVID-19 community-based testing site (CBTS) during this nationwide public health emergency. According to OCR Director Roger Severino, OCR is “taking extraordinary action to help the growth of mobile testing sites so more people can get tested quickly and safely.”

The OCR notification applies to a CBTS that provides only COVID-19 specimen collection or testing services to the public, including mobile, drive-through or walk-up sites. While the notification only applies to a COVID-19 CBTS, it is noteworthy for all providers in that it elucidates OCR’s continued expectations for HIPAA compliance during this ongoing period of national emergency. The notification encourages providers participating in the operation of a CBTS to implement reasonable safeguards to protect the patient privacy and security of individuals, including the following:

  • Using and disclosing only the minimum protected health information (PHI) necessary, except when disclosing PHI for treatment.
  • Setting up canopies or similar opaque barriers at a CBTS to provide some privacy to individuals during the collection of samples.
  • Controlling foot and car traffic to create adequate distancing at the point of service to minimize the ability of persons to see or overhear screening interactions at a CBTS.
  • Establishing a “buffer zone” to prevent members of the media or public from observing or filming individuals who approach a CBTS, and posting signs prohibiting filming.
  • Using secure technology at a CBTS to record and transmit electronic health information.
  • Posting a Notice of Privacy Practices (NPP) in a place that is readily viewable by individuals who approach a CBTS, or information about how to find the NPP online.

While the notification provides that OCR will not impose penalties for violations of the HIPAA Privacy, Security and Breach Notification Rules that occur in connection with the good faith operation of a COVID-19 CBTS, the notification highlights the types of safeguards that OCR deems reasonable and expects all providers to have in place as they navigate this unprecedented national crisis. OCR makes clear that the notification is limited in nature to the operation of a CBTS and does not apply when providers are performing non-CBTS-related activities. Thus, a provider that experiences a breach in its electronic medical record system, which also includes PHI from the operation of a CBTS, is not immune from HIPAA enforcement and would be subject to penalties for violating the HIPAA Breach Notification Rule if it failed to notify all individuals affected by the breach (including individuals whose PHI was obtained during the operation of a CBTS) according to the notification.

The Notification of Enforcement Discretion on CBTS may be found here.

Authorship Credit: Vimala Devassy

Baker & Hostetler LLP publications are intended to inform our clients and other friends of the firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience.

Related Services

Related Industries

Related Emerging Issues