Changes in HIPAA enforcement keep coming under the COVID-19 public health emergency. Two recent changes will waive penalties for HIPAA noncompliance when there is a good faith use and disclosure of protected health information during the COVID-19 public health emergency.
These are the third and fourth announcements regarding enforcement from OCR during the pandemic. Before this, OCR issued HIPAA guidance for first responders under COVID-19, and announced exceptions for telehealth.
In the past two weeks the Office for Civil Rights (OCR), the agency that enforces HIPAA, separately announced that HIPAA penalties will be waived for:
- business associates who share patient data without express permission from the covered entity, and
- covered health care providers or their business associates at COVID-19 testing sites.
Both changes will remain in effect until the Secretary of Health and Human Services (HHS) declares that the public health emergency no longer exists, or upon the expiration date of the declared public health emergency, including any extensions, whichever occurs first.
Business Associates and COVID-19
According to the first notice on April 2, 2020, the lifting of penalties on business associates was driven by the need to provide Federal, state and local public health authorities and health oversight agencies, such as the Centers for Disease Control and Prevention (CDC), with support and protected health information (PHI) during the emergency.
Under HIPAA, covered entities are already allowed to share this information with federal public health authorities. Business associates, however, are allowed to share protected health information for public health and health oversight purposes only if that sharing is expressly permitted in their business associate agreement (BAA) with the covered entity.
Under the new enforcement direction, business associates are now permitted to share PHI in the same manner without explicit permission in the BAA and without the risk of a HIPAA penalty from OCR, as long as the sharing is in good faith for the purpose of aiding public health.
“The CDC, CMS, and state and local health departments need quick access to COVID-19 related health data to fight this pandemic,” said OCR Director Roger Severino, in a statement. “Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”
Business associates are still required to follow HIPAA’s other requirements. Read the full announcement here.
COVID-19 Testing Sites
The latest change, announced April 9, 2020, is designed to make testing sites easier to operate.
The Office for Civil Rights (OCR), the agency that enforces HIPAA, announced that it “will not impose penalties for violations of the HIPAA Rules against covered entities or business associates in connection with the good faith participation in the operation of COVID-19 testing sites during the COVID-19 nationwide public health emergency.” The enforcement change is retroactive to March 13, 2020.
This enforcement change is designed to support certain covered health care providers, including some large pharmacy chains, and their business associates that participate in operating a Community-Based Testing Site (CBTS or testing site), which includes mobile, drive-through, or walk-up sites that only provide COVID-19 specimen collection or testing services to the public. Read the full announcement here.
Use Reasonable Safeguards
OCR encourages covered health care providers participating in the good faith operation of a testing site to use reasonable safeguards to protect individuals’ privacy and security.
Reasonable safeguards include the following:
- Following the minimum necessary standard except when disclosing PHI for treatment.
- Setting up visual barriers at a testing facility to provide some privacy to individuals being tested.
- Controlling foot and car traffic to create adequate distancing to minimize the ability of persons to see or overhear interactions at the testing facility.
- Establishing a “buffer zone” to prevent the media or public from observing or filming individuals who approach a testing facility, and posting signs prohibiting filming.
- Using secure technology to record and transmit electronic PHI.
- Posting a Notice of Privacy Practices (NPP), or information about how to find the NPP online in a place that is readily viewable.
Although covered health care providers and business associates are encouraged to implement these reasonable safeguards at a testing facility, OCR will not impose penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in connection with the good faith operation of a testing facility.
Where it Does Not Apply
This enforcement change does not apply when providers or business associates are performing non-COVID-19 testing activities, including the handling of PHI outside of the testing operation.
For example:
- A pharmacy that participates in a testing facility in the parking lot could be subject to a penalty for HIPAA violations that occur inside the pharmacy at that location.
- A covered clinical laboratory with workforce members on site at a testing facility could be subject to a penalty for HIPAA violations that occur at the laboratory itself.
- A covered health care provider that experiences a breach of PHI in its existing electronic health record system, which includes PHI gathered from the operation of a CBTS, could be subject to a civil money penalty for violations of the HIPAA Breach Notification Rule if it fails to notify all individuals affected by the breach (including individuals whose PHI was created or received from the operation of a testing facility).
The HIPAA E-Tool® Has Answers
If you’re confused about any of the latest HIPAA changes under COVID-19, we can help. Call or write us with questions, and we’ll answer.