Community-Based Mobile Testing Sites Will Not Be Penalized for HIPAA Violations During COVID-19 National Emergency

BakerHostetler

On April 9, 2020, the Office for Civil Rights (OCR) issued a Notification of Enforcement Discretion, which announced that, retroactive to March 13, OCR will not impose penalties against covered entities or business associates for violations of the HIPAA Rules in connection with their good faith participation in the operation of a COVID-19 community-based testing site (CBTS) during this nationwide public health emergency. According to OCR Director Roger Severino, OCR is “taking extraordinary action to help the growth of mobile testing sites so more people can get tested quickly and safely.”

The OCR notification applies to a CBTS that provides only COVID-19 specimen collection or testing services to the public, including mobile, drive-through or walk-up sites. While the notification applies only to a COVID-19 CBTS, it is noteworthy for all providers in that it elucidates OCR’s continued expectations for HIPAA compliance during this ongoing period of national emergency. The notification encourages providers participating in the operation of a CBTS to implement reasonable safeguards to protect the privacy and security of individuals, including the following:

  • Using and disclosing only the minimum protected health information (PHI) necessary, except when disclosing PHI for treatment.
  • Setting up canopies or similar opaque barriers at a CBTS to provide some privacy to individuals during the collection of samples.
  • Controlling foot and car traffic to create adequate distancing at the point of service to minimize the ability of persons to see or overhear screening interactions at a CBTS.
  • Establishing a “buffer zone” to prevent members of the media or public from observing or filming individuals who approach a CBTS, and posting signs prohibiting filming.
  • Using secure technology at a CBTS to record and transmit electronic health information.
  • Posting a Notice of Privacy Practices (NPP) in a place that is readily viewable by individuals who approach a CBTS, or information about how to find the NPP online.

While the notification provides that OCR will not impose penalties for violations of the HIPAA Privacy, Security and Breach Notification Rules that occur in connection with the good faith operation of a COVID-19 CBTS, the notification highlights the types of safeguards that OCR deems reasonable and expects all providers to have in place as they navigate this unprecedented national crisis. OCR makes clear that the notification is limited in nature to the operation of a CBTS and does not apply when providers are performing non-CBTS-related activities. Thus, according to the notification, a provider that experiences a breach in its electronic medical record system, which also includes PHI from the operation of a CBTS, is not immune from HIPAA enforcement and would be subject to penalties for violating the HIPAA Breach Notification Rule if it failed to notify all individuals affected by the breach (including individuals whose PHI was obtained during the operation of a CBTS).

The Notification of Enforcement Discretion on CBTS may be found here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising
