OCR Announces HIPAA Enforcement Discretion for Make-Shift COVID-19 Testing Sites

The Department of Health and Human Services’ Office for Civil Rights (OCR) announced today that it will not enforce HIPAA rules against healthcare providers and their business associates for HIPAA violations that occur during the good faith operation of a community-based COVID-19 specimen collection and testing site (“Community-Based Testing Site”).  These testing sites include mobile, drive-through or walk-up sites that only provide COVID-19 specimen collection and testing services.  Because these make-shift sites have been set up quickly and most are outdoors, it is often not possible to implement the privacy and security measures that are found in dedicated, indoor healthcare facilities.

As explained in the notice, OCR expects providers and their business associates at Community-Based Testing Sites to implement reasonable safeguards to protect patient information.  Examples of reasonable safeguards include:

  • complying with the minimum necessary rule and only using or disclosing necessary information;
  • creating barriers where possible to protect privacy during the collection of samples;
  • controlling foot and car traffic to limit inadvertent access to information (OCR recommends a 6-foot distancing measure in line with social distancing standards);
  • establishing a “buffer zone” to keep others from filming or photographing and posting signs prohibiting filming or photographing;
  • using secure technology at the testing site when transmitting protected health information (PHI); and
  • posting in a readily viewable location a copy of the Notice of Privacy Practices (NPP) or information about where to find the NPP on a website.

Even if providers or their business associates cannot implement these safeguards, OCR will not initiate an enforcement action so long as the providers or business associates acted in good faith. 

Notably, this enforcement discretion does not apply to the handling of PHI outside of the operation of a Community-Based Testing Site.  For example, if a pharmacy operates a testing site in the parking lot, enforcement discretion will not extend to HIPAA violations that occur inside the retail facility.  Further, if a provider suffers a data breach involving information collected at a Community-Based Testing Site, the provider would still be subject to enforcement for any failure to comply with the Breach Notification Rule. 

As with all of OCR’s other enforcement discretion notices throughout this pandemic, good faith action is key.  Providers and business associates need to do the best that they can under the circumstances to protect patient privacy while carrying out critical public health functions during this health emergency.