HIPAA mainly protects a patient's protected health information (PHI), which drug testing can often fall under. Drug test results are treated like any PHI where consent is needed for disclosure, except when individuals agree to release the information to certain individuals, like their employer.
What HIPAA says about sharing drug test results
The Privacy Rule generally restricts the sharing of PHI without patient consent. The limited instances where consent is not necessary, such as a response to a court order, during a legal investigation, or for worker's compensation claims. To release drug test results to other individuals or entities, the patient will need to provide authorization.
A study published in The Journal of Urgent Care Medicine states, “An employer should have restrictions on how (and if) such information can be shared with others. As part of this process, employees who undergo a drug test will typically sign a release at the time of the test to permit the employer to receive the results.”
Although HIPAA can apply to patient information collected by providers, it does not protect employment records. In short, if drug tests are not handled by healthcare practitioners, HIPAA does not apply.
When can drug test results be shared without consent?
As mentioned, drug testing is treated like any other PHI when handled by providers or covered entities. It can therefore only be shared without consent in the following instances:
- In response to legal orders or investigations. During litigation or in criminal cases drug test results may need to be disclosed, overriding the need for patient consent.
- In the instances where employees make a worker's compensation claim, drug test results can be shared with insurers and related parties.
- When public health and safety are at risk HIPAA allows for disclosures of PHI without patient consent.
How to handle sharing drug test results without consent
Identify the legal basis for disclosure
When disclosure is requested, make sure that the reason for the request aligns with the exceptions mentioned above, such as a court order.
Limit any disclosures to only what is necessary
HIPAA uses the minimum necessary standard to ensure only the necessary information is shared. It means that:
- Only sharing information specifically required by the legal or regulatory request.
- Not disclosing additional information like unrelated results or additional personal information.
- Set mechanisms to ensure only authorized personnel or entities receive results.
Securely document disclosures
Maintain a detailed record of the steps followed from the disclosure request. The information documented includes:
- The reason behind the disclosure.
- The specific exception applies.
- The exact information that was shared and with whom.
- The date, time, and method of disclosure.
- Efforts made to limit the disclosure to what is necessary.
Protect drug results during transmission
Make use of secure methods of sharing any PHI including drug test results. One of the best possible methods of doing so is HIPAA compliant email like Paubox which allows for the inclusion of features like encrypted messaging as well as convenient, consistent communication.
FAQs
Can law enforcement access PHI without consent or a subpoena?
Yes, but only as required by law or to prevent serious threats to the health and safety of persons or populations.
What are the legislative purposes for which PHI can be shared by providers?
A few specific instances include proceedings and enforcement purposes.
Kirsten Peremore
