Human Resources

Can Providers Release COVID-19 Test Results to Employers: Yes or No?

Hey Compliance Warriors!

One of the most frequent questions we get at HelpDeskSuites.com is “Can Providers Release COVID-19 Test Results to Employers?” This is a complicated topic that needs to be FULLY understood. So, check out an explanation by attorney Laura Gerdes Long with Danna McKitrick, PC Attorneys at law. Read on…

By Laura Gerdes Long

So, your furloughed employee[i] is returning to work – Hooray!? Not so fast. Employers and the medical providers who are treating and perhaps testing these employees/patients for COVID-19 need to be wary about who is able to disclose and use testing information and to whom.  Both sides must tread carefully and follow strict guidelines in such situations.

For over two decades, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) has governed disclosure of an individual’s protected health information and has prevented a medical provider from unilaterally disclosing sensitive health information to employers.  Even faced with a previously unimaginable global pandemic, from its implementation in 2003, the HIPAA Privacy Rule has had procedures in place that address this thorny legal issue.

Take the following hypothetical example: An employer furloughs an employee as a reduction in work force for financial reasons. While on furlough, the rumor mill is active and the employer “hears” that this employee may have been experiencing COVID-19 symptoms while on furlough.  May the employer reach out to the employee’s medical provider to obtain medical information specifically related to COVID-19 testing? May the provider release such information if the employer contacts the provider to inquire? Work-arounds exist under the HIPAA Privacy Rule or may exist when the employer pays for COVID-19 testing.

Option 1:  Consent Upfront.

A medical provider’s best practices suggest that at the time the patient is initially seen, the medical provider obtains the patient’s consent/authorization to directly release COVID-19 testing data to the individual’s employer.  Indeed, the HIPAA Privacy Rule has always allowed a provider to refuse to examine the patient unless she executes a legal authorization.[ii]  In this way, the provider is conditioning the patient’s testing on the receipt of a valid HIPAA authorization directed to the patient’s employer, which is perfectly legal under HIPAA.

Option 2: HIPAA Workplace Medical Surveillance Exception

Similarly, the HIPAA Privacy Rule has always contained a myriad of exceptions to allow disclosure of an individual’s health information data under discrete circumstances such as in cases of child or adult abuse or neglect, to a public health authority that is collecting information to control disease, injury or disability, or for data on births, deaths, public health surveillance, investigations and interventions, and the list goes on.

Within this list is buried another exception when the employer is legally mandated to perform workplace health monitoring.[iii] In this scenario, the minimum necessary medical information may be disclosed to the employer. Of course, the medical provider is required, at the outset, to inform his patient (the employee) in writing of this legal obligation and that the patient’s information will be disclosed to her employer at the time the patient is tested. Upon closer examination, this exception may be further limited in scope to the situation where the medical provider actually provides health care to the employee at the employer’s request, such as for workers’ compensation matters.

Option 3: Employer-subsidized testing

Employers who pay for employees to have COVID-19 testing may lead to the employer obtaining information concerning the identity of the specific employees tested and when the testing was conducted. The disclosed information, however, would not entitle the employer to the test results.

While all of these options must be considered in light of Missouri state law, where Missouri law is silent on the particular issue or does not contain a more stringent requirement in furtherance of patient privacy, the HIPAA Privacy Rule governs.

The take-away:  This is mostly uncharted territory, so employers and medical providers are cautioned to tread carefully, and in consultation with experienced legal counsel.

Posted by Attorney Laura Gerdes Long. Long practices in tort, insurance defense, legal malpractice, health care, and employment law. Well-versed in employment law policies and processes related to HIPAA, she serves as a trainer and advisor to health care providers, insurers, self-insured employers, and municipalities.

[i]       For purposes of this article, we are assuming the furlough was due to economic consideration caused by the COVID-19 epidemic, not because the employee had actually been stricken with the virus.

[ii]     45 § 164.508 Uses and disclosures for which an authorization is required. * * * *

(b)(4) Prohibition on conditioning of authorizations. A covered entity may not condition the provision to an individual of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of an authorization, except:  * * * * *

(iii)  A covered entity may condition the provision of health care that is solely for the purpose of creating protected health information for disclosure to a third party on provision of an authorization for the disclosure of the protected health information to such third party. . . . .

[iii]     45 § 164.512 Uses and disclosures for which an authorization or opportunity to agree or object is not required.  * * * * *

(b)   Standard: Uses and disclosures for public health activities. * * * *

(1)   Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: * * * *

(v)   An employer, about an individual who is a member of the workforce of the employer, if:

(A)   The covered entity is a covered health care provider who provides health care to the individual at the request of the employer:

(1)   To conduct an evaluation relating to medical surveillance of the workplace; or

(2)   To evaluate whether the individual has a work-related illness or injury;

(B)   The protected health information that is disclosed consists of findings concerning a work-related illness or injury or a workplace-related medical surveillance;

(C)   The employer needs such findings in order to comply with its obligations, under 29 CFR parts 1904 through 1928, 30 CFR parts 50 through 90, or under state law having a similar purpose, to record such illness or injury or to carry out responsibilities for workplace medical surveillance; and

(D)   The covered health care provider provides written notice to the individual that protected health information relating to the medical surveillance of the workplace and work-related illnesses and injuries is disclosed to the employer.


Lisa Smith is CEO of Andere Corporation and Chief Content Developer at HelpDeskSuites.com. Follow her on Twitter, connect with her on LinkedIn, listen to her Small Business Spoonfuls Podcast, and find more in her Compliance Warriors Facebook Group.

Log in or Register to save this content for later.