On April 9, 2020, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) announced that it will exercise its enforcement discretion and not impose penalties on covered entities or their business associates for noncompliance with Health Insurance Portability and Accountability Act (“HIPAA”) regulatory requirements in connection with their good faith participation in a COVID-19 Community-Based Testing Site (“CBTS”) during the COVID-19 public health emergency. OCR defines a CBTS as a mobile, drive-through or walk-up site that solely provides COVID-19 specimen collection or testing services to the public. The enforcement discretion was made effective as of April 9, 2020, but retroactively covers any actions taken by HIPAA-covered health care providers and their business associates since March 13, 2020.

This enforcement discretion facilitates the participation of covered health care providers, including large pharmacy chains, and their business associates in the operation of a CBTS, which encompasses all activities that support the collection of specimens from individuals for purposes of COVID-19 testing. Although OCR will not impose penalties for violations of the HIPAA Privacy, Security and Breach Notification Rules against covered health care providers or their business associates pursuant to their good faith participation in a CBTS, OCR nonetheless encourages covered health care providers and their business associates to implement reasonable safeguards to protect the privacy and security of individual protected health information (“PHI”) when operating a CBTS. Such reasonable safeguards include, but are not limited to:

  • Using and disclosing only the minimum necessary PHI (except when disclosing PHI for treatment purposes);
  • Setting up canopies or similar opaque barriers at a CBTS to provide privacy to individuals during sample collection;
  • Controlling foot and car traffic to create adequate distancing at the point of service, so as to minimize the ability of individuals to see or overhear screening interactions at a CBTS;
  • Establishing a buffer zone to prevent the media or the general public from observing or filming individuals who visit a CBTS, including posting signs prohibiting filming;
  • Using secure technology to record and transmit electronic PHI (“ePHI”) at a CBTS; and
  • Posting a Notice of Privacy Practices (“NPP”), or information about how to find the NPP online, that is easily viewable by individuals who visit a CBTS.

Notably, this enforcement discretion does not apply to covered health care providers or their business associates when these entities are performing non-CBTS related activities, including handling PHI outside of the CBTS operation. By way of example, OCR notes that a pharmacy that participates in the operation of a CBTS in the parking lot of its retail facility could still be subject to potential penalties for HIPAA violations that occur in its retail facility unrelated to the operation of the CBTS. Further, covered health care providers that experience a breach of ePHI, including ePHI gathered from a CBTS, may still be subject to penalties for violations of the HIPAA Breach Notification Rule if the entities fail to appropriately notify the affected individuals of the breach, including individuals whose PHI was created or received pursuant to the CBTS operation.

OCR further notes that the enforcement discretion does not extend to health plans or health care clearinghouses when these entities are performing health plan and clearinghouse functions, respectively.

This is the fourth enforcement discretion enacted by OCR during the COVID-19 public health emergency. On March 17, 2020, OCR announced that it would exercise its enforcement discretion and waive potential penalties against covered health care providers for noncompliance with HIPAA regulatory requirements in connection with their good faith provision of telehealth services to patients during the COVID-19 public health emergency. OCR further issued guidance on March 24, 2020, clarifying how covered entities may, under certain circumstances, disclose PHI about an individual who has been exposed to, or infected with, COVID-19 to law enforcement, paramedics, other first responders and public health authorities without an individual’s authorization. OCR also issued guidance on April 2, 2020, stating that it will exercise its enforcement discretion and not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against a covered entity or its business associate for good faith uses and disclosures of PHI by the business associate for public health and health oversight activities pursuant to 45 C.F.R. § 164.512, provided that the business associate informs the covered entity within ten (10) calendar days after the use or disclosure occurs.

Companies should carefully review the guidance issued and ensure that their practices comply with OCR’s guidelines. While OCR relaxes certain HIPAA regulatory requirements under the prescribed circumstances, its enforcement discretion does not extend to all of a company’s obligations under the HIPAA Privacy, Security and Breach Notification Rules. Further, OCR’s guidance is silent regarding whether state attorneys general are obligated to follow OCR’s enforcement discretion with respect to waiving penalties for certain HIPAA violations. OCR’s guidance also does not address other federal or state laws that may still apply regarding the appropriate use and disclosure of an individual’s PHI.

It is significant to note that OCR’s enforcement discretion applies for the duration of the COVID-19 public health emergency as declared by the HHS Secretary, and it is unknown whether OCR will provide a grace period or designated time frame for companies that are otherwise in violation of HIPAA pursuant to OCR’s enforcement discretion to redress their practices once the public health emergency declaration is revoked by the HHS Secretary, or whether penalties will be imposed promptly for noncompliance. For further information regarding how OCR’s guidelines may impact your operations, please contact your Cooley attorney.

Posted by Phil Mitchell