OCR to Waive Penalties For Community-Based COVID-19 Testing Sites

Husch Blackwell LLP
Contact
LinkedIn
Facebook
X
Send
Embed

On April 8, 2020, the U.S. Department of Health & Human Services (HHS) Office of the Assistant Secretary for Health released guidance authorizing pharmacists to order and administer COVID-19 tests. Immediately following this guidance, on April 9, 2020, the HHS Office of Civil Rights (OCR) announced that it will exercise its enforcement discretion and will refrain from imposing penalties for violations of HIPAA for covered entities or business associates participating, in good faith, in the operation of COVID-19 Community-Based Testing Sites (CBTS) during the nationwide public health emergency. The guidance regarding pharmacists testing for COVID-19 and the notice related to the relaxation of HIPAA rules comes on the heels of pharmacies, such as CVS and Walgreens, taking on a more active and critical role in the fight against the COVID-19 pandemic.

OCR noted that this decision was issued to support certain covered health care providers, including some large pharmacy chains, and their business associates that choose to participate in the operation of a CBTS. These CBTS include mobile, drive-through, or walk-up sites that only provide COVID-19 specimen collection or testing services to the public.

This waiver does not, however, give covered entities carte blanch to run CBTS in whatever manner they choose. Rather, OCR noted that each CBTS should still take reasonable safeguards to protect patient privacy. Such reasonable safeguards may include:

  • Using and disclosing only the minimum protected health information (PHI) necessary, except when disclosing PHI for treatment.
  • Setting up canopies or similar opaque barriers at a CBTS to provide some privacy to individuals during the collection of samples.
  • Controlling foot and car traffic to create adequate distancing at the point of service to minimize the ability of persons to see or overhear screening interactions at a CBTS.

Further, OCR included a note of caution that this notice does not protect covered entities or their business associates from enforcement actions when such entities are performing non-CBTS related activities. For example:

  • A pharmacy that participates in the operation of a CBTS in the parking lot of its retail facility could be subject to a civil money penalty for HIPAA violations that occur inside its retail facility at that location that are unrelated to the CBTS.
  • A clinical laboratory that has workforce members working on site at a CBTS could be subject to a civil money penalty for HIPAA violations that occur at the laboratory itself.
  • A covered health care provider that experiences a breach of PHI in its existing electronic health record system, which includes PHI gathered from the operation of a CBTS, could be subject to a civil money penalty for violations of the HIPAA Breach Notification Rule if it fails to notify all individuals affected by the breach (including individuals whose PHI was created or received from the operation of a CBTS).

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Husch Blackwell LLP | Attorney Advertising

Written by:

Husch Blackwell LLP
Husch Blackwell LLP
Contact
more
less

Husch Blackwell LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide