HHS Issues Notice of Enforcement Discretion for COVID-19 Community-Based Testing Sites
The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a Notice of Enforcement Discretion covering the good faith operation of COVID-19 community-based testing sites by HIPAA-covered entities and their business associates.
OCR will not be issuing HIPAA penalties to covered entities and business associates that participate in the testing and collection of samples at COVID-19 community-based testing sites, such as mobile walk-up testing facilities and drive-through testing sites for the duration of the COVID-19 public health emergency. The Notice of Enforcement Discretion has been backdated to March 13, 2020.
While enforcement discretion will be exercised by OCR, HIPAA-covered entities and their business associates should still implement safeguards at COVID-19 community-based testing sites to protect individuals’ privacy and safeguards should be implemented to ensure protected health information is secured at rest and in transit.
To ensure patient privacy, OCR recommends erecting screens, barriers, and canopies at the testing sites to make it difficult for other users and the public to view people being tested. Filming should be prohibited at the sites and signs erected advising users that the use of cameras and other recording equipment is banned.
Social distancing measures should be implemented to protect the public. OCR recommends a distance of at least 6 feet should be maintained between users of the facility. This will also help to ensure that any communications between patients and healthcare employees remain private and cannot be overheard.
A Notice of Privacy Practices (NPP) should be clearly visible to users of the facility and a copy of the NPP should be posted online. The printed NPP should provide the necessary information to allow visitors to the facility to find the online notice.
Aside from when PHI is required for the purpose of providing treatment, all other uses and disclosures of PHI should be limited to the minimum necessary amount to achieve the purpose for which the PHI is being used or disclosed.