Governance & Resilience — HHS OCR waives penalties for COVID-19 community-based testing sites
HHS OCR’s 30 March 2020 notice applies enforcement discretion for community-based COVID-19 testing sites, waiving penalties for HIPAA noncompliance if covered entities act in good faith; organizations still need documented safeguards and handoffs to HIPAA-covered systems.
Reviewed for accuracy by Kodi C.
Quick summary
The HHS Office for Civil Rights announced enforcement discretion for community-based COVID-19 testing sites (CBTS) during the public health emergency. Covered entities operating drive-through, mobile, or pop-up testing facilities will not face HIPAA penalties when acting in good faith, provided they implement reasonable safeguards. This guidance enables rapid testing deployment while maintaining baseline privacy protections.
Scope of Enforcement Discretion
The enforcement discretion applies specifically to community-based testing sites—locations established rapidly to meet surge testing demand that may lack the infrastructure typical of permanent healthcare facilities. Covered activities include patient registration, specimen collection, results communication, and data transmission to public health authorities and healthcare providers.
OCR emphasized that discretion does not waive HIPAA requirements entirely. Covered entities must still implement reasonable safeguards appropriate to the testing environment. The discretion addresses the practical impossibility of full HIPAA compliance in field conditions (parking lots, tents, mobile units) while expecting good-faith privacy protection efforts.
The notice applies during the declared public health emergency. If you are affected, track emergency declaration status and prepare transition plans for when normal enforcement resumes.
Reasonable Safeguards Expected
OCR guidance describes safeguards you should implement at CBTS:
- Physical privacy: Queue management, privacy screens, separation between intake areas and testing stations, and restrictions on photography.
- Access controls: Limited system access for temporary staff, role-based permissions, and encryption for devices handling patient data.
- Data transmission: Encrypted connections for transmitting test results to EHRs, labs, and public health systems.
- Workforce training: Staff and volunteers briefed on minimum necessary data collection, incident reporting, and patient privacy expectations.
- Notice: Signage and verbal explanations informing patients about data use and privacy protections.
Operational Implementation
Healthcare organizations establishing CBTS should implement structured privacy programs:
Device management: Configure tablets, laptops, and mobile hotspots with encryption, MFA, and remote wipe capabilities. Maintain daily device inventories and wipe devices before redeployment.
Data flow documentation: Map how patient information flows from CBTS registration through specimen tracking, result communication, and public health reporting. Identify each system involved and verify security controls.
Incident procedures: Establish reporting channels for privacy incidents including misdirected results, lost devices, and overheard conversations. Document incidents and corrective actions.
Coordination with Covered Entity Operations
CBTS operations typically connect to established healthcare organizations that maintain HIPAA compliance programs. If you are affected, define clear handoff points where CBTS data enters covered entity systems, ensuring appropriate access controls, audit logging, and retention policies apply from that point forward.
Business associate relationships may be implicated when third parties support CBTS operations. If you are affected, document relationships and confirm that business associate agreements or enforcement discretion coverage applies.
Post-Emergency Transition Planning
If you are affected, prepare for enforcement discretion termination:
- Document dates, locations, and safeguards applied at each CBTS for compliance demonstration.
- Develop plans to transition temporary operations to standard HIPAA compliance or orderly closure.
- Archive CBTS records appropriately and communicate retention periods to patients.
- Review whether any data collected under discretion requires additional patient notification or deletion.
Final assessment
The CBTS enforcement discretion enables healthcare organizations to deploy testing capacity rapidly while maintaining reasonable privacy protections. If you are affected, document your good-faith safeguards, prepare for post-emergency transitions, and monitor OCR guidance for any modifications to the discretion scope.
References
- Notification of Enforcement Discretion for Community-Based Testing Sites during the COVID-19 Nationwide Public Health Emergency — U.S. Department of Health and Human Services
- OCR Announces Notification of Enforcement Discretion for Community-based Testing Sites During the COVID-19 Nationwide Public Health Emergency — U.S. Department of Health and Human Services
- HIPAA Emergency Preparedness, Planning, and Response — U.S. Department of Health and Human Services