On April 9, 2020, the OCR announced it will use its enforcement discretion for Community Based Testing Sites for COVID-19 testing. The enforcement discretion is being retro-dated to March 13, 2020 and will remain active as long as the public health emergency declaration for the novel coronavirus is active. The OCR will not seek HIPAA fines or penalties for covered healthcare providers and their business associates utilizing community based testing sites for COVID-19 screenings and testing.
What is a Community Based Testing Site?
A community based testing site is a testing site outside of a clinical setting. Examples of a community-based testing site may include:
- Parking lots of healthcare facilities
- Retail and other public parking areas
- Community living facilities
Who is covered by this announcement?
All covered healthcare providers and their business associates are covered by this announcement. All activities involving the collection and testing of samples by covered healthcare providers and their business associates are covered by this announcement, as long as they are making a good faith effort.
Who is NOT covered by this announcement?
This announcement does not extend to health plans or clearinghouses. It also only covers community based COVID-19 testing activities for those that are covered. The OCR provided the following examples of activities that could still lead to a HIPAA penalty or fine:
- A pharmacy that participates in the operation of a CBTS in the parking lot of its retail facility could be subject to a civil money penalty for HIPAA violations that occur inside its retail facility at that location that are unrelated to the CBTS.
- A covered clinical laboratory that has workforce members working on site at a CBTS could be subject to a civil money penalty for HIPAA violations that occur at the laboratory itself.
- A covered health care provider that experiences a breach of PHI in its existing electronic health record system, which includes PHI gathered from the operation of a CBTS, could be subject to a civil money penalty for violations of the HIPAA Breach Notification Rule if it fails to notify all individuals affected by the breach (including individuals whose PHI was created or received from the operation of a CBTS).
What is a Good Faith Effort?
Covered healthcare providers and their business associates must make a reasonable effort to protect PHI. Fines and penalties will not be sought for any good faith effort; however, the OCR recommends the following safeguards:
- Using and disclosing only the minimum PHI necessary except when disclosing PHI for treatment.
- Setting up canopies or similar opaque barriers at a CBTS to provide some privacy to individuals during the collection of samples.
- Controlling foot and car traffic to create adequate distancing at the point of service to minimize the ability of persons to see or overhear screening interactions at a CBTS. (A six foot distance would serve this purpose as well as supporting recommended social distancing measures to minimize the risk of spreading COVID-19.)
- Establishing a “buffer zone” to prevent members of the media or public from observing or filming individuals who approach a CBTS, and posting signs prohibiting filming.
- Using secure technology at a CBTS to record and transmit electronic PHI.
- Posting a Notice of Privacy Practices (NPP), or information about how to find the NPP online, if applicable, in a place that is readily viewable by individuals who approach a CBTS.
HIPAAtrek has compiled a COVID-19 HIPAA Compliance resource on our website. Please do not hesitate to reach out with any questions: firstname.lastname@example.org. Stay strong. Stay safe. Stay healthy! Happy HIPAAtrekking!