As we continue to perform greater numbers of COVID-19 swab (PCR) and blood (antibody) testing under assorted settings, it is important to keep in mind that the results of these tests are subject to HIPAA privacy and security compliance rules. With the declaration of a public health emergency and exception to HIPAA compliance, many covered entities and business associates now have a misconception that they can use and share COVID-19 testing results. In reality, that is not the case. In today’s article, we will try to clear up this misconception.

COVID-19 Compliance for Health Care Providers

First, it is important to know that the Department of Health and Human Services (HHS) has created an official website for health care providers. This site contains HIPAA-related information and guidance related to COVID-19, such as the notices issued by the HHS regarding enforcement discretion for telehealth services relating to COVID-19.

In March, the HHS issued an extremely limited waiver of certain HIPAA requirements, which led to a common public misconception that HHS was “relaxing” HIPAA rules. The rule was actually applied narrowly to hospitals that have instituted a disaster protocol, and then only for up to 72 hours after initiation of the protocol. After that, numerous notices and guidance from the HHS have repeatedly emphasized the need to abide by HIPAA rules during the COVID-19 public health emergency.

HIPAA Compliance Management Application

Reduce Administrative Burden

See all the information in a centralized space

Keep your team updated with regular information

Contact Us

COVID-19 Testing and Exception of HIPAA Compliance

COVID-19 Testing and Exception to HIPAA Compliance

According to HIPAA rules, a covered entity may disclose COVID-19 test results obviously to the individual patient, and may also use and disclose test results as necessary to treat the patient. There is also an exception for persons in a position to lessen health and safety threats, to disclose test results without authorization. Test results can also be disclosed to third parties, such as employers in compliance with HIPAA privacy rules. As we know already, the patient himself may also authorize the release of COVID-19 test results to a third party in a written authorization that meets HIPAA requirements. Covered entities engaged in COVID-19 testing are well-advised to obtain this kind of written authorization from the individual patient as a matter of course if the test results are to be disclosed to an employer. Written authorization is also advisable in case the test results are used for contact tracing purposes by the covered entity.

In some very limited circumstances, the public health activities provision of HIPAA permits covered entities to disclose COVID-19 test results to an employer without the individual’s authorization. The covered entity must provide the test results to the individual at the employer’s request, for information concerning a work-related illness or injury or workplace-related medical surveillance. This kind of information is needed by the employer to comply with OSHA, the Mine Safety and Health Administration (MSHA), or similar state law requirements.

In the context of COVID-19 testing, the public health activities exception may apply when the employer is a licensed health care service provider, such as a skilled nursing facility, given that they may have such federal- or state-mandated workplace safety reporting requirements. The covered entity must provide the employee with written notice of the disclosure to the employer in all such cases.  It is important to recognize that this exception generally would not apply to fitness-for-duty examinations.

Many employers have implemented COVID-19 testing as part of a replacement or fitness-for-duty examination. Covered entities may not disclose their results to the employer without written authorization from the individual patient to do so.

In order to remain HIPAA compliant and avoid penalties during this time of the global pandemic, you can rely on HIPAA Ready. The HIPAA Ready app is designed to be a modern, affordable, and effective way of simplifying HIPAA compliance. This robust application streamlines the HIPAA compliance management process by managing a digital checklist of tasks, meetings, and training information.