OCR will not penalize covered healthcare providers and their vendors for HIPAA noncompliance at COVID-19 Community-Based Testing Sites (CBTSs)

April 13, 2020

Health Care Alert

Author(s): Valerie Breslin Montague

This alert was co-authored by Meredith LaMaster. 

OCR provides flexibility and best practices regarding data privacy and security related to the operation of CBTSs.

On April 9, 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced that it will exercise its enforcement discretion in its application of the Health Insurance Portability and Accountability Act’s (HIPAA’s) Privacy, Security, and Breach Notification Rules in relation to COVID-19 testing sites. OCR stated that penalties will not be imposed against covered healthcare providers or their business associate vendors for failure to comply with the HIPAA regulations related to operating a COVID-19 testing site. This exercise of enforcement discretion applies during the COVID-19 emergency only and is effective immediately, although it is retroactive to March 13, 2020.

Because of the current nationwide public health emergency, numerous covered healthcare providers, including pharmacies, and their business associate vendors have opted to run mobile, drive-through, or walk-up COVID-19 specimen collecting and testing sites, commonly referred to as Community-Based Testing Sites, or CBTSs. The OCR enforcement discretion applies to both healthcare providers and their business associates in the good faith operations of a CBTS that offers COVID-19 testing or specimen collection to the public.

Although it is exercising its discretion not to impose penalties, OCR encourages healthcare providers to take steps to safeguard the protected health information (PHI) of individuals being tested at CBTSs, including:

  • Using and disclosing the minimum necessary amount of PHI except when the PHI is being disclosed for treatment purposes.
  • Erecting canopies or other similar barriers and controlling foot and vehicle traffic at testing sites to provide both privacy and social distancing to individuals whose specimens are being collected.
  • Taking steps to prevent the media or the public from viewing, photographing, or filming individuals seeking testing, and posting signs that prohibit filming.
  • Using a secure network at the test site to record and transmit electronic PHI.
  • Placing a HIPAA Notice of Privacy Practices (NPP), or information about accessing one online, if necessary, in a location that is easily viewable by people approaching the CBTS.

Although these safeguards are encouraged, covered healthcare providers and their business associates will not be penalized for HIPAA violations related to the good faith operation of a CBTS.

It is important to note that the OCR enforcement discretion does not apply to health plans performing health plan functions. For example, if a HIPAA covered entity serves as both a plan and a healthcare provider, then the enforcement discretion only applies when the entity is acting in its healthcare provider capacity and is limited to activities involving CBTS operation. In addition, the enforcement discretion does not shelter healthcare providers or their business associates when the entities participate in non-CBTS–related tasks. As an example, OCR states that a pharmacy that runs a CBTS in its parking lot may still be penalized for HIPAA violations that take place inside the pharmacy and have no relation to the CBTS.

The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

Back to top