eLaws | eCases | United States Code | Federal Courts |
Home » 2020 Issues » 85 FR (05/18/2020) » 2020-09099. Enforcement Discretion Regarding COVID-19 Community-Based Testing Sites (CBTS) During the COVID-19 Nationwide Public Health Emergency

  2020-09099. Enforcement Discretion Regarding COVID-19 Community-Based Testing Sites (CBTS) During the COVID-19 Nationwide Public Health Emergency  

  • Start Preamble

    AGENCY:

    Office of the Secretary, HHS.

    ACTION:

    Notification of enforcement discretion.

    SUMMARY:

    This notification is to inform the public that the Department of Health and Human Services (HHS) is exercising its discretion in how it applies the Privacy, Security, and Breach Notification Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). As a matter of enforcement discretion, the HHS Office for Civil Rights (OCR) will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers or their business associates in connection with the good faith participation in the operation of a COVID-19 Community-Based Testing Site (CBTS) during the COVID-19 nationwide public health emergency.

    DATES:

    The notification of enforcement discretion was effective on April 9, 2020, and had a retroactive effect to March 13, 2020, and will remain in effect until the Secretary of HHS declares that the public health emergency no longer exists, or upon the expiration date of the declared public health emergency, including any extensions, (as determined by 42 U.S.C. 247d),[1] whichever occurs first.

    Start Further Info

    FOR FURTHER INFORMATION CONTACT:

    Rachel Seeger at (202) 619-0403 or (800) 537-7697 (TDD).

    End Further Info End Preamble Start Supplemental Information

    SUPPLEMENTARY INFORMATION:

    HHS is informing the public that it is exercising its discretion in how it applies the Privacy, Security, and Breach Notification Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) [2] during the nationwide public health emergency declared by the Secretary of HHS.[3]

    I. Background

    The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) is responsible for enforcing certain regulations issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Health Information Technology for Economic and Clinical Health (HITECH) Act, to protect the privacy and security of protected health information (PHI), namely the HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules).

    During the COVID-19 national emergency,[4] which also constitutes a nationwide public health emergency,[5] certain covered health care providers, including some large pharmacy chains, and their business associates may choose to participate in the operation of COVID-19 specimen collection and testing sites (Community-Based Testing Sites, or CBTS). For purposes of this notification, a CBTS includes mobile, drive-through, or walk-up sites that only provide COVID-19 specimen collection or testing services to the public.

    OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with regulatory requirements under the HIPAA Rules against covered health care providers and their business associates in connection with the good faith participation in the operation of a CBTS during the COVID-19 nationwide public health emergency as described below.

    II. Who/what is covered by this notification?

    This notification applies to all HIPAA covered health care providers and their business associates when such entities are, in good faith, participating in the operation of a CBTS. The operation of a CBTS includes all activities that support the collection of specimens from individuals for COVID-19 testing.

    III. Covered Health Care Providers and Their Business Associates Should Implement Reasonable Safeguards

    OCR encourages covered health care providers participating in the good faith operation of a CBTS to implement reasonable safeguards to protect the privacy and security of individuals' PHI. Reasonable safeguards include the following:

    • Using and disclosing only the minimum PHI necessary except when disclosing PHI for treatment.Start Printed Page 29638
    • Setting up canopies or similar opaque barriers at a CBTS to provide some privacy to individuals during the collection of samples.
    • Controlling foot and car traffic to create adequate distancing at the point of service to minimize the ability of persons to see or overhear screening interactions at a CBTS. (A six foot distance would serve this purpose as well as supporting recommended social distancing measures to minimize the risk of spreading COVID-19.)
    • Establishing a “buffer zone” to prevent members of the media or public from observing or filming individuals who approach a CBTS, and posting signs prohibiting filming.
    • Using secure technology at a CBTS to record and transmit electronic PHI.
    • Posting a Notice of Privacy Practices (NPP), or information about how to find the NPP online, if applicable, in a place that is readily viewable by individuals who approach a CBTS.

    Although covered health care providers and business associates are encouraged to implement these reasonable safeguards at a CBTS, OCR will not impose penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in connection with the good faith operation of a CBTS.

    IV. Who/what is not covered by this notification?

    This notification does not apply to health plans or health care clearinghouses when they are performing health plan and clearinghouse functions. To the extent that an entity performs both plan and provider functions, the Notification applies to the entity only in its role as a covered health care provider and only to the extent that it participates in a CBTS.

    This notification also does not apply to covered health care providers or their business associates when such entities are performing non-CBTS related activities, including the handling of PHI outside of the operation of a CBTS. Potential HIPAA penalties still apply to all other HIPAA-covered operations of the covered health care provider or business associate, unless otherwise stated by OCR.[6]

    For example:

    • A pharmacy that participates in the operation of a CBTS in the parking lot of its retail facility could be subject to a civil money penalty for HIPAA violations that occur inside its retail facility at that location that are unrelated to the CBTS.
    • A covered clinical laboratory that has workforce members working on site at a CBTS could be subject to a civil money penalty for HIPAA violations that occur at the laboratory itself.
    • A covered health care provider that experiences a breach of PHI in its existing electronic health record system, which includes PHI gathered from the operation of a CBTS, could be subject to a civil money penalty for violations of the HIPAA Breach Notification Rule if it fails to notify all individuals affected by the breach (including individuals whose PHI was created or received from the operation of a CBTS).

    V. Collection of Information Requirements

    This notification of enforcement discretion creates no legal obligations and no legal rights. Because this document imposes no information collection requirements, it need not be reviewed by the Office of Management and Budget under the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.).

    Start Signature

    Dated: April 14, 2020.

    Roger T. Severino

    Director, Office for Civil Rights Department of Health and Human Services.

    End Signature End Supplemental Information

    Footnotes

    1.  Public Health Emergency Declaration issued by HHS Secretary, pursuant to Section 319 of the Public Health Service Act, on January 31, 2020, with retroactive effective date of January 27, 2020. For more information, see https://www.phe.gov/​emergency/​news/​healthactions/​phe/​Pages/​2019-nCoV.aspx.

    Back to Citation

    2.  Due to the public health emergency posed by COVID-19, the HHS Office for Civil Rights (OCR) is exercising its enforcement discretion under the conditions outlined herein. We believe that this guidance is a statement of agency policy not subject to the notice and comment requirements of the Administrative Procedure Act (APA). 5 U.S.C. 553(b)(3)(A). OCR additionally finds that, even if this guidance were subject to the public participation provisions of the APA, prior notice and comment for this guidance is impracticable, and there is good cause to issue this guidance without prior public comment and without a delayed effective date. 5 U.S.C. 553(b)(3)(B) & (d)(3).

    Back to Citation

    4.  Presidential Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak (Mar 13, 2020), available at https://www.whitehouse.gov/​presidential-actions/​proclamation-declaring-national-emergency-concerning-novel-coronavirus-disease-covid-19-outbreak/​.

    Back to Citation

    5.  Secretary of HHS Alex M. Azar, Determination that a Public Health Emergency Exists (Jan. 31, 2020), available at https://www.phe.gov/​emergency/​news/​healthactions/​phe/​Pages/​2019-nCoV.aspx.

    Back to Citation

    6.  OCR's Notifications of Enforcement Discretion and other materials relating to the COVID-19 public health emergency are available at https://www.hhs.gov/​hipaa/​for-professionals/​special-topics/​hipaa-covid19/​index.html.

    Back to Citation

    [FR Doc. 2020-09099 Filed 5-15-20; 8:45 am]

    BILLING CODE 4153-01-P

Visit the Official Version
Leave a Comment

Document Information

Effective Date:
4/9/2020
Published:
05/18/2020
Department:
Health and Human Services Department
Entry Type:
Rule
Action:
Notification of enforcement discretion.
Document Number:
2020-09099
Dates:
The notification of enforcement discretion was effective on April 9, 2020, and had a retroactive effect to March 13, 2020, and will remain in effect until the Secretary of HHS declares that the public health emergency no longer exists, or upon the expiration date of the declared public health emergency, including any extensions, (as determined by 42 U.S.C. 247d),\1\ whichever occurs first.
Pages:
29637-29638 (2 pages)
PDF File:
2020-09099.pdf
Supporting Documents:
» Patient Protection and Affordable Care Act: Benefit and Payment Parameters for 2022; Updates to State Innovation Waiver Implementing Regulations
» Guidance: Good Guidance Practices; Correction
» National Vaccine Injury Compensation Program: Revisions to the Vaccine Injury Table
» Amendments to the HHS-Operated Risk Adjustment Data Validation Under the Patient Protection and Affordable Care Act's HHS-Operated Risk Adjustment Program
» Transparency in Coverage
» UA: Reg Flex Agenda
» Medicare and Medicaid Programs: CY 2020 Hospital Outpatient PPS Policy Changes and Payment Rates and Ambulatory Surgical Center Payment System Policy Changes and Payment Rates; Price Transparency Requirements for Hospitals to Make Standard Charges Public
» Administrative Simplification: Rescinding the Adoption of the Standard Unique Health Plan Identifier and Other Entity Identifier
» Protecting Statutory Conscience Rights in Health Care; Delegations of Authority
» Patient Protection and Affordable Care Act: Increasing Consumer Choice through the Sale of Individual Health Insurance Coverage Across State Lines Through Health Care Choice Compacts
CFR: (2)
45 CFR 160
45 CFR 164