News & Resources

Publications & Media

HIPAA Flexibility for COVID-19 Testing Sites

Health & Life Sciences Meghan C. O'Connor, Rachel H. Weiss

On April 9, 2020, the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued guidance announcing its enforcement discretion in dealing with COVID-19 Community-Based Testing Sites (CBTS) during the nationwide public health emergency.

In short, OCR will not impose penalties for noncompliance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules against covered health care providers or their business associates in connection with the good faith participation in the operation of a COVID-19 CBTS. For purposes of the guidance, a CBTS includes mobile, drive-through, or walk-up sites that only provide COVID-19 specimen collection or testing services to the public.

OCR’s enforcement discretion is effective immediately, and is also retroactive to March 13, 2020. It will remain in effect until the Secretary of HHS declares that the public health emergency no longer exists, or upon the expiration date of the declared public health emergency, including any extensions, whichever occurs first.

Despite the enforcement discretion, OCR still recommends that covered entities and their business associate take appropriate steps to safeguard individuals’ protected health information (PHI) while participating in a COVID-19 CBTS, including:

  • Using and disclosing the minimum necessary PHI (except for treatment purposes);
  • Setting up canopies or other opaque barriers at a CBTS to provide privacy;
  • Controlling foot and car traffic to create adequate distancing;
  • Establishing a “buffer zone” to prevent the media or public from observing individuals who approach a CBTS and posting signs prohibiting filming;
  • Using secure technology at a CBTS; and
  • Posting a Notice of Privacy Practices (NPP), or information on how to find the NPP online, in a place that is readily viewable by individuals approaching the CBTS.

Interestingly, OCR noted that a breach of PHI in a provider’s existing electronic health record—including PHI gathered from the operation of a CBTS—could subject the provider to penalties for failure to notify all affected individuals under the Breach Notification Rule, including individuals whose PHI was created or received from the operation of a CBTS.

Finally, it is important to note that the enforcement discretion has a limited scope. It does not apply to:

  • Surge sites or other sites providing any COVID-19 services beyond testing;
  • Health plans or health care clearinghouses; or
  • Covered health care providers or their business associates when performing non-CBTS related activities, including the handling of PHI outside of the operation of a CBTS (e.g., a retail pharmacy with a CBTS in its retail facility parking lot may be subject to penalties for non-CBTS-related HIPAA violations that occur inside the retail facility).

HIPAA penalties may still apply to these providers and operational settings.

For more information on COVID-19’s impact on HIPAA, please visit Quarles & Brady's COVID-19 Privacy & Security page, contact your Quarles & Brady attorney or one of the authors below: