A client that’s company in the commercial construction industry has asked me a HIPAA question I’m not sure how to answer.  Wondering if any of you has any thoughts.  He says:  “Our customers sometimes want to see drug testing results. We obtain the results lawfully because we require the employee to sign an authorization when hired. But the statute (42 USC § 1320d et seq.) says that any person ‘who knowingly and in violation of this part … (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, shall be punished as provided in subsection (b) of this section [which provides for a fine up to $50,000 and imprisonment for up to a year].’  Just because we’re obtaining the information legally, does that mean we’re free to disclose it to anybody we want to (assuming we’re not a ‘covered entity’ under the implementing HHS regs (45 CFR parts 160 and 164), which is a whole different can of worms)?”

I believe he’s looking for an authority to cite to customers as a reason for declining their request for drug testing results.  Thoughts?

Thanks.

My recommendation is to keep the information confidential.  There is no business reason for the customer to have drug test results.  YOou may have to certify that you do drug test and have a policy thataddresses negative results.  Further, if you are federally funded, you have to drug test and have a no tolerance policy, anyway.  Hope tis helps.

I would not disclose the information.  You have had the EE’s sign a document allowing for their information to be disclosed.  But your company is the only one privy to that information.  Any other third part is not included as an authorized entity to receive that information.  Now you may be able to give the customer a percentage or ratio of how many people pass/fail the test.  But there should not be any identifiable information included in whatever you give them.

That is confidential information. I do not think it wise to release it to anyone. The form the employee signed is for the company only.  Not only that, but the information should only go to employees within the company that have a need to know.

I agree with the other posters and the one that stated a general pass or fail average could be given as long as no individual employees or results were released.

Shirley

This is a common question.
1. HIPPA does NOT APPLY to general workplace drug testing. Drug abuse is considered a legal vs. medical issue unless employers create an issue by mixing workplace drug test results with medical records. Workplace place drug test records must be kept separate from any employee medical records /information.
2. Drug test results should, however, be kept confidential. Typically they are available to supervisors, management, and persons involved in the testing process (test administrator / specimen collector for on-site or lab tests, laboratory, MRO, and associated service providers)
3. Remember that RANDOM DRUG TESTING via OBSERVED SPECIMEN COLLECTION is the most effective method to mitigate workplace substance misuse in association with education and employee assistance programs.
Urine-based testing typcially can not be observed and therefore SHOULD NOT be relied upon exclusively.
4. It is IMPORTANT to test for PRESCRIPTION PAIN RELIEVER’S (Oxycodone, Hydrocodone) in addition to Meth, Cocaine, and traditional opiates (codeine, morphine, heroin).
5. EMPLOYERS ARE LEGALLY RESPONSIBLE for providing a safe work place, and WORKPLACE DRUG TESTING, INCLUDING RANDOM DRUG TESTING IS LEGAL THROUGHOUT THE US, despite misinformation you may hear otherwise.

VISIT WWW.NAVIGENT3.COM FOR MORE INFORMATION

I would also be concerned about possible State invasion of privacy claims (to the extent one exists).  I think an employee would have a reasonable expectation that the results were not being disclosed.  Presumably, you’re only allowing employee to work who have actually passed the appropriate screening (basically, if the employee is working construction, he/she has passed the drug screen).

Although you may be getting the information legally you may not pass this information onto another company without a written consent from that employee or employee to be.  Typically this is done with a release of confidential information form with that company name on it.  This should releave you of legal action.  Make sure that both the employee and employeer reconize that the information may not be passed on to anyone else without written permission from employee it concerns.  Just because you have the information based on the employee’s approval does not mean that you have permission to release the information to anyone else.  Even the drug testing place has to have the employee sign to release this information to your company.  Same applies to you.

If the individual gives his or her authorization, or provides the medical information directly to the employer (e.g., submission of a drug test result required for employees) that medical information becomes part of the employment record and is no longer PHI (Protected Health Information). It is not the nature of the information, but the capacity in which it was generated or received, that determines whether it is subject to HIPAA.  If your authorization form specifically sets forth that the results will go to the employer, there will be no doubt as to the waiver.  However, do keep in mind that individual states may have concurrent privacy laws that need to be accounted for.

The best answer that I can give you is, “it depends”.

Ordinarily, as you know, the release of medical information to a third party requires authorization of the employee however, in reference to DOT drug tests employee authorization is not required – see: http://www.hipaadvisory.com/action/faqs/dot.htm

Realtedly, any physical examination or (non DOT) testing performed by a physician, clinic, or lab that collects individually identifiable health information creates “protected health information.” Because the use is not for treatment, payment, or health care operations, you or your health care provider must obtain an HIPAA-compliant authorization before the physician can release it to you. You may only use the information for the purposes expressly stated in the authorization that has been provided to the physician, that is, to confirm employability for the job that has been offered.

This of course affects the release of drug and alcohol test results for job applicants and employees, as well as reports from Employee Assistance Programs (EAP) and substance abuse rehabilitation programs to which employees may be referred under company substance abuse policies.

If you maintain an on-site medical clinic, you are a “hybrid entity,” and must comply with HIPAA privacy rules.

The foregoing was excerpted from California Chamber of Commerce Law Digest.

Peter is right.  The HIPAA privacy rule does not apply to normal workplace documents, including FMLA and drug testing records.  In addition to the information constituting medical information that should not be disclosed to third parties (DOT regulations have the same provisions with respect to drug test results), the information should be part of the employee’s personnel file.  In many jurisdictions (if not all), personnel files are considered confidential.

Wow, Seems to be a lot of confusions as to what is legal or not. so then look at another way. Is there a business reason why the information must be released or shared. If not why risk it. Just because the law MAY allow you to release the data, does not mean you have to. Do you feel that this is confidential information, then tell your client that. Then explain to them your Workplace Drug policy. Drug testing is not fully legal in all states. The state of Maine has very tight restrictions on what job functions can be tested. Corporations are responsible for providing a safe work place environment, but they can do this with out the use of drug testing. Manage your employees, know their traits, personalities and performance, and when this varies, then investigate it and manage it. Work place drug testing has been going on for over 25 years. That is a whole generation!! Hate to say it, it did not work. I have seen companies spend $100 to $150 per hire to drug test but only spend $1000 a year for a 2 hour training session for their supervisors. Spend as much money on drug use education as you would on drug testing and I will bet you will see better results.

Acutally, while states may attempt to impose conflicting regulatory statutes, corporations are mandated federally to provide a safe workplace.  This can not be done in today’s society without comprehensive drug free worplace policies and programs for many occupational areas…if not all.
Going by previous case law, etc., Maine would not have a chance of forbidding an employer from drug testing randomly for valid safety purposes… Vermont would equally have a problem.  Not that you want to fight a state however… with there “free” lawyers.