Community-Based COVID Testing Sites and the Limits of the Relaxation of the HIPAA Rules

The rapid spread of the coronavirus quickly overwhelmed the capacity of hospitals, clinics, and physicians’ practices to test for the virus. The response was to create temporary Community-Based Testing Sites (CBTSs). Many CBTSs are located at pharmacies, often in the pharmacies’ parking lots. Many CBTSs are mobile, drive-through, or walk-up sites. Those sites may not (and probably cannot) fully meet the privacy and security requirements of HIPAA. They are, however, a necessary component in the effort to stop the spread of coronavirus. For that reason, on April 9, 2020, the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services issued a Notice of Enforcement Discretion for Community-Based Testing Sites During COVID Crisis (“Guidance”).

Consistent with earlier OCR COVID-related guidance, OCR has not modified, amended, or suspended the operation of any provision of HIPAA or the HIPAA Privacy and Security Rules. OCR has merely announced in the Guidance that it will exercise its enforcement discretion in connection with HIPAA non-compliance in connection with the operation of a CBTS. Specifically, OCR will not impose penalties for HIPAA non-compliance against covered entity healthcare providers or their business associates in connection with their good faith participation in the operation of a COVID-19 CBTS during the COVID-19 emergency. As will become clear below, the Guidance protects covered entity healthcare providers and their business associates in connection with their collection of COVID-19 test specimens at a CBTS.

Although recognizing, albeit implicitly, the limits on ensuring privacy and security at a CBTS, OCR directs participants in a CBTS to provide reasonable safeguards for protected health information (PHI). Only the minimum PHI necessary should be collected or disclosed, except for disclosures for treatment purposes. Canopies and opaque barriers are recommended to provide the privacy of the testing. Adequate social distancing is deemed a reasonable safeguard to prevent patients from seeing or hearing interactions involving other patients. Underscoring the continued importance of protecting the privacy and security of PHI, the Guidance advises CBTS operators to keep the media and the general public at a distance from individuals approaching a CBTS. To achieve this goal, the Guidance recommends buffer zones and signage prohibiting the filming of CBTS operations. The operator of the CBTS should also make available to patients seeking testing its notice of privacy practices (NPP), either by posting the NPP in a place where it can be read or directing patients to a website where the NPP can be accessed and read. The Guidance also expressly directs CBTS operators to protect the security of PHI obtained from COVID-19 testing.

After directing CBTS operators to implement reasonable privacy and security precautions, the Guidance then limits the parameters of the relief thereunder. First, only healthcare providers (and their business associates) engaged in the operation of a CBTS may rely on the protections provided by the Guidance. Other HIPAA covered entities, like health plans—which would not be operating test sites anyway—may not. Second, the Guidance protects even healthcare providers and their business associates operating CBTSs only with respect to activities directly related to the operation of the CBTS. The Guidance does not apply to any other activities of the healthcare provider or its business associates, and HIPAA’s penalties apply in full force to any HIPAA non-compliance related to those activities.

The Guidance demonstrates the limited nature of the relief thereunder through three examples. Where a pharmacy operates a CBTC in its parking lot, for example, the Guidance provides no relief for a HIPAA violation unrelated to CBTS operations. Similarly, a clinical lab with employees on-site at a CBTS may not rely on the Guidance for relief with respect to a breach of the privacy and/or security of PHI it suffers at its lab facilities. It is the third example, however, that most clearly illustrates the limited scope of the relief the Guidance provides.

In that example, the Guidance sets out the following scenario: a healthcare provider suffers a breach of the privacy and security of PHI in its electronic health record system, including PHI gathered from the operation of a CBTS. According to the Guidance, the healthcare provider would be liable for a breach of the HIPAA Breach Notification Rule if it failed to notify all individuals impacted by the breach, including those whose PHI was collected or created via CBTS operations. This example demonstrates that the relief provided in the Guidance is limited to activities related to the collection of COVID-19 test samples and, it appears, transportation of the samples to the healthcare provider (or business associate) operating the CBTS. This example underscores OCR’s recognition that CBTS operations cannot always be completely HIPAA compliant (although CBTS operators are to use best efforts to maintain privacy and security). Because CBTSs are a necessary component of a COVID-19 response, OCR has decided to use its enforcement discretion to relax the enforcement of the HIPAA Privacy and Security Rules in the narrow context of collecting test samples at CBTSs. Otherwise, subject to the OCR’s earlier COVID-19 guidance, HIPAA and the HIPAA Privacy, Security and Breach Notification Rules remain in full force and effect, and full compliance is required.

Notwithstanding the limited scope of the relief provided therein, the significance of the Guidance goes beyond the narrow context of the collection of test samples at a CBTS. Indeed, the limited scope of the relief contained in the Guidance itself reinforces the continued viability and enforceability of HIPAA and the HIPAA Privacy, Security and Breach Notification Rules. The Guidance does not purport to abrogate or suspend any statutory or regulatory provision. Like OCR’s previous COVID-related guidance, the Guidance signals OCR’s intention to relax the enforcement of HIPAA’s privacy and security protections in a narrowly defined context. Otherwise, for purposes of HIPAA, the HIPAA Privacy Rule, and the HIPAA Security Rule, it’s business as usual. It is crucial, therefore, that entities governed by HIPAA understand that point and do not grow lax in their HIPAA compliance.

For more information about current HIPAA regulatory and sub-regulatory guidance, contact David N. Crapo of the Gibbons Healthcare Team and Financial Restructuring & Creditors’ Rights Department.

To view all client alerts in Gibbons “The Coronavirus Pandemic and Your Business: How We Can Help” Series, click here. Please also be sure to follow Gibbons on LinkedIn for a continuous feed of COVID-19 related updates and other important business, industry, and firm news.