HIPAA and COVID Test Results: Employer Requirements, What You Can Ask
Employer's Right to Request COVID-19 Test Results
You may request employees’ COVID-19 viral test results when the request is job-related and consistent with business necessity. This is clearest for onsite roles, frequent close contact with others, health care or congregate settings, and safety-sensitive work where transmission risks are elevated.
Limit your request to what you truly need: the test type (PCR/NAAT or antigen), the date, and the result (positive/negative). Apply the same criteria to similarly situated employees and document your employer screening requirements so they are transparent and consistently enforced.
Avoid unnecessary or overbroad inquiries. Do not ask for unrelated diagnoses, detailed medical histories, or copies of full medical records. Do not rely on antibody tests to make employment decisions; they indicate past exposure, not current infectiousness.
Offer practical options to reduce friction and privacy concerns, such as accepting verified test results from reputable providers, offering on-site testing, or allowing telework while awaiting results. Always communicate why the information is needed and how it will be protected to support COVID-19 test result privacy.
HIPAA Applicability to Employers
Requesting or receiving an employee’s COVID-19 test result directly from the employee is generally not a HIPAA issue. HIPAA regulates covered entities (health plans and health care providers) and their business associates—not employers acting in their capacity as employers or handling employment records.
If your organization operates a health clinic or sponsors a group health plan, HIPAA applies to those operations. Keep these functions walled off from HR, and do not route protected health information through employment channels. Regardless of HIPAA, you still must safeguard confidentiality of medical information under other laws.
Confidentiality of Medical Information
Maintain strict confidentiality of medical information. Store COVID-19 test results in medical files separate from personnel files. Limit access to those with a legitimate business need-to-know, and share only the minimum necessary details (for example, a supervisor may be told that an employee is under a work restriction, not the diagnosis).
Adopt written protocols for collection, storage, retention, and disposal of records. Train HR and managers on the rules, and ensure vendors handling screening or recordkeeping are contractually bound to protect data. Thoughtful processes uphold confidentiality of medical information while meeting operational needs.
Genetic Information Nondiscrimination Act Restrictions
The Genetic Information Nondiscrimination Act prohibits employers from requesting, requiring, or purchasing genetic information, which includes family medical history. Do not ask whether an employee’s family member has COVID-19 or about relatives’ health conditions.
Use neutral exposure questions that avoid family references, such as, “Have you had close contact with someone diagnosed with COVID-19?” COVID-19 viral tests are not “genetic tests” under GINA, but questions that elicit family medical history are restricted. Include a GINA safe-harbor notice on forms where appropriate.
Employer's Right to Exclude Employees from Workplace
You may implement employee workplace exclusion for those who test positive, are symptomatic, or decline reasonable, job-related screening that is necessary for safety. Tailor the response to the risk: temporary leave, remote work, or reassignment may be appropriate. Apply rules consistently and document the rationale.
Share only what is necessary to protect others. For example, notify close contacts of potential exposure without naming the source. Pair exclusion decisions with clear return-to-work criteria so employees understand expectations.
ADA Considerations for Medical Inquiries
Under the ADA, medical inquiries and examinations must be job-related and consistent with business necessity. Asking for COVID-19 test results, conducting symptom screening, or permitting viral testing can meet this standard when tied to transmission risk in the workplace. Avoid fishing expeditions or questions unrelated to current fitness for duty.
Be prepared to provide reasonable accommodations, especially for individuals at higher risk or with long COVID. Consider options like telework, schedule changes, or enhanced protective measures. Do not use antibody testing for employment decisions, and keep all ADA medical inquiries confidential.
State and Local Law Considerations
State employment privacy laws may add obligations beyond federal requirements. Some jurisdictions mandate notices before collecting health data, impose retention limits, or require secure destruction. Others have specific rules on employer screening requirements, paid sick leave, or isolation practices that affect staffing policies.
Track applicable public health guidance and any sector-specific regulations. Coordinate among HR, safety, and legal to align notices, consent language, data handling, and return-to-work criteria. When in doubt, seek counsel familiar with your state and local rules to calibrate policies that respect employee rights and maintain COVID-19 test result privacy.
In summary, you can request COVID-19 viral test results when necessary for workplace safety, but you must minimize what you collect, keep it confidential, avoid family medical history under the Genetic Information Nondiscrimination Act, and apply ADA-compliant, risk-based practices—always checking state employment privacy laws that may impose additional guardrails.
FAQs
Is asking for COVID-19 test results from employees a HIPAA violation?
No. HIPAA generally does not apply to employers acting in their role as employers. However, once you collect results, you must protect confidentiality of medical information under the ADA and applicable state employment privacy laws.
What medical information can employers legally request during the COVID-19 pandemic?
You may request limited information needed for safety: the type and date of a viral test and the result, symptom and exposure information, and compliance with employer screening requirements. Do not ask for unrelated diagnoses or family medical history, and do not rely on antibody tests for employment decisions.
Can employers exclude employees who refuse to provide COVID-19 test results?
Yes, if the request is job-related and consistent with business necessity and applied uniformly. Before exclusion, consider alternatives such as on-site testing, temporary telework, or leave, and ensure any employee workplace exclusion is documented and nondiscriminatory.
How does the Genetic Information Nondiscrimination Act affect inquiries about family members' health?
GINA bars employers from requesting or relying on genetic information, including family medical history. Do not ask if a family member has COVID-19. Instead, use neutral exposure questions that avoid referencing relatives while still addressing workplace risk.