OCR Relaxes HIPAA Rules for COVID-19 Testing Sites

April 14, 2020 David Holtzman

Mobile, walk-up and drive-through COVID-19 testing sites operated by hospitals, healthcare providers, and pharmacy chains are the latest beneficiaries of a series of targeted measures to relax enforcement for violations of the HIPAA health information privacy, security, and breach notification standards. The Department of Health and Human Services (HHS), Office for Civil Rights (OCR) issued a Notice of Enforcement Discretion announcing that healthcare providers and their business associates will not be subject to penalties for noncompliance with the requirements of the HIPAA Rules in connection with their “good faith” participation in the operation of community-based testing sites (CBTS) during the COVID-19 nationwide public health emergency. OCR will apply the provisions of its enforcement discretion retroactively to March 13, 2020.

What is Good Faith?

The HIPAA Rules do not define “Good Faith.” OCR has used the term in many of its recent COVID-19 related guidance documents without explaining what constitutes Good Faith. In its recent FAQs for HIPAA and Telehealth, OCR describes good faith through specific examples of what constitutes “bad faith.”[1] Until OCR clarifies its definition of Good Faith, covered entities and business associates weighing whether a healthcare provider is engaging in good faith participation in a CBTS, and is therefore covered by the notice, should measure their actions against these examples.

Who/Where Does This Apply?

OCR describes a CBTS as a mobile, drive-through, or walk-up site that only provides COVID-19 specimen collection or testing services to the public. OCR will apply its enforcement discretion to all activities that support the collection of specimens and the operation of COVID-19 testing centers set up by healthcare providers and their business associates. Health plans and health care clearinghouses will only be excused for noncompliance with the HIPAA Rules while performing the role of a covered healthcare provider, and only to the extent that they are participating in a CBTS.

While OCR’s Notice of Enforcement Discretion applies to all of the standards of the HIPAA Privacy, Security, and Breach Notification Rules, the agency called out specific examples of reasonable safeguards that should be implemented when operating a CBTS:

  • Use or disclose only the minimum necessary amount of PHI for purposes like reporting to public health organizations or for billing or other business records.
  • Set up canopies or opaque barriers at the CBTS to provide some privacy for individuals during the specimen collection process.
  • Create a buffer zone around the CBTS to prevent the media or members of the public from observing patients receiving treatment.
  • Post a Notice of Privacy Practices (NPP), or post information on where the NPP is available online.
  • Use secure technology at the CBTS to record and transmit e-PHI.

Who/What is Not Covered?

OCR has established specific limits to how far its enforcement discretion will apply. The relaxation of enforcement for failure to comply with the HIPAA Rules does not apply to health plans or health care clearinghouses when they are performing health plan and clearinghouse functions.

Activities that involve the handling of PHI while performing non-CBTS functions are outside the bounds of OCR’s exercise of enforcement discretion. OCR provided the following examples of situations in which HIPAA penalties for noncompliance with the Rules remain possible:

  • A pharmacy that participates in the operation of a CBTS in the parking lot of its retail facility remains subject to penalties for HIPAA violations that occur inside the retail facility at that location and are unrelated to the CBTS.
  • A covered clinical laboratory that has workforce members working on-site at a CBTS remains subject to penalties for HIPAA violations that occur at the laboratory itself.
  • A covered healthcare provider that experiences a breach of PHI in its existing electronic health record system, which includes PHI gathered from the operation of a CBTS, could be subject to a civil money penalty for violations of the HIPAA Breach Notification Rule if it fails to notify all individuals affected by the breach (including individuals whose PHI was created or received from the operation of a CBTS).

Stay connected with CynergisTek to receive the latest updates on security, privacy, and compliance amid the Coronavirus COVID-19 pandemic. Our team is here to help you navigate this ever-changing environment. Please contact us if we can assist you with any questions about the requirements of the HIPAA Privacy Rule or to assist you in identifying and complying with the standards and specifications of the rule.


[1] Some examples of what OCR may consider a bad faith provision of telehealth services that is not covered by the Notice of Enforcement Discretion:

  1. Conduct or furtherance of a criminal act, such as fraud, identity theft and intentional invasion of privacy;
  2. Further uses or disclosures of patient data transmitted during a telehealth communication that are prohibited by the HIPAA Privacy Rule (e.g. sale of the data, or use of the data for marketing without authorization);
  3. Violations of state licensing laws or professional ethical standards….; or,
  4. Use of public-facing remote communications products, such as TikTok, Facebook Live, Twitch, or a chat room like Slack, which OCR has identified in the Notification as unacceptable forms of remote communication for telehealth because they are designed to be open to the public or allow wide or indiscriminate access to the communication.

About the Author

David Holtzman

David Holtzman is an executive advisor for CynergisTek. He is considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules. Prior to CynergisTek, Holtzman served on the health information privacy team at the Department of Health & Human Services, Office for Civil Rights (OCR/HHS), where he led many OCR initiatives, including the effort to integrate the administration and enforcement of the HIPAA Security Rule and health information technology policies. David has nearly two decades of experience in developing, implementing and evaluating health information privacy and security compliance programs for both government and private sector organizations. He is a member of the HHS “CISA 405-d Workgroup”, the Joint Cybersecurity Working Group of the Healthcare Sector Coordinating Council and Co-Chair of the Privacy and Security Workgroup for the North Carolina Healthcare Information & Communications Alliance (NCHICA).
