HHS Reduces Enforcement of HIPAA Violations for COVID-19 Community Based Testing Sites

Written by: Brett Lawrence, Esq. 

On April 14, 2020, The Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) announced it will exercise further enforcement discretion in easing back penalties for failing to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  The enforcement discretion has retroactive effect beginning on March 13, 2020.  This has been a frequent occurrence on the part of OCR in its effort to help the healthcare field combat the COVID-19 pandemic while simultaneously trying to protect the inadvertent use and disclosure of protected health information (“PHI”).

The notification stipulates that OCR will not penalize covered healthcare providers or their business associates for not complying with HIPAA rules who in good faith operate COVID-19 community-based testing sites (“CBTS”) during the nationwide public health emergency.  Operating a CBTS includes all activities that support the collection of specimens from individuals for COVID-19 testing.  For the purposes of this notification, a CBTS includes mobile, drive-through, or walk-up sites that only provide COVID-19 specimen collection or testing services to the public.  The notification will remain in effect until the Secretary of HHS declares that the public health emergency is over, or upon the expiration date of the declared public health emergency, including any extension, whichever occurs first.

Although OCR announced it will not impose penalties for violations of HIPAA in connection with operating a CBTS, it recommended that reasonable safeguards be implemented to protect PHI.  Examples OCR provided include: (1) using and disclosing minimum PHI necessary except for when disclosing PHI for treatment; (2) constructing canopies or similar opaque barriers at a CBTS to provide individuals privacy during sample collections; and (3) establishing a “buffer zone” to prevent members of the media or public from observing or filming individuals who approach a CBTS.

OCR clarified that this enforcement discretion only applies to covered entities or its business associates whose activities are directly connected to the good-faith operation of a CBTS.  For instance, a covered clinical laboratory that has workforce members on site at a CBTS may be subject to a civil penalty for HIPAA violations that occur in the laboratory itself.