While the Notice of Enforcement Discretion has been published, the HHS’ Office for Civil Rights is encouraging covered entities and their business associates to ensure reasonable security measures are implemented to protect the privacy of users of the service and prevent the accidental exposure or disclosure of PHI to unauthorized people.
Privacy controls such as canopies and barriers should be used to separate the testing area and protect the privacy of users of the service, and there should be a buffer zone to stop members of the public from observing people being tested.
Social distancing measures need to be put in place to reduce the risk of transmission of SARS-CoV-2. A distance of at least 6 feet should be maintained between patients at all times. These social distancing measures will help to ensure conversations between a patient and CBTS staff cannot be overheard. OCR also recommends posting signs forbidding filming at testing facilities.
A Notice of Privacy Practices should also be published in a place where it can be easily read by visitors. The NPP should also be published on the Internet, with information included in the printed notice outlining how the NPP can be viewed online.
The use and sharing of PHI should be limited to the minimum necessary to achieve the purpose for which the information is shared, except when PHI is disclosed for treatment reasons.