Community-Based Testing Sites

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow

Community-Based Testing & HIPAA
Community-Based Testing Sites (CBTS) are the latest entity to be excluded from HIPAA enforcement penalties by the Office for Civil Rights (OCR) for their participation in COVID-19 specimen collection and testing. This “exercise of enforcement discretion is effective immediately (April 9, 2020), but has a retroactive effect to March 13, 2020.” These mobile sites must provide ONLY COVID-19 services, and the exception to HIPAA enforcement applies only to the collection of such data and testing.

This means that some large pharmacy chains, business associates, and some healthcare providers will now be able to participate in the operation of a CBTS. These can include drive-through, walk-up, and mobile sites that provide COVID-19 testing services ONLY to the general public.

This move will allow the OCR to contribute to the growth of mobile testing sites for quicker testing and coverage in more areas.

Reasonable Safeguards
While HIPAA covered entities are given leeway during this time, they must still provide reasonable safeguard measures as they set up and operate a CBTS. This should include the following measures:

  1. Maintain social distancing onsite and at the point of service by controlling foot and car traffic to create adequate distancing; this minimizes people overhearing or seeing screening interactions with other individuals
  2. Disclose and use the minimum amount of protected health information (PHI) necessary except when disclosing PHI for treatment
  3. Canopies or similar opaque barriers must be set up at CBTS to provide privacy during the collection of samples

This is yet another move by the government as it continues to make temporary changes to the existing rules to accommodate these extraordinary circumstances. Full details and the HHS-approved document can be found here.

This article was originally published on HIPAA Secure Now! and is republished here with permission.

