Insights & Resources

COVID-19 Resource Center

    Back To COVID-19 Resource Center
    COVID-19 Update: OCR announces HIPAA enforcement discretion for community-based testing sites

    COVID-19 Update: OCR announces HIPAA enforcement discretion for community-based testing sites

    On April 9, 2020, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that it will exercise its enforcement discretion and will not impose penalties for HIPAA violations made in connection with a covered entity or business associate’s good faith participation in the operation of a COVID-19 Community-Based Testing Site (CBTS). A CBTS is a mobile, drive-through or walk-up site that solely provides specimen collection or testing services.

    OCR’s decision was made effective immediately but also covers any actions by covered health care providers and their business associates since March 13, 2020. The enforcement discretion will remain in effect until the public health emergency ends.

    While it will not impose penalties for HIPAA violations at a CBTS (assuming good faith), OCR still encourages covered health care providers to continue to implement reasonable safeguards to protect the privacy and security of individuals being tested, including:

    • using and disclosing only the minimum protected health information (PHI) necessary
    • setting up canopies or opaque barriers at the CBTS to provide privacy
    • controlling foot and car traffic to minimize individuals seeing or overhearing screening interactions
    • prohibiting filming and creating a buffer zone to prevent such filming
    • using secure technology at the CBTS to record and transmit PHI
    • posting a Notice of Privacy Practice (NPP) or information on how to find the NPP online

    OCR warned that while the enforcement discretion would apply to operations at the CBTS, it would not apply to PHI handled outside of the CBTS. Providers that gather PHI at a CBTS should ensure that they continue to protect that information pursuant to HIPAA requirements at other locations.

    Download PDF