COVID-19 Community Testing: Getting HIPAA Protection

By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure #HCdeJure

The COVID-19 pandemic remains in a state of emergency across the country and access to testing also remains a top priority. Testing continues to be viewed as a significant means of determining the scope of the pandemic as well as establishing the potential for tracking and tracing that could allow a return to some level of normalcy. Where to provide the testing is an ongoing challenge though. Should it be in physician offices, hospitals, or other settings? The answer may be all of the above. That being said, an increasingly popular choice is community-based testing sites (CBTS). A lot goes into the operation of a CBTS, but an argument against implementing one had been fear of HIPAA violations.

The fear of violating HIPAA, as with many such fears, was not necessarily well placed. A CBTS is an extension of operations to any number of healthcare providers, including hospitals, physician groups, and pharmacies. The testing would be a healthcare service that is part of operations. From that perspective, a CBTS is similar to setting up a new office. As such, it seems that the attention garnered by COVID-19 was just thrown up as a barrier to getting needed care.

To address concerns, the Office for Civil Rights (OCR) announced another exercise of discretion to forgo enforcement of potential HIPAA violations. The announced discretion, like prior guidance, will continue until the earlier of (i) the Secretary of Health and Human Services declaring that the state of emergency no longer exists or (ii) the expiration date of the declared public health emergency. In reality, that means the enforcement discretion will probably be around for a significant amount of time. The waiver states that OCR will not seek to impose penalties for HIPAA violations arising from the operation of a CBTS if the operation is done in good faith.

There are some key elements that go into how OCR will apply the discretion. First, the discretion only applies to healthcare providers and applicable business associates. The included healthcare providers are those actually operating the CBTS. The business associates benefiting from the protection will be those directly supporting the providers in the running of the CBTS.

While enforcement discretion will be exercised, OCR makes it clear that the discretion does not come without strings attached. The so-called strings are actually expecting basic efforts at compliance. In particular, the guidance on the enforcement discretion speaks to the following:

  • Use and disclose only the minimum necessary amount of protected health information;
  • Set up canopies or other forms of opaque barriers to afford some degree of privacy to individuals while samples or testing is occurring (this point should go without saying since even when blood donations, not covered by HIPAA, are conducted there is some form of minimal blockage when personal information is being taken);
  • Create separation between individuals receiving testing in accordance with social distancing guidelines (this is really an obvious point since individuals being tested should not be stacked right next to each other even in the best of times);
  • Take reasonable steps to prevent the media or members of the general public from observing the testing, including posting signs to not take photographs (these reasonable steps are similar to what should be done in any facility and go to debates around prohibiting photos or videos in a facility);
  • Securely record and transmit information collected from individuals (securing data is a fundamental tenet of security); and
  • Post or make a Notice of Privacy Practices available (this is the only somewhat eyebrow-raising point since there could already be an established relationship with many individuals seeking testing).

The list of expected actions should provide a clear basis by which covered entities and business associates can establish the good faith attempts at compliance. The inserted commentary with each point underscores that OCR’s expectations are pretty basic. If concerns remain about being able to set up a CBTS because of HIPAA, then HIPAA is not really the actual barrier.

Along with the identification of what will be protected by the enforcement discretion, OCR also described what organizations and actions will not benefit. The organizations not benefiting from the discretion are healthcare plans and clearinghouses. The limitation in that regard feels a little shortsighted since a healthcare plan could arguably operate and run a CBTS, even if staffing and services are done by a provider. The statement in OCR’s guidance seems a bit overly strict and limiting in this regard.

While healthcare providers benefit from the discretion, the discretion only applies to operation of the CBTS. If a HIPAA violation occurs in another part of the provider’s operations, then OCR could still pursue an enforcement action. While not stated, other operations could benefit from one or more of the other instances of enforcement discretion announced by OCR.

The enforcement discretion is helpful from the perspective that the rushed setup of CBTS operations and the potentially stressed operation will strain resources and increase the possibility of a violation. Being able to provide a necessary community benefit without fear of enforcement is helpful. However, as with all actions subject to enforcement discretion, the discretion is not, and should not be viewed as, an opportunity to ignore HIPAA obligations.

This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.