The US Department of Health and Human Services Office for Civil Rights (OCR) announced that it will not impose penalties for noncompliance with the Health Insurance Portability and Accountability Act (HIPAA) for a COVID-19 community-based testing site’s (CBTS) disclosure of protected health information (PHI) when the disclosure was done in good faith. Some GNYHA members may be operating these sites, which include mobile, drive-through, or walk-up sites that only provide COVID-19 specimen collection or testing services to the public.

OCR encouraged, but did not require, the implementation of reasonable safeguards, including using and disclosing only the minimum PHI necessary (except when disclosing PHI for treatment), setting up barriers to protect some privacy, controlling foot and car traffic to create distance, establishing a “buffer zone” between the service area and the public, using secure technology to record and transmit electronic PHI, and posting a notice of privacy practices (NPP) or information on how to find the NPP online. OCR clarified that HIPAA-covered entities are still subject to enforcement for non-CBTS incidents, such as when a violation occurs at the HIPAA-covered entity’s main non-CBTS site, or when a covered entity fails to notify affected individuals of a breach of an electronic health record system, which may include PHI from a CBTS. OCR’s discretion is effective immediately but has a retroactive effect to March 13, 2020.