A client that’s company in the commercial construction industry has asked me a HIPAA question I’m not sure how to answer. Wondering if any of you has any thoughts. He says: “Our customers sometimes want to see drug testing results. We obtain the results lawfully because we require the employee to sign an authorization when hired. But the statute (42 USC § 1320d et seq.) says that any person ‘who knowingly and in violation of this part … (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, shall be punished as provided in subsection (b) of this section [which provides for a fine up to $50,000 and imprisonment for up to a year].’ Just because we’re obtaining the information legally, does that mean we’re free to disclose it to anybody we want to (assuming we’re not a ‘covered entity’ under the implementing HHS regs (45 CFR parts 160 and 164), which is a whole different can of worms)?”
I believe he’s looking for an authority to cite to customers as a reason for declining their request for drug testing results. Thoughts?