HHS Relaxes Data Security and Privacy Enforcement For COVID-19 Test Sites

The Health and Human Services Department has been relaxing restrictions on the collection and protection of patient health data as the COVID-19 pandemic wears on and made more moves Monday to ease regulations on community-based testing sites.

As health care providers nationwide stand up mobile, drive-thru and walk-up testing sites—called community-based testing sites, or CBTS—the HHS Office for Civil Rights is making it easier for operators to collect relevant data without the strict security and privacy regulations required under the Health Insurance Portability and Accountability Act, or HIPAA.

“During the COVID-19 national emergency, which also constitutes a nationwide public health emergency, certain covered health care providers, including some large pharmacy chains, and their business associates may choose to participate in the operation of COVID-19 specimen collection and testing sites,” according to a notice posted Monday in the Federal Register. “This notification applies to all HIPAA covered health care providers and their business associates when such entities are, in good faith, participating in the operation of a CBTS.”

The notice is clear that the laxed regulations only apply to the operation of community-based testing sites and not other health care services like insurance or clearinghouse functions.

“To the extent that an entity performs both plan and provider functions, the notification applies to the entity only in its role as a covered health care provider and only to the extent that it participates in a CBTS,” the notice states. “This notification also does not apply to covered health care providers or their business associates when such entities are performing non-CBTS related activities, including handling of [protected health information] outside of the operation of a CBTS.”

The notice offers several examples, such as a pharmacy that operates a testing site in the parking lot, which “could be subject to a civil money penalty for HIPAA violations that occur inside its retail facility at that location that are unrelated to the CBTS.”

Similarly, if a provider has a previously established electronic health record system that is integrated with a testing site, the provider is responsible for alerting anyone whose data was collected through the testing site if a data breach occurs.

In the notice, HHS officials offered a list of best practices for test providers to consider but added that none of these suggestions are mandatory and “OCR will not impose penalties for violations.” That said, testing sites should “reasonable safeguards” such as:

• Using and disclosing only the minimum [protected health information] necessary except when disclosing PHI for treatment.
• Setting up canopies or similar opaque barriers at a CBTS to provide some privacy to individuals during the collection of samples.
• Controlling foot and car traffic to create adequate distancing at the point of service to minimize the ability of persons to see or overhear screening interactions at a CBTS. A six-foot distance would serve this purpose as well as supporting recommended social distancing measures to minimize the risk of spreading COVID-19.
• Establishing a “buffer zone” to prevent members of the media or public from observing or filming individuals who approach a CBTS, and posting signs prohibiting filming.
• Using secure technology at a CBTS to record and transmit electronic PHI.
• Posting a notice of privacy practices or information about how to find the NPP online, if applicable, in a place that is readily viewable by individuals who approach a CBTS.