HHS Announces Exercise of Enforcement Discretion for Entities Engaged in COVID-19 Relief Efforts

Since COVID-19 was declared a pandemic, the U.S. Department of Health and Human Services (“HHS”) and its Office for Civil Rights (“OCR”) have taken a variety of steps to relax HIPAA restrictions particularly pertinent to the COVID-19 response.

First, as covered in an earlier posting, HHS took action to waive penalties and assure companies that it would exercise enforcement discretion with respect to the Privacy Rule’s application to telehealth services and certain limited communication activities related to COVID-19 treatment efforts.

On April 2, HHS released a notification indicating it will be exercising its discretion by not pursuing enforcement actions against business associates that share protected health information (“PHI”) for good faith purposes involving COVID-19 related public health concerns beyond the authority granted in their business associate agreements.  HHS’s guidance indicates that it will not pursue enforcement actions for such disclosures as long as two conditions are met:

  • The business associate makes a good faith use or disclosure of the covered entity’s PHI for public health activities consistent with 45 CFR 164.512(b), or health oversight activities consistent with 45 CFR 164.512(d); and
  • The business associate informs the covered entity within ten (10) calendar days after the use or disclosure occurs.

The following week, on April 9th, 2020, HHS issued another notification outlining its intention to exercise enforcement discretion with respect to both covered healthcare providers and their business associates participating in the operation of community-based testing sites (“CBTS”) related to COVID-19 specimen testing. The operation of CBTS includes all activities that support the collection of specimens from individuals for COVID-19 testing, and includes mobile, drive-through, or walk-up sites.  The agency’s relaxed enforcement posture with regard to covered entities and business associates applies only to healthcare providers and their business associates engaging in COVID-19 specimen collection at CBTS, who must still employ reasonable safeguards to protect patients’ PHI, including:

  • Using and disclosing only the minimum necessary PHI.
  • Setting up canopies or other opaque barriers between patient collections sites within a larger testing site.
  • Controlling foot and car traffic to maintain at least 6 feet’s worth of distance between passageways and patient specimen collection sites.
  • Establishing a “buffer zone,” that will prevent members of the media from filming or documenting patient specimen collection practices.
  • Using secure technology on-site when transmitting electronic PHI.
  • Posting a Notice of Privacy Practices to inform patients of their rights under HIPAA.

Provided these factors are satisfied, HHS has stated that it does not intend to pursue enforcement actions. HHS offered further clarification on this point in an April 24th webinar, where it emphasized that its enforcement discretion will not extend to the provision of non-COVID-19 related activities at CBTS.