As COVID-19 swab (PCR) and blood (antibody) testing continue to occur in greater numbers and diverse settings, it is important to recognize that the results of such tests are subject to HIPAA privacy and security compliance rules. There is a common public misconception that the declaration of a public health emergency has created a broad exception for covered entities and business associates to use and share COVID-19 testing results. This is not the case.
First, it is important to recognize that the Department of Health and Human Services (HHS) has created an official website for health care providers which contains HIPAA-related information and guidance pertaining to COVID-19. Among the information available are notices issued by the HHS, such as the notice of enforcement discretion for telehealth services relating to COVID-19, which was analyzed in our previous blog post, “OCR Will Not Seek Enforcement Action for Use of Non-Compliance Telehealth Communications During the Coronavirus (COVID-19) National Public Health Emergency.”
In March, the HHS issued an extremely limited waiver of certain HIPAA requirements, which applied narrowly to hospitals that have instituted a disaster protocol, and then only for up to 72 hours after initiation of the protocol. Reports of this waiver led to a common public misconception that HHS was “relaxing” HIPAA rules. Notices and guidance from the HHS have repeatedly emphasized the need to observe HIPAA rules during the COVID-19 public health emergency.
Under HIPAA, a covered entity may disclose COVID-19 test results obviously to the individual patient, and may also use and disclose test results as necessary to treat the patient. There is also an exception that allows disclosure without authorization in cases of a serious and imminent threat to health and safety, to persons in a position to lessen the threat. Disclosure of test results to third parties, such as employers, must be done in compliance with HIPAA privacy rules. As is well known, an individual patient may authorize the release of COVID-19 test results to a third party in a written authorization that meets HIPAA requirements. Covered entities engaged in testing are well-advised to obtain such written authorization from the individual patient as a matter of course if the test results are to be disclosed to an employer. Written authorization is also advisable if the covered entity will use the test results for contact tracing purposes.
The public health activities provision of HIPAA permits covered entities to disclose COVID-19 test results to an employer without the individual’s authorization in very limited circumstances. The covered entity must provide the testing to the individual at the employer’s request, for information concerning a work-related illness or injury or workplace-related medical surveillance, and because such information is needed by the employer to comply with OSHA, the Mine Safety and Health Administration (MHSA), or similar state law requirements. In the context of COVID-19 testing, the public health activities exception may apply when the employer is a licensed health care facility, such as a skilled nursing facility, given that they may have such federal or state-mandated workplace safety reporting requirements. The covered entity must provide the employee with written notice of the disclosure to the employer in all such cases. It is important to recognize that this exception generally would not apply to fitness-for-duty examinations.
For employers who have implemented COVID-19 testing as part of a pre-placement or fitness-for-duty examination, covered entities may not disclose results to the employer absent written authorization from the individual patient to do so.