Governance & Resilience Briefing — HHS OCR waives penalties for COVID-19 community-based testing sites
HHS OCR’s 30 March 2020 notice applies enforcement discretion to community-based COVID-19 testing sites, waiving penalties for noncompliance with certain HIPAA Privacy, Security, and Breach Notification provisions when covered entities and business associates act in good faith; organizations still need documented safeguards and controlled handoffs into HIPAA-covered systems.
Executive briefing: On 30 March 2020, the HHS Office for Civil Rights (OCR) announced enforcement discretion for community-based testing sites (CBTS) during the COVID-19 public health emergency. Covered entities and business associates operating mobile, drive-through, or pop-up sites will not face penalties for noncompliance with certain HIPAA Privacy, Security, and Breach Notification provisions when acting in good faith, but they must still implement reasonable safeguards, and the discretion does not extend to the HIPAA-covered systems that receive CBTS data.
Validated sources
- HHS OCR enforcement discretion notice describing scope, effective date, and examples of acceptable safeguards.
- HHS emergency preparedness HIPAA resources summarizing how Privacy and Security Rules apply during public health emergencies.
Control mappings
- HIPAA Security Rule 45 CFR 164.308 & 164.312: Administrative and technical safeguards (access control, transmission security) remain expected even under discretion.
- NIST SP 800-66 Rev.2 mapped safeguards: Risk analysis, workforce training, and secure transmission controls remain applicable to CBTS workflows.
- ISO/IEC 27701:2019 6.9 & 7.4: Document processing purposes, retention, and access controls for health data collected at temporary sites.
Implementation checklist
- Post signage and verbal notices explaining data use at testing sites; restrict photography and unauthorized recordings.
- Configure Wi-Fi hotspots, tablets, and laptops with encryption and MFA; limit access to EHRs or scheduling systems to authorized staff.
- Use privacy screens and controlled queues to prevent incidental disclosures; separate intake, testing, and results communication areas.
- Document data flows from CBTS into HIPAA-covered systems, including secure handoff steps and retention/deletion timelines for temporary records.
- Train staff and volunteers on minimum necessary data collection and incident reporting; maintain sign-in sheets for accountability.
Safeguard verification
- Perform onsite walkthroughs to confirm signage, queue control, and privacy screens are in place and that storage media are locked when not in use.
- Review device inventories daily to ensure loaner tablets and hotspots are returned, encrypted, and wiped before redeployment.
- Capture logs showing encrypted transmission to EHR systems, role-based access checks, and any emergency access overrides used during operations.
- Maintain incident logs for misdirected results or lost paperwork and document corrective actions for each occurrence.
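The daily inventory and log checks above can be scripted so the site lead produces the same evidence every day. The following is an added example (not part of the OCR notice, HHS guidance, or any vendor tooling) that reconciles a constructed end-of-day device inventory and scans constructed EHR-gateway access-log lines for cleartext transmission, role-policy violations, and emergency (break-glass) overrides that need a documented justification. The CSV columns, log format, device IDs, user names, and ROLE_POLICY are all hypothetical assumptions.

```python
"""Daily safeguard verification for a community-based testing site (CBTS).

Added example, not code from the OCR notice or any HHS/vendor tool. It assumes
two constructed inputs: a CSV loaner-device inventory exported at end of day,
and access-log lines from the EHR gateway. Device IDs, user names, the log
format, and the role policy are hypothetical.
"""
import csv
import io
import re

# Constructed end-of-day loaner-device inventory (hypothetical data).
INVENTORY_CSV = """device_id,type,assigned_to,returned,encrypted,wiped
TAB-001,tablet,volunteer-a,yes,yes,yes
TAB-002,tablet,volunteer-b,no,yes,no
HOT-001,hotspot,site-lead,yes,yes,yes
LAP-001,laptop,clinician-c,yes,no,yes
TAB-003,tablet,volunteer-d,yes,yes,no
"""

# Constructed EHR-gateway access-log lines (hypothetical format):
# <timestamp> <user> <role> <action> <resource> tls=<version> [override=<reason>]
ACCESS_LOG = """\
2020-04-01T09:02:11Z clinician-c clinician read /patients/1234 tls=1.2
2020-04-01T09:05:40Z volunteer-a intake write /schedule/slots tls=1.2
2020-04-01T09:07:02Z volunteer-b intake read /patients/1234 tls=1.2
2020-04-01T09:11:53Z site-lead site-lead read /results/5678 tls=1.2 override=break-glass:clinician-unreachable
2020-04-01T09:15:30Z clinician-c clinician read /results/5678 tls=none
"""

# Roles permitted to touch each resource prefix (assumed site policy,
# reflecting minimum-necessary access for intake vs. clinical staff).
ROLE_POLICY = {
    "/patients/": {"clinician"},
    "/results/": {"clinician"},
    "/schedule/": {"intake", "clinician", "site-lead"},
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<role>\S+) (?P<action>\S+) "
    r"(?P<resource>\S+) tls=(?P<tls>\S+)(?: override=(?P<override>\S+))?$"
)


def check_inventory(csv_text: str) -> list:
    """Return (device_id, [failed checks]) for every device that was not
    returned, is not encrypted, or was not wiped before redeployment."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        failed = [col for col in ("returned", "encrypted", "wiped")
                  if row[col].strip().lower() != "yes"]
        if failed:
            findings.append((row["device_id"], failed))
    return findings


def check_access_log(log_text: str) -> list:
    """Return (kind, user, resource) findings: 'cleartext' for non-TLS
    transmission, 'override' for any emergency access override (must be
    justified in the incident log), 'rbac-violation' for a role touching a
    resource it is not permitted to access without an override."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            findings.append(("unparsed", line, ""))
            continue
        ev = m.groupdict()
        allowed = next((roles for prefix, roles in ROLE_POLICY.items()
                        if ev["resource"].startswith(prefix)), set())
        if ev["role"] not in allowed:
            kind = "override" if ev["override"] else "rbac-violation"
            findings.append((kind, ev["user"], ev["resource"]))
        elif ev["override"]:
            # Permitted role but still used break-glass: record it for review.
            findings.append(("override", ev["user"], ev["resource"]))
        if ev["tls"] == "none":
            findings.append(("cleartext", ev["user"], ev["resource"]))
    return findings


if __name__ == "__main__":
    for device, failed in check_inventory(INVENTORY_CSV):
        print(f"DEVICE {device}: failed {', '.join(failed)}")
    for kind, user, resource in check_access_log(ACCESS_LOG):
        print(f"ACCESS {kind}: {user} -> {resource}")
```

Run it once per site at close of day and attach the output to the site's safeguard checklist; every 'override' line should map to an entry in the incident log with the reason and the approver, and every 'cleartext' line is a transmission-security failure that needs the same treatment as a lost device.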
Transition planning
- Record the dates and locations where discretion is applied and the safeguards in place; discontinue relaxed practices when the public health emergency ends.
- Develop a transition plan to move CBTS workflows into standard HIPAA-covered operations, including device reclamation, data archival, and updated privacy notices.
- Engage compliance and legal teams early to determine whether any data collected under discretion requires additional patient communications or deletion.
Training and communications
- Issue briefing cards for volunteers and clinicians that summarize acceptable data handling, photo restrictions, and how to escalate privacy concerns.
- Run short drills on incident reporting so staff know how to document misdirected results, missing devices, or overheard disclosures.
- Provide scripts for explaining enforcement discretion to patients while reinforcing that safeguards (encryption, access controls) still apply.
Recordkeeping
- Retain site setup photos, floor plans, and safeguard checklists for each CBTS to show how privacy was preserved in makeshift environments.
- Store copies of public notices and patient handouts alongside logs of when they were distributed or posted.