On April 8, 2020, the U.S. Department of Health & Human Services (HHS) Office of the Assistant Secretary for Health released guidance authorizing pharmacists to order and administer COVID-19 tests. Immediately following this guidance, on April 9, 2020, the HHS Office of Civil Rights (OCR) announced that it will exercise its enforcement discretion and will refrain from imposing penalties for violations of HIPAA for covered entities or business associates participating, in good faith, in the operation of COVID-19 Community-Based Testing Sites (CBTS) during the nationwide public health emergency. The guidance regarding pharmacists testing for COVID-19 and the notice related to the relaxation of HIPAA rules comes on the heels of pharmacies, such as CVS and Walgreens, taking on a more active and critical role in the fight against the COVID-19 pandemic.
OCR noted that this decision was issued to support certain covered health care providers, including some large pharmacy chains, and their business associates that choose to participate in the operation of a CBTS. These CBTS include mobile, drive-through, or walk-up sites that only provide COVID-19 specimen collection or testing services to the public.
This waiver does not, however, give covered entities carte blanch to run CBTS in whatever manner they choose. Rather, OCR noted that each CBTS should still take reasonable safeguards to protect patient privacy. Such reasonable safeguards may include:
- Using and disclosing only the minimum protected health information (PHI) necessary, except when disclosing PHI for treatment.
- Setting up canopies or similar opaque barriers at a CBTS to provide some privacy to individuals during the collection of samples.
- Controlling foot and car traffic to create adequate distancing at the point of service to minimize the ability of persons to see or overhear screening interactions at a CBTS.
Further, OCR included a note of caution that this notice does not protect covered entities or their business associates from enforcement actions when such entities are performing non-CBTS related activities. For example:
- A pharmacy that participates in the operation of a CBTS in the parking lot of its retail facility could be subject to a civil money penalty for HIPAA violations that occur inside its retail facility at that location that are unrelated to the CBTS.
- A clinical laboratory that has workforce members working on site at a CBTS could be subject to a civil money penalty for HIPAA violations that occur at the laboratory itself.
- A covered health care provider that experiences a breach of PHI in its existing electronic health record system, which includes PHI gathered from the operation of a CBTS, could be subject to a civil money penalty for violations of the HIPAA Breach Notification Rule if it fails to notify all individuals affected by the breach (including individuals whose PHI was created or received from the operation of a CBTS).
If you are a pharmacy or pharmacist thinking about operating a CBTS, please contact one of our healthcare attorneys. We can assist in ensuring that proper compliance measures are in place before the commencement of COVID-19 community testing.