April 15, 2020 WPF Statement on the COVID-19 Community Based Testing Sites HIPAA Waiver

In This Statement: 

  • What changes does the Community Based Testing Sites HIPAA waiver create? 
  • What are the privacy concerns? 
  • WPF recommendations to correct the problems with the Community Based Testing Sites HIPAA waiver to ensure patient privacy is protected during and after the emergency  
  • Additional resources: What is a HIPAA waiver? Which waivers are in place during the COVID-19 national emergency? All WPF statements on COVID-19 HIPAA waivers

(PDF of WPF Statement on COVID-19 Community Based Testing Sites HIPAA Waiver)

In response to the COVID-19 (coronavirus) pandemic, the U.S. Department of Health and Human Services has announced four changes in HIPAA privacy practices in the form of waivers of enforcement of HIPAA requirements. The first waiver was announced March 13, 2020. 

This document discusses the fourth HIPAA waiver, dated April 9, which waives enforcement of all HIPAA privacy and security protections and data breach rules for certain health care activities related to COVID-19 testing. WPF is concerned about the privacy and security implications of this HIPAA waiver. We are also concerned that this waiver will erode public trust in COVID-19 testing, which is an undesirable outcome.

What changes does the Community Based Testing Sites HIPAA waiver create?

On April 9, 2020, the U.S. Department of Health and Human Services Office of Civil Rights (OCR) announced a HIPAA waiver that will remain in effect during the COVID-19 public health emergency. See: https://www.hhs.gov/sites/default/files/notification-enforcement-discretion-community-based-testing-sites.pdf. This is now the fourth HIPAA waiver for the Coronavirus pandemic. (WPF statements about previous waivers are linked at the end of this document.) 

The April 9 waiver applies to Community-Based Testing Sites (CBTS), which include mobile, drive-through, and walk-up sites that only provide COVID-19 specimen collection or testing services to the public. These services may be provided by health care providers covered by the HIPAA health privacy and security rules, including some large pharmacy chains, and their business associates. Some testing sites may not be operated by HIPAA-covered entities, and those sites are not subject to the HIPAA privacy and security rules. Such sites may not be covered by any privacy rules at all.

It appears that the waiver allows HIPAA-covered entities and business associates to avoid compliance with any and all HIPAA rules in connection with the “good faith” participation in the operation of a Community Based Testing Site during the COVID-19 public health emergency.

HHS properly limited the duration of the waiver to the period of the public health emergency. HHS also narrowly focused the waiver on a specific category of specimen collection and testing services. However, the waiver covers all aspects of the HIPAA privacy and security rules, as well as the health data breach rules. It is the scope of the waiver that is overbroad. The value of a waiver for some Community Based Testing Site activities is clear. However, as explained later, the announcement itself includes illustrations of its overbreadth.

What are the privacy concerns regarding the Community Based Testing Sites HIPAA waiver?

The April 9 HIPAA waiver introduces privacy and trust challenges, and it has the potential to create problems specifically relating to the public trust of Community Based Testing Sites regarding privacy and security practices. In the COVID-19 crisis, trust is mission critical. 

The key privacy concerns are as follows: 

All HIPAA privacy and security rules are waived, not just selected rules

The most objectionable aspect of this waiver is the removal of all requirements to follow the HIPAA privacy and security rules, as well as the HIPAA data breach rules. WPF recognizes the need to make accommodations to privacy and security policies in emergencies, but removing any and all obligations to comply with those policies goes too far. In some circumstances, provisions of state health privacy laws will continue in force so that gross violations of disclosure limitations and other bedrock privacy rules may still inhibit unjustified activities. Standard principles of medical ethics may also provide some protections for privacy.

Community Based Testing Sites test patients for COVID-19. Those getting tested may not want to have neighbors, passersby, or other onlookers know or record their visit to the testing site or the fact of their testing. 

Privacy Buffer Zones are not required 

The waiver “encourages” health care providers to maintain a “buffer zone” to prevent members of the media or the public from observing or filming individuals who approach a Community Based Testing Service, and to post signs prohibiting filming. This is too broad. A buffer zone should be required unless it is significantly impractical to conduct a Community Based Testing Service otherwise.

Minimum disclosure is “encouraged” but not required 

The waiver “encourages” health care providers to use and disclose only the minimum identifiable health data necessary as provided by the HIPAA privacy rule. However, a health care provider that chooses to allow public viewing of the tests or even to announce test results in a manner that allows the public or press to hear the results would not be sanctioned as a result of the waiver. The “good faith” standard is inadequate, and the waiver of all use and disclosure rules is unprecedented and unnecessary. 

Recommendations Regarding the Community Based Testing Sites HIPAA Waiver

  1. HHS needs to narrow the April 9 waiver. First, the waiver should apply when a HIPAA-covered entity undertakes an activity that would violate HIPAA rules after the entity determines, through the exercise of professional judgment, that the activity is operationally necessary to the function of a Community Based Testing Site. 
  2. HHS needs to mandate the use of buffer zones so the public feels secure and safe when seeking testing. We are concerned that by not having adequate privacy protections in place, and by not requiring protection of patients from intrusive cameras or onlookers or from broad disclosures, public trust will be undermined. Individuals will be less willing to seek testing while under the observation of their friends and neighbors. Protections against casual observation of testing and treatment should be followed unless operationally necessary and there are no alternatives.
  3. The use and dissemination of test results should occur only in accordance with all existing HIPAA privacy and security rules. The HIPAA privacy and security rules already provide for broad and adequate use and dissemination in a public health emergency. There is no need to allow unrestricted use and dissemination.
  4. The waiver of all HIPAA security rules is a significant danger. A security breach could discourage individuals from seeking testing for fear that their results will end up in the hands of fraudsters or on marketing lists. Some security obligations and deadlines might be loosened during the emergency, but a complete waiver is a poor choice.

Background on HIPAA Waivers and Additional Information 

What is a HIPAA Waiver, and which waivers are in place during the COVID-19 national emergency?

The HIPAA privacy rule already provides plenty of flexibility for operation of the health care system under emergency circumstances. See, for example, a discussion of the rule’s provisions and their application in emergency circumstances at: https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf.

During emergencies — like hurricanes and other natural disasters — HHS routinely announces that it will waive sanctions and penalties for noncompliance with selected provisions of the HIPAA privacy rule. These waivers are expressly limited in scope and application and include waivers a, b, and c below. During the COVID-19 crisis, HIPAA waivers a, b, and c were activated March 13.

The new COVID-19 HIPAA waivers include d, e, and f. The Telehealth Waiver (d) was put in place March 17, the Business Associate Waiver (e) was put in place April 2, and the Community Based Testing site waiver (f) was put in place April 9.

(a)  the requirements to obtain a patient’s agreement to speak with family members or friends or to honor a patient’s request to opt out of the facility directory (45 C.F.R. § 164.510);

(b)  the requirement to distribute a notice of privacy practices (45 C.F.R. § 164.520);

(c)  the patient’s right to request privacy restrictions or confidential communications (45 C.F.R. § 164.522);

(d)  On March 17, 2020, HHS announced a new HIPAA waiver regarding telehealth. HHS will exercise enforcement discretion and not impose penalties for noncompliance with the HIPAA requirements against covered health care providers who provide telehealth services in good faith during the COVID-19 nationwide public health emergency. See: https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html;

(e)  On April 2, 2020, HHS announced a new HIPAA waiver regarding Business Associates. The April 2 waiver allows a business associate of a HIPAA-covered entity to make a “good faith” use or disclosure of a covered entity’s health records for public health activities or for health oversight activities. The business associate must inform the covered entity within ten calendar days after the use or disclosure occurs. This is an unprecedented HIPAA waiver that allows business associates, without the permission of the hospital, clinic, or health care provider, to use or release the protected health information of patients; and

(f)  As of April 9, HHS announced a new HIPAA waiver regarding Community Based Testing Sites. This waiver, as discussed in this document, lifted the applicability of the HIPAA privacy and security and data breach rules, and applies to Community-Based Testing Sites (CBTS), which include mobile, drive-through, and walk-up sites that only provide COVID-19 specimen collection or testing services to the public.

The “traditional” waivers plus the new COVID-19 waivers are all in place for the coronavirus pandemic. The traditional waivers were activated March 13, 2020. See: https://www.phe.gov/emergency/news/healthactions/section1135/Pages/covid19-13March20.aspx.

The World Privacy Forum issued a statement about the COVID-19 Telehealth HIPAA waiver, which we found appropriate and sufficiently narrow. That statement is here: https://www.worldprivacyforum.org/2020/03/wpf-statement-on-covid-19-and-changes-in-hipaa-practices/. The WPF statement also included information about the “traditional” HIPAA waivers that were activated March 13, 2020. 

WPF issued a statement regarding the COVID-19 Business Associate HIPAA waiver. That statement is here: https://www.worldprivacyforum.org/2020/04/april-2-2020-wpf-statement-on-covid-19-and-changes-in-hipaa-practices/. We found the Business Associate waiver overbroad and problematic. 

World Privacy Forum
Publication date: April 15, 2020