Is COVID-19 Testing Protected by HIPAA? Your Privacy Rights Explained


Kevin Henry

HIPAA

May 21, 2026

Overview of HIPAA and Protected Health Information

What HIPAA protects

HIPAA safeguards Protected Health Information (PHI)—any individually identifiable health data created or received by a health care provider, health plan, or clearinghouse. When a lab, clinic, pharmacy, or telehealth service performs COVID-19 testing, your identity plus the fact and results of the test are PHI.

HIPAA applies to Covered Entities and their Business Associates. Covered Entities include health care providers that transmit claims electronically, health plans, and clearinghouses. Business Associates are vendors or subcontractors that handle PHI on a Covered Entity’s behalf under a written agreement.

Key principles that shape privacy

  • Minimum necessary: limit uses and disclosures to what’s reasonably needed for the purpose (not applicable to treatment or disclosures authorized by the patient).
  • Individual rights: you may access, obtain copies of, and request corrections to your COVID-19 test records.
  • Security: entities must protect electronic PHI with administrative, physical, and technical safeguards.

Handling COVID-19 Test Results by Covered Entities

Permitted uses and disclosures

Covered Entities may use or disclose COVID-19 test results without Patient Authorization for treatment, payment, and health care operations. They may also disclose results to public health authorities when required or permitted by law, and to other recipients in narrow, rule-defined circumstances.

Patient access and delivery

You have a right to timely access to your results, typically within 30 days of your request. Covered Entities can deliver results through secure portals, mail, or phone after verifying identity. If you request unencrypted email or SMS, they should warn you of risks and honor your preference.

Role of Business Associates

Labs and providers may rely on Business Associates—such as cloud services, billing vendors, or patient portals—under Business Associate Agreements. These contracts require Business Associates to safeguard PHI and limit how it is used or shared.

HIPAA Enforcement Discretion During the Public Health Emergency

Temporary flexibilities (now expired)

During the federal COVID-19 Public Health Emergency, the Office for Civil Rights (OCR) announced limited HIPAA Enforcement Discretion to support pandemic response. Examples included good-faith telehealth use of common video tools and operations at Community-Based Testing Sites.

The Public Health Emergency ended on May 11, 2023. OCR’s temporary flexibilities expired, with a brief transition period for certain telehealth provisions. Today, standard HIPAA compliance and enforcement apply in full.

What this means now

  • Covered Entities and Business Associates must meet all Privacy and Security Rule requirements, including risk analysis and appropriate safeguards.
  • Any workflows built under temporary flexibilities should have been remediated to meet full HIPAA standards.

Privacy Obligations of Employers Receiving Test Results

When HIPAA applies—and when it does not

HIPAA generally does not apply to employers in their role as employers. It protects COVID-19 test results when held by a Covered Entity (such as a lab or provider) or its Business Associate. An employer-sponsored group health plan is a Covered Entity, but the employer itself typically is not.

Getting results from a provider

A health care provider may send an employee’s results to an employer only with a valid, written Patient Authorization, or in limited situations allowed by law (for example, certain workplace medical surveillance required by safety regulations with proper notice to the employee). Absent such bases, providers should send results directly to the individual.

Employer confidentiality duties

Under the Americans with Disabilities Act (ADA), any employee medical information—including COVID-19 test results—must be kept confidential, stored separately from personnel files, and shared strictly on a need-to-know basis. State privacy or recordkeeping laws may add further limits.

Practical steps for employers

  • Collect only what is job-related and necessary; prefer visual confirmation over retaining copies when feasible.
  • Limit access to HR/occupational health staff and secure records with defined retention schedules.
  • Train managers not to disclose an employee’s medical information to coworkers.

Different laws, complementary protections

HIPAA governs how Covered Entities and Business Associates may use and disclose PHI. The ADA governs employers’ collection, use, and storage of employee medical information and restricts disability-related inquiries and medical exams unless job-related and consistent with business necessity.

Common scenarios

  • Provider to employer: requires Patient Authorization or a specific legal allowance; otherwise, send results to the employee.
  • Employer handling records: ADA confidentiality applies; HIPAA usually does not unless the employer is operating a health plan or clinic covered by HIPAA.
  • Public health reporting: providers may report positive results to public health authorities without patient authorization when permitted or required by law.

Patient Authorization and Disclosure Requirements

When authorization is required

A written Patient Authorization is typically required to disclose COVID-19 test results to an employer, school, or other third party not involved in your care, unless another HIPAA permission or legal requirement applies. Authorizations must be in plain language and specify what information will be disclosed, to whom, for what purpose, and for how long.

When authorization is not required

  • Treatment, payment, and health care operations.
  • Public health activities and health oversight, when permitted or required by law.
  • Disclosures to the individual or their personal representative.
  • Disclosures required by law or pursuant to a valid court order.

Minimum necessary and safeguards

Outside of treatment and patient-directed disclosures, Covered Entities should follow the minimum necessary standard and implement reasonable safeguards—such as private check-in processes, secure portals, and identity verification—before sharing results.

Implications for Community-Based Testing Sites

Does HIPAA apply at these sites?

Community-Based Testing Sites operated by a Covered Entity (for example, a hospital-run drive-through) or its Business Associate must follow HIPAA. If a site is run by an organization not acting as a Covered Entity or Business Associate, HIPAA may not apply, though state laws and consumer protection rules still can.

Operational best practices

  • Collect only necessary data and separate identifiers from results where feasible.
  • Position staff and signage to protect spoken privacy; avoid calling out results within earshot of others.
  • Secure forms, printers, and sample labels; minimize visible PHI at check-in.
  • Provide clear notices about who operates the site, how PHI is used, and how individuals can access their results.

Conclusion

COVID-19 test results are protected as PHI when held by Covered Entities or their Business Associates. Disclosures to employers usually require Patient Authorization, while public health reporting follows legal allowances. After the Public Health Emergency ended, full HIPAA compliance and enforcement apply to all testing operations.

FAQs

Are COVID-19 test results considered protected health information under HIPAA?

Yes. When a health care provider, lab, health plan, or their Business Associates create or receive your test results, those results—along with identifying details—are Protected Health Information (PHI) and are covered by HIPAA.

Does HIPAA apply to employers who receive COVID-19 test results?

Generally, HIPAA does not apply to employers in their capacity as employers. A provider may disclose results to an employer only with Patient Authorization or under narrow legal allowances. Once an employer has medical information, the ADA requires it be kept confidential and separate from personnel files.

What HIPAA enforcement changes occurred during the COVID-19 public health emergency?

OCR exercised HIPAA Enforcement Discretion to support pandemic response (for example, good-faith telehealth and certain Community-Based Testing Sites). These temporary flexibilities have expired; full HIPAA compliance and enforcement now apply.

How must covered entities handle patient authorization for COVID-19 test result disclosures?

Authorizations must be written in plain language and specify the information to be disclosed, the recipient, purpose, and expiration. Covered Entities should verify identity, honor the individual’s directions, and disclose only the minimum necessary unless the disclosure is for treatment or is patient-directed to a designated third party.
