Healthcare Legal Alert: HIPAA Waiver for Entities Operating COVID-19 Community-Based Testing Sites (“CBTS”)

On April 9, 2020, the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) announced that it will exercise its enforcement discretion and will not impose penalties for violations of the HIPAA rules against covered entities or business associates in connection with good faith participation in the operation of CBTS during the COVID-19 nationwide public health emergency.  The waiver is effective immediately and is retroactive to March 13, 2020.

Covered entities and business associates that facilitate the operation of CBTS are still encouraged to implement reasonable safeguards to protect the privacy and security of individuals’ PHI, such as:

  • Using and disclosing only the minimum PHI necessary, except when disclosing PHI for treatment;
  • Setting up canopies or similar opaque barriers to provide privacy to individuals during the collection of samples;
  • Controlling foot and car traffic to maintain adequate distancing at the point of service and minimize what people see or overhear during screening interactions (a distance of at least six feet furthers social distancing recommendations and minimizes incidental disclosures of PHI);
  • Establishing a buffer zone to prevent members of the media or public from observing or filming individuals who approach a CBTS and posting signs prohibiting filming;
  • Using secure technology to record and transmit electronic PHI; and
  • Posting a Notice of Privacy Practices (NPP) or information about how to find the NPP online, if applicable, in a place that is readily viewable by individuals who approach a CBTS.

Note, however, that this waiver does not apply to covered entities or business associates when they are performing non-CBTS related activities. For example, a covered entity that experiences a breach of PHI in its existing electronic health record system, which includes PHI gathered from the operation of a CBTS, could still be subject to a civil money penalty for violations of the HIPAA Breach Notification Rule if it fails to notify all individuals affected by the breach (including individuals whose PHI was created or received from the operation of a CBTS).

A full copy of the OCR Notification is available here:

Please visit our Healthcare Law Practice Area to learn more about the legal services we can provide in this area. If you have any questions or would like more information on the issues discussed in this communication, please contact any member of our Healthcare Law practice.


This communication is for informational purposes and is not intended as legal advice.