Can You Request Employees’ COVID Test Results? HIPAA Rules, Exceptions, Checklist
Employer Access to Employee COVID-19 Test Results
You may ask employees to share their COVID-19 test results when the request is job-related and needed to protect workplace safety. Typical triggers include a confirmed exposure, symptoms at work, return-to-work after illness, or compliance with workplace safety regulations in high‑risk settings.
Practice data minimization. Request only what you need: the result (positive or negative), the test type (antigen or PCR), and the test date. Avoid broader medical details. Do not ask about family members' test results or medical conditions: family medical history is genetic information under the Genetic Information Nondiscrimination Act (GINA), and asking for it could implicate that statute.
When notifying others of potential exposure, share only what is necessary for COVID-19 exposure notification without naming the affected employee. Limit who sees results to those with a legitimate need to know, such as HR or a designated safety officer.
HIPAA Applicability to Employers
HIPAA regulates covered entities (health plans, healthcare clearinghouses, and healthcare providers that conduct standard electronic transactions) and their business associates, not employers in their role as employers. Employment records you maintain are generally outside HIPAA, but you still must honor medical information privacy under other laws, such as the ADA and state statutes, and under your own policies.
If you sponsor a group health plan, that plan must follow HIPAA compliance rules. Keep plan data segregated from personnel files and limit access to plan PHI to plan functions only. Do not pull plan-held information (like lab results) into employment decisions without the employee’s explicit authorization.
When a healthcare provider or testing vendor holds the result, they usually need the employee’s signed authorization to disclose it to you. An onsite clinic may be a HIPAA-covered provider; treat disclosures from that clinic the same way—via employee authorization or another valid HIPAA exception.
ADA Requirements for Employers
Under the ADA, requests for medical information must be job-related and consistent with business necessity. COVID-19 testing and documentation fall under medical inquiries, so you need a clear safety or operational basis before requiring proof of results.
The ADA's confidentiality rules require you to store employee health information separately from personnel files, restrict access, and share it only on a need-to-know basis. Long COVID may qualify as a disability; be prepared to consider reasonable accommodations where appropriate.
Keep your process neutral and consistent. Apply the same criteria to similarly situated roles, and avoid probing broader medical history unrelated to current work duties or safety needs.
Employee Consent for Disclosure
When you need results sent directly from a provider or lab, obtain a HIPAA authorization that specifies what will be disclosed, to whom, for what purpose, and for how long. Make clear that the authorization is limited to the COVID-19 test result, not the employee’s entire medical record.
Offer a choice: employees can upload their own documentation or authorize the provider to send it to you. Avoid blanket, open‑ended consents. Explain how you will safeguard the employee health information and when you will delete it.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
State Laws on Medical Information
Many states add protections beyond federal law, including stricter rules for collecting, storing, and disclosing medical information, employee access rights, and data‑breach notification duties. Some states impose penalties for mishandling medical records or for failing to provide adequate safeguards.
Check state and local requirements on retention periods, employee inspection rights, and restrictions on re‑use of medical data for non‑safety purposes. When federal and state rules differ, follow the rule that provides greater medical information privacy protection.
Employer Obligations Upon Positive Test Results
Respond promptly and discreetly. Instruct the employee to follow current public health guidance, begin contact tracing within the workplace, and perform appropriate cleaning protocols. Provide COVID-19 exposure notification to close contacts without identifying the employee.
Evaluate leave and pay obligations under company policy and applicable laws. Consider FMLA eligibility for serious health conditions and reasonable accommodations if long COVID impairs major life activities. Assess any workers’ compensation issues if illness may be work‑related.
Review OSHA and industry requirements that may affect recordkeeping, reporting, or protective measures. Document your steps to demonstrate consistent, good‑faith enforcement of workplace safety regulations.
Handling of Test Results
Adopt strict safeguards. Store results in a secure medical file, separate from personnel records, with access limited to designated staff. Encrypt digital files at rest and in transit, keep an audit log of who accessed which record and why (including denied attempts), and train recipients on their confidentiality obligations.
Collect only what you need and keep it only as long as necessary. Establish a retention schedule, define destruction procedures, and ensure vendors handling employee health information follow comparable protections through written agreements.
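The safeguards above (minimum-necessary fields, a medical file kept apart from personnel data, need-to-know access with an audit trail, de-identified exposure notices, and retention-based destruction) are easier to enforce in code than in a policy memo. The following Python is an added illustration written for this page, not code from any statute, regulator or vendor. The role names, the 30-day retention period and the `employee_id` field are assumptions chosen for the example; set them from your own written policy and applicable state law.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Allowed values for the three minimum-necessary fields.
ALLOWED_RESULTS = {"positive", "negative"}
ALLOWED_TEST_TYPES = {"antigen", "pcr"}
# Roles assumed (for this example) to have a legitimate need to know.
NEED_TO_KNOW_ROLES = {"hr", "safety_officer"}
# Assumed retention period; take the real value from your retention schedule.
RETENTION_DAYS = 30


@dataclass(frozen=True)
class TestResult:
    employee_id: str
    result: str       # "positive" or "negative"
    test_type: str    # "antigen" or "pcr"
    test_date: date


def minimize(raw: dict) -> TestResult:
    """Accept only employee_id, result, test_type and test_date (ISO string).

    Any other field (symptoms, diagnosis codes, family history) is rejected
    outright rather than silently dropped, so the caller learns that it
    asked for more than the minimum necessary.
    """
    allowed = {"employee_id", "result", "test_type", "test_date"}
    extra = set(raw) - allowed
    if extra:
        raise ValueError(f"fields beyond the minimum necessary: {sorted(extra)}")
    missing = allowed - set(raw)
    if missing:
        raise ValueError(f"missing required fields: {sorted(missing)}")
    result = str(raw["result"]).strip().lower()
    test_type = str(raw["test_type"]).strip().lower()
    if result not in ALLOWED_RESULTS:
        raise ValueError(f"result must be one of {sorted(ALLOWED_RESULTS)}")
    if test_type not in ALLOWED_TEST_TYPES:
        raise ValueError(f"test_type must be one of {sorted(ALLOWED_TEST_TYPES)}")
    return TestResult(str(raw["employee_id"]), result, test_type,
                      date.fromisoformat(raw["test_date"]))


class MedicalFile:
    """Segregated store for test results, held apart from personnel records."""

    def __init__(self):
        self._records = {}   # employee_id -> TestResult
        self.audit_log = []  # one entry per access attempt, granted or not

    def _audit(self, action, role, employee_id, purpose, granted):
        self.audit_log.append({"action": action, "role": role,
                               "employee_id": employee_id,
                               "purpose": purpose, "granted": granted})

    def record(self, role: str, raw: dict, purpose: str) -> TestResult:
        """Store a minimized result; only need-to-know roles may write."""
        rec = minimize(raw)
        if role not in NEED_TO_KNOW_ROLES:
            self._audit("write", role, rec.employee_id, purpose, False)
            raise PermissionError(f"role {role!r} may not store test results")
        self._records[rec.employee_id] = rec
        self._audit("write", role, rec.employee_id, purpose, True)
        return rec

    def read(self, role: str, employee_id: str, purpose: str) -> TestResult:
        """Return a result only to a need-to-know role; log every attempt."""
        granted = role in NEED_TO_KNOW_ROLES
        self._audit("read", role, employee_id, purpose, granted)
        if not granted:
            raise PermissionError(f"role {role!r} has no need to know")
        return self._records[employee_id]

    def exposure_notice(self, employee_id: str) -> str:
        """Text for close contacts: the exposure date, never the employee."""
        rec = self._records[employee_id]
        if rec.result != "positive":
            raise ValueError("exposure notices are only issued for positive results")
        return (f"A colleague who was on site tested positive for COVID-19 on "
                f"{rec.test_date.isoformat()}. Follow current public health guidance.")

    def purge_expired(self, today) -> int:
        """Destroy records older than RETENTION_DAYS; return how many."""
        if isinstance(today, str):
            today = date.fromisoformat(today)
        cutoff = today - timedelta(days=RETENTION_DAYS)
        expired = [eid for eid, r in self._records.items() if r.test_date < cutoff]
        for eid in expired:
            del self._records[eid]
            self._audit("destroy", "retention_job", eid, "retention schedule", True)
        return len(expired)

    def __contains__(self, employee_id: str) -> bool:
        return employee_id in self._records
```

Two design points are worth noting. `minimize` fails closed on unexpected fields instead of discarding them, which surfaces over-collection at the intake form rather than hiding it in storage. Every read, including denied ones, lands in the audit log, so the log doubles as evidence of consistent enforcement if a practice is later questioned. Encryption at rest is deliberately left to the storage layer (a full-disk or database-level control) rather than re-implemented here.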
Employer Checklist
- Confirm business necessity for requesting results and apply criteria consistently.
- Minimize scope: request only result, test type, and date—nothing more.
- Use employee authorization if obtaining results from a provider or lab.
- Segregate medical files; restrict access on a strict need‑to‑know basis.
- Provide de‑identified COVID-19 exposure notification; never name the employee.
- Set retention and destruction timelines; document your process.
- Train staff, monitor compliance, and vet vendors for equivalent safeguards.
Conclusion
You may request COVID-19 test results when it is necessary for safety and operations, but you must minimize data, preserve confidentiality, and follow overlapping rules. Align your process with HIPAA compliance boundaries, ADA confidentiality requirements, state privacy laws, and sound recordkeeping to protect employees and your organization.
FAQs
Is asking for COVID-19 test results a HIPAA violation?
Generally no. HIPAA does not regulate you in your role as an employer. However, if a provider holds the result, they typically need the employee’s authorization to send it to you. Regardless, you must safeguard the information under the ADA and applicable state privacy laws.
Can employers share employee COVID-19 test results?
Share only on a need‑to‑know basis for safety or compliance, and avoid naming the employee in COVID-19 exposure notification. Do not post or broadly disclose results. Limit internal access and keep disclosures proportional to the legitimate purpose.
What are employers’ obligations under ADA regarding medical information?
Collect only when job‑related and necessary, store separately from personnel files, restrict access, and keep it confidential. Consider reasonable accommodations where needed, especially when long COVID substantially limits major life activities.
Do state laws override HIPAA for COVID-19 test data?
HIPAA sets a federal floor for covered entities and does not preempt stricter state law. States may impose tighter medical information privacy protections, and many state employee-privacy statutes apply to you directly even where HIPAA does not. When more than one rule applies, follow the most protective one and make sure your procedures meet the highest applicable standard.