When Asking for COVID Results Violates HIPAA: Scenarios, Risks, Safeguards
HIPAA Applicability to Employers
Covered entities vs. employers
HIPAA’s Privacy Rule governs how covered entities—health plans, most health care providers, and health care clearinghouses—and their business associates handle Protected Health Information (PHI). Most employers are not covered entities when acting in their role as employers, even though they may receive health details from workers.
However, an employer’s group health plan is a covered entity, and on-site clinics or occupational health providers can be covered entities if they transmit standard electronic transactions. In those contexts, HIPAA’s PHI Disclosure Regulations and Health Information Confidentiality rules apply.
When asking for COVID results violates HIPAA
- A laboratory, clinic, or health care provider discloses an employee’s COVID-19 test result to the employer without the employee’s authorization and outside a specific HIPAA permission. Public health disclosures usually go to health authorities, not directly to the employer.
- A group health plan shares identifiable COVID-19 information with the plan sponsor for employment decisions without required plan documents, firewalls, or “minimum necessary” controls. That improper flow of PHI violates PHI Disclosure Regulations.
- A business associate handling test data for a covered entity over-collects, misuses, or improperly transmits PHI, leading to unauthorized employer access.
- An on-site clinic that is a covered provider reveals results to management without an authorization or a narrow occupational-health exception with proper employee notice.
What is not a HIPAA violation
It is not a HIPAA violation for an employer to ask an employee to share a COVID-19 result, and it is not a HIPAA violation for the employee to provide their own information. The request does, however, trigger Workplace Health Privacy duties under other laws, notably the Americans with Disabilities Act (ADA), which limits when employers may make medical inquiries and requires that whatever the employer receives be kept confidential.
Employer Rights to Request COVID-19 Test Results
When requests are lawful
Employers may request COVID-19 test results when the request is job-related and consistent with business necessity—such as return-to-work clearances, outbreak response, or roles involving close contact or vulnerable populations. Clear COVID-19 Testing Policies help ensure neutral, consistent application across similar roles.
Limitations you must observe
- Collect only what you need: result, test date, and any required clearance details—avoid broader medical history or family medical information.
- Use a secure intake process and communicate who will see the data, how it will be used, and how long it will be retained.
- Apply the policy uniformly to avoid discrimination, and document the business necessity supporting the request.
- If a vendor or telehealth service collects results on your behalf, ensure contract terms align with PHI Disclosure Regulations for the covered plan or clinic context.
Employee Rights and HIPAA
Your privacy and access rights
Employees have the right to access their own records from health care providers or health plans under HIPAA. That right to access does not prevent an employer from asking for a result, but it empowers you to obtain and share only what is necessary.
Workplace protections you can expect
Under the ADA, a COVID-19 test result obtained by an employer is a confidential medical record. Employers must maintain Health Information Confidentiality, store medical data separately from personnel files, restrict access to a need-to-know basis, and use the information only for legitimate safety or leave-management purposes.
If your information is mishandled
You can raise concerns with HR, the privacy officer for the group health plan or clinic, or relevant regulators. You may also request the employer’s written policy describing Workplace Health Privacy practices, retention, and deletion of medical records.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Employer Obligations Under ADA
Confidentiality and storage
Maintain COVID-19 results in a separate, secure medical file with limited access. Share only with supervisors and safety personnel who must act on restrictions or accommodations, not with general management or coworkers.
Job-related, business necessity standard
Screening and medical inquiries must be tied to the job and supported by a legitimate safety objective. Document the rationale—exposure risk, close-contact duties, or outbreak conditions—to demonstrate Americans with Disabilities Act Compliance.
Reasonable accommodation
Be prepared to discuss accommodations for employees affected by COVID-19 or related conditions. Consider telework, reassignment, modified schedules, or protective measures, and document the interactive process.
Consistency and nondiscrimination
Apply COVID-19 Testing Policies consistently across similar roles. Avoid singling out individuals based on protected characteristics, and ensure criteria are objective, current, and aligned with business needs.
Consequences of HIPAA Violations
Regulatory and legal exposure
Covered entities and business associates face significant civil penalties, corrective action plans, audits, and potential criminal liability for knowingly misusing identifiable health data. Although HIPAA itself provides no private right of action, state privacy, contract, or negligence laws can expose employers and vendors to litigation.
Operational and reputational risk
Breaches involving COVID-19 results can require notices to affected individuals and regulators (under the HIPAA Breach Notification Rule for covered entities and business associates, and under state breach laws more broadly), disrupt operations, erode trust, and harm recruiting and retention. Ineffective PHI controls can also jeopardize insurer and vendor relationships.
Safeguards for Handling PHI
Administrative safeguards
- Adopt written policies for Workplace Health Privacy, including data minimization, acceptable use, role-based access, retention, and disposal of Employee Medical Records.
- Train managers and HR on Health Information Confidentiality, the “minimum necessary” standard, and escalation paths for suspected breaches.
- Use documented workflows for intake, review, and de-identification so managers receive only what they need.
Technical safeguards
- Collect results through secure portals or encrypted channels; avoid open email threads and shared drives.
- Enable multi-factor authentication, access logs, and periodic audits. Restrict download/forwarding and use data loss prevention where feasible.
- Store PHI encrypted at rest and in transit, and promptly revoke access when roles change.
Physical safeguards
- Lock paper files, badge-restrict storage areas, and limit printing. Use secure shredding and certified media destruction for disposal.
Vendor and plan governance
- For group health plans or on-site clinics, align contracts with PHI Disclosure Regulations, including confidentiality, breach reporting, and return-or-destruction terms.
- Annually review vendor controls and require incident response and notification commitments.
Data minimization, retention, and reporting
- Collect only the result, date, and clearance status; avoid diagnosis notes or unrelated conditions.
- Retain data only as long as necessary under policy and law, then securely delete. Provide managers aggregated, de-identified trends when possible.
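The role-based views, audit trail, de-identified trend reporting, and retention purge described in the administrative safeguards and the data minimization bullets above can be enforced in code rather than by policy alone. The following is an added example, not code from the original article or from any vendor it mentions; the role names, field sets, group-size threshold, and sample records are assumptions chosen for illustration.

```python
"""Minimum-necessary access layer for COVID-19 test records (added example).

Shows: per-role field filtering, an access log, de-identified department
aggregates with small-group suppression, and a retention purge. Role names,
field sets, the threshold and the sample records are assumptions, not policy.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import asdict, dataclass
from datetime import date, datetime, timedelta, timezone


@dataclass(frozen=True)
class TestRecord:
    """Minimum data set: identifier, unit, result, date, clearance. No diagnosis notes."""
    employee_id: str
    department: str
    result: str       # "positive" or "negative"
    test_date: date
    clearance: str    # "cleared" or "restricted"


# Assumed roles and the fields each may see; map these to your own policy.
ROLE_FIELDS: dict[str, frozenset[str]] = {
    "occupational_health": frozenset({"employee_id", "department", "result", "test_date", "clearance"}),
    "hr_leave": frozenset({"employee_id", "result", "test_date", "clearance"}),
    # A supervisor only needs to know whether the person may be on site.
    "supervisor": frozenset({"employee_id", "clearance"}),
}
# Roles that never receive identifiable records, only de-identified aggregates.
AGGREGATE_ONLY_ROLES = {"general_management"}
# Suppress positive counts for departments smaller than this (assumed threshold),
# so a single positive cannot be tied back to one person.
SMALL_GROUP_THRESHOLD = 5


class MedicalRecordStore:
    def __init__(self) -> None:
        self._records: dict[str, TestRecord] = {}
        self.access_log: list[dict] = []

    def add(self, rec: TestRecord) -> None:
        self._records[rec.employee_id] = rec

    def _log(self, role: str, subject: str, fields: list[str], granted: bool) -> None:
        self.access_log.append({"at": datetime.now(timezone.utc).isoformat(), "role": role,
                                "subject": subject, "fields": fields, "granted": granted})

    def view(self, employee_id: str, role: str) -> dict:
        """Return only the fields the role is permitted to see; deny and log anything else."""
        allowed = ROLE_FIELDS.get(role)
        if allowed is None:
            self._log(role, employee_id, [], granted=False)
            raise PermissionError(f"role {role!r} may not read identifiable records")
        view = {k: v for k, v in asdict(self._records[employee_id]).items() if k in allowed}
        self._log(role, employee_id, sorted(view), granted=True)
        return view

    def department_summary(self, role: str) -> dict[str, dict]:
        """Counts per department for roles that need trends, not names."""
        if role not in AGGREGATE_ONLY_ROLES and role not in ROLE_FIELDS:
            self._log(role, "*", [], granted=False)
            raise PermissionError(f"unknown role {role!r}")
        totals: dict[str, dict] = defaultdict(lambda: {"tested": 0, "positive": 0})
        for rec in self._records.values():
            totals[rec.department]["tested"] += 1
            totals[rec.department]["positive"] += rec.result == "positive"
        summary = {}
        for dept, counts in totals.items():
            small = counts["tested"] < SMALL_GROUP_THRESHOLD
            summary[dept] = {"tested": counts["tested"],
                             "positive": "suppressed" if small else counts["positive"]}
        self._log(role, "*", ["department_summary"], granted=True)
        return summary

    def purge_older_than(self, retention_days: int, today: str) -> int:
        """Delete records whose test date is past the retention window; returns count removed."""
        cutoff = date.fromisoformat(today) - timedelta(days=retention_days)
        stale = [eid for eid, r in self._records.items() if r.test_date < cutoff]
        for eid in stale:
            del self._records[eid]
        self._log("retention_job", "*", [f"purged:{len(stale)}"], granted=True)
        return len(stale)


def build_demo_store() -> MedicalRecordStore:
    """Constructed sample records (not real data) so the example runs offline."""
    store = MedicalRecordStore()
    rows = [("E001", "warehouse", "positive", date(2024, 3, 1), "restricted"),
            ("E002", "warehouse", "negative", date(2024, 3, 1), "cleared"),
            ("E003", "warehouse", "negative", date(2024, 3, 2), "cleared"),
            ("E004", "warehouse", "negative", date(2024, 3, 2), "cleared"),
            ("E005", "warehouse", "negative", date(2024, 3, 3), "cleared"),
            ("E006", "finance", "positive", date(2024, 2, 1), "restricted"),
            ("E007", "finance", "negative", date(2024, 3, 3), "cleared")]
    for row in rows:
        store.add(TestRecord(*row))
    return store


if __name__ == "__main__":
    s = build_demo_store()
    print(s.view("E001", "supervisor"))   # {'employee_id': 'E001', 'clearance': 'restricted'}
    print(s.department_summary("general_management"))
    print(s.purge_older_than(30, today="2024-03-20"), "record(s) purged")
```

The supervisor path returns clearance status only, which is what a manager needs to act on a work restriction; the result and date stay with occupational health and HR. Every read, including denied ones, lands in the access log, and the summary view withholds positive counts for small departments because a count of "1 positive in a team of 2" identifies a person as surely as a name would. The retention job is the piece most often forgotten; running it on a schedule turns the retention policy into something you can demonstrate in an audit.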
Bottom line
Asking for COVID-19 results does not, by itself, violate HIPAA. Violations arise when covered entities or plans disclose PHI improperly, or when employers mishandle confidential medical data. Pair narrowly tailored requests with strong safeguards to meet legal duties and maintain trust.
FAQs
Is it a HIPAA violation for employers to ask for COVID-19 test results?
No. HIPAA governs how covered entities and their business associates handle Protected Health Information; it does not bar an employer from asking for a result. The risk arises if a provider, lab, group health plan, or on-site clinic discloses PHI to the employer without proper authorization or a permitted exception, or if the employer mishandles the information after receiving it.
What rights do employees have regarding COVID-19 test confidentiality?
Employees can expect Workplace Health Privacy: the employer must keep COVID-19 results as confidential Employee Medical Records, store them separately from personnel files, limit access to a need-to-know basis, and use them only for legitimate safety or leave decisions. Employees can also access their own records from providers or plans and may raise concerns if Health Information Confidentiality is not respected.
How should employers handle COVID-19 health information to comply with HIPAA and ADA?
Collect only the minimum necessary data, use secure submission and storage, limit access, and retain for a defined period before secure disposal. For covered plans or clinics, ensure contracts and workflows align with PHI Disclosure Regulations. Under Americans with Disabilities Act Compliance, keep information confidential, apply requests only when job-related and consistent with business necessity, and document accommodations and decisions consistently.