April 13, 2020
Health Care Alert
Author(s): Valerie Breslin Montague
This alert was co-authored by Meredith LaMaster.
OCR provides flexibility and best practices regarding data privacy and security related to the operation of CBTSs.
On April 9, 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced that it will exercise its enforcement discretion in its application of the Health Insurance Portability and Accountability Act’s (HIPAA’s) Privacy, Security, and Breach Notification Rules in relation to COVID-19 testing sites. OCR stated that penalties will not be imposed against covered healthcare providers or their business associate vendors for failure to comply with the HIPAA regulations related to operating a COVID-19 testing site. This exercise of enforcement discretion applies during the COVID-19 emergency only; it is effective immediately and retroactive to March 13, 2020.
Because of the current nationwide public health emergency, numerous covered healthcare providers, including pharmacies, and their business associate vendors have opted to run mobile, drive-through, or walk-up COVID-19 specimen collection and testing sites, commonly referred to as Community-Based Testing Sites, or CBTSs. The OCR enforcement discretion applies to both healthcare providers and their business associates in the good faith operation of a CBTS that offers COVID-19 testing or specimen collection to the public.
Although it is exercising its discretion not to impose penalties, OCR encourages healthcare providers to take steps to safeguard the protected health information (PHI) of individuals being tested at CBTSs, including:
Although these safeguards are encouraged, covered healthcare providers and their business associates will not be penalized for HIPAA violations related to the good faith operation of a CBTS.
It is important to note that the OCR enforcement discretion does not apply to health plans performing health plan functions. For example, if a HIPAA covered entity serves as both a plan and a healthcare provider, then the enforcement discretion only applies when the entity is acting in its healthcare provider capacity and is limited to activities involving CBTS operation. In addition, the enforcement discretion does not shelter healthcare providers or their business associates when the entities participate in non-CBTS–related tasks. As an example, OCR states that a pharmacy that runs a CBTS in its parking lot may still be penalized for HIPAA violations that take place inside the pharmacy and have no relation to the CBTS.
The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.