[Federal Register Volume 85, Number 96 (Monday, May 18, 2020)]
[Rules and Regulations]
[Pages 29637-29638]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-09099]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

45 CFR Parts 160 and 164


Enforcement Discretion Regarding COVID-19 Community-Based Testing 
Sites (CBTS) During the COVID-19 Nationwide Public Health Emergency

AGENCY: Office of the Secretary, HHS.

ACTION: Notification of enforcement discretion.

-----------------------------------------------------------------------

SUMMARY: This notification is to inform the public that the Department 
of Health and Human Services (HHS) is exercising its discretion in how 
it applies the Privacy, Security, and Breach Notification Rules under 
the Health Insurance Portability and Accountability Act of 1996 
(HIPAA). As a matter of enforcement discretion, the HHS Office for 
Civil Rights (OCR) will not impose penalties for noncompliance with the 
regulatory requirements under the HIPAA Rules against covered health 
care providers or their business associates in connection with the good 
faith participation in the operation of a COVID-19 Community-Based 
Testing Site (CBTS) during the COVID-19 nationwide public health 
emergency.

DATES: The notification of enforcement discretion was effective on 
April 9, 2020, and had a retroactive effect to March 13, 2020, and will 
remain in effect until the Secretary of HHS declares that the public 
health emergency no longer exists, or upon the expiration date of the 
declared public health emergency, including any extensions, (as 
determined by 42 U.S.C. 247d),\1\ whichever occurs first.
---------------------------------------------------------------------------

    \1\ Public Health Emergency Declaration issued by HHS Secretary, 
pursuant to Section 319 of the Public Health Service Act, on January 
31, 2020, with retroactive effective date of January 27, 2020. For 
more information, see https://www.phe.gov/emergency/news/healthactions/phe/Pages/2019-nCoV.aspx.
---------------------------------------------------------------------------

FOR FURTHER INFORMATION CONTACT: Rachel Seeger at (202) 619-0403 or 
(800) 537-7697 (TDD).

SUPPLEMENTARY INFORMATION: HHS is informing the public that it is 
exercising its discretion in how it applies the Privacy, Security, and 
Breach Notification Rules under the Health Insurance Portability and 
Accountability Act of 1996 (HIPAA) \2\ during the nationwide public 
health emergency declared by the Secretary of HHS.\3\
---------------------------------------------------------------------------

    \2\ Due to the public health emergency posed by COVID-19, the 
HHS Office for Civil Rights (OCR) is exercising its enforcement 
discretion under the conditions outlined herein. We believe that 
this guidance is a statement of agency policy not subject to the 
notice and comment requirements of the Administrative Procedure Act 
(APA). 5 U.S.C. 553(b)(3)(A). OCR additionally finds that, even if 
this guidance were subject to the public participation provisions of 
the APA, prior notice and comment for this guidance is 
impracticable, and there is good cause to issue this guidance 
without prior public comment and without a delayed effective date. 5 
U.S.C. 553(b)(3)(B) & (d)(3).
    \3\ https://www.phe.gov/emergency/news/healthactions/phe/Pages/2019-nCoV.aspx.
---------------------------------------------------------------------------

I. Background

    The Office for Civil Rights (OCR) at the U.S. Department of Health 
and Human Services (HHS) is responsible for enforcing certain 
regulations issued under the Health Insurance Portability and 
Accountability Act of 1996 (HIPAA), and the Health Information 
Technology for Economic and Clinical Health (HITECH) Act, to protect 
the privacy and security of protected health information (PHI), namely 
the HIPAA Privacy, Security, and Breach Notification Rules (HIPAA 
Rules).
    During the COVID-19 national emergency,\4\ which also constitutes a 
nationwide public health emergency,\5\ certain covered health care 
providers, including some large pharmacy chains, and their business 
associates may choose to participate in the operation of COVID-19 
specimen collection and testing sites (Community-Based Testing Sites, 
or CBTS). For purposes of this notification, a CBTS includes mobile, 
drive-through, or walk-up sites that only provide COVID-19 specimen 
collection or testing services to the public.
---------------------------------------------------------------------------

    \4\ Presidential Proclamation on Declaring a National Emergency 
Concerning the Novel Coronavirus Disease (COVID-19) Outbreak (Mar 
13, 2020), available at https://www.whitehouse.gov/presidential-actions/proclamation-declaring-national-emergency-concerning-novel-coronavirus-disease-covid-19-outbreak/.
    \5\ Secretary of HHS Alex M. Azar, Determination that a Public 
Health Emergency Exists (Jan. 31, 2020), available at https://www.phe.gov/emergency/news/healthactions/phe/Pages/2019-nCoV.aspx.
---------------------------------------------------------------------------

    OCR will exercise its enforcement discretion and will not impose 
penalties for noncompliance with regulatory requirements under the 
HIPAA Rules against covered health care providers and their business 
associates in connection with the good faith participation in the 
operation of a CBTS during the COVID-19 nationwide public health 
emergency as described below.

II. Who/what is covered by this notification?

    This notification applies to all HIPAA covered health care 
providers and their business associates when such entities are, in good 
faith, participating in the operation of a CBTS. The operation of a 
CBTS includes all activities that support the collection of specimens 
from individuals for COVID-19 testing.

III. Covered Health Care Providers and Their Business Associates Should 
Implement Reasonable Safeguards

    OCR encourages covered health care providers participating in the 
good faith operation of a CBTS to implement reasonable safeguards to 
protect the privacy and security of individuals' PHI. Reasonable 
safeguards include the following:
    * Using and disclosing only the minimum PHI necessary except 
when disclosing PHI for treatment.
    * Setting up canopies or similar opaque barriers at a CBTS 
to provide some privacy to individuals during the collection of 
samples.
    * Controlling foot and car traffic to create adequate 
distancing at the point of service to minimize the ability of persons 
to see or overhear screening interactions at a CBTS. (A six foot 
distance would serve this purpose as well as supporting recommended 
social distancing measures to minimize the risk of spreading COVID-19.)
    * Establishing a "buffer zone" to prevent members of the 
media or public from observing or filming individuals who approach a 
CBTS, and posting signs prohibiting filming.
    * Using secure technology at a CBTS to record and transmit 
electronic PHI.
    * Posting a Notice of Privacy Practices (NPP), or 
information about how to find the NPP online, if applicable, in a place 
that is readily viewable by individuals who approach a CBTS.
    Although covered health care providers and business associates are 
encouraged to implement these reasonable safeguards at a CBTS, OCR will 
not impose penalties for violations of the HIPAA Privacy, Security, and 
Breach Notification Rules that occur in connection with the good faith 
operation of a CBTS.

IV. Who/what is not covered by this notification?

    This notification does not apply to health plans or health care 
clearinghouses when they are performing health plan and clearinghouse 
functions. To the extent that an entity performs both plan and provider 
functions, the Notification applies to the entity only in its role as a 
covered health care provider and only to the extent that it 
participates in a CBTS.
    This notification also does not apply to covered health care 
providers or their business associates when such entities are 
performing non-CBTS related activities, including the handling of PHI 
outside of the operation of a CBTS. Potential HIPAA penalties still 
apply to all other HIPAA-covered operations of the covered health care 
provider or business associate, unless otherwise stated by OCR.\6\
---------------------------------------------------------------------------

    \6\ OCR's Notifications of Enforcement Discretion and other 
materials relating to the COVID-19 public health emergency are 
available at https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-covid19/index.html.
---------------------------------------------------------------------------

    For example:
    * A pharmacy that participates in the operation of a CBTS in 
the parking lot of its retail facility could be subject to a civil 
money penalty for HIPAA violations that occur inside its retail 
facility at that location that are unrelated to the CBTS.
    * A covered clinical laboratory that has workforce members 
working on site at a CBTS could be subject to a civil money penalty for 
HIPAA violations that occur at the laboratory itself.
    * A covered health care provider that experiences a breach 
of PHI in its existing electronic health record system, which includes 
PHI gathered from the operation of a CBTS, could be subject to a civil 
money penalty for violations of the HIPAA Breach Notification Rule if 
it fails to notify all individuals affected by the breach (including 
individuals whose PHI was created or received from the operation of a 
CBTS).

V. Collection of Information Requirements

    This notification of enforcement discretion creates no legal 
obligations and no legal rights. Because this document imposes no 
information collection requirements, it need not be reviewed by the 
Office of Management and Budget under the Paperwork Reduction Act of 
1995 (44 U.S.C. 3501 et seq.).

    Dated: April 14, 2020.
Roger T. Severino,
Director, Office for Civil Rights, Department of Health and Human 
Services.
[FR Doc. 2020-09099 Filed 5-15-20; 8:45 am]