COVID-19 Testing vs HIPAA is starting to play out all over the country as businesses reopen and the virus continues to spread. Today we will discuss some of the confusion about COVID-19 testing and HIPAA.


In this episode:

 COVID-19 Testing vs HIPAA- Ep 261


COVID-19 Testing vs HIPAA

Before we get started we have a couple of quick things to share.

Quick Questions and Follow up

Question from Tom, who sent in the con man and HIPAA video, or should we say HIPPPPA video. He asks a question that stumps many people: what is the relationship of law firms to HIPAA when they are clearly accepting and storing PHI as part of their business?

Remember, HIPAA isn’t about possession of medical records; it is about the healthcare providers and payers with access to vast amounts of patient information. If you aren’t classified as a CE or a BA, then HIPAA doesn’t apply to you, no matter what patient information you have on file.

Here is a simple rule when it comes to law firms. If they are representing a CE or a BA and require access to patient information to do their job, then they fall under HIPAA as a BA. That is the only time they do.

If they represent a patient and the patient authorizes them to have the information, then HIPAA goes away at that point.

There is a lot of confusion when it comes to HIPAA because it doesn’t apply to everyone. There are plenty of healthcare providers who provide care but only take cash and never file an electronic healthcare claim. They aren’t covered under HIPAA either.

There is a very specific definition a provider must meet to be a CE. The BA definition is easier: if they are providing services to a CE or another BA and require access to PHI, they too are a BA.

And just as a follow up, let me tell you about my experience with Nuvei Payment Technology Network. I mentioned how the new bank account information was on a form that they instructed merchants to either fax or email to them.

I waited until the end of the day because I have real work to do, plus they said on the website that their compliance and security team was available until 7pm. After spending half an hour on the phone I learned that I will be looking for new merchant services as soon as I get the bank accounts switched. To hear the whole story, listen in on the podcast.

Testing options

A lot of businesses are doing their best to get people back to work in person safely for all involved. It may be easier in a provider setting, since they already have a lot of precautions in place, but it is not as easy as you may think. Workflows have to change, and providers still have the same issues worrying about checking employees and people entering the facilities.

It is essential that you create written policies and procedures explaining your plans and keep notes on what information you based your decisions on. Everything is happening in real time these days. We won’t know the repercussions for weeks, months, or years. Just like with everything big we do, it will always be helpful to have notes on the information and logic you used to make decisions regarding these new policies and procedures.

Based on information from lawyers here in GA, there are limitations on what you can and cannot test your employees for. Very much like when we reviewed Jack’s question last week, employers are asking about COVID symptoms. This part isn’t HIPAA, but it is important to consider when you are developing your plans. In GA right now the advice is that you are allowed to do a COVID-19 test but NOT an antibody test of employees. Understand what your state will allow you to actually test your employees for, and when.

Many groups are instituting temperature checks when you arrive. You have to do it more than once a day, though, because people are developing symptoms throughout the day. This stuff goes from virtually no symptoms to a fever over 101 in minutes.

How HIPAA applies

First we go back to who has HIPAA obligations. If you are a covered entity who provides care, you need to make sure that performing the tests does not cross the line into your employees receiving treatment. In my opinion you will likely be in that spot. Even if you aren’t, all employers have to realize that testing employees in front of each other will create a quandary when someone is asked to step aside. Everyone will know they had some issue. Sharing their diagnosis will happen just by doing tests and people not coming into work.

If you are a business associate, don’t think you are off scot-free. There is a great potential that your team will abuse the access they have to look at records they shouldn’t be looking at. They may also take it upon themselves to share what your clients have happening in their offices when they shouldn’t.

We also have the other issue from the article sent in a few weeks ago, where a gym owner told employees they were not allowed to tell other employees if they were infected with the virus because it would be a HIPAA violation. There are a lot of folks throwing HIPAA around like crazy these days, and it will not get better any time soon.

How do you handle the positive cases?

Just as we discussed in our recent episode, HIPAA privacy still exists. If you are getting these results and requiring employees to be tested and monitored for symptoms, how will you protect their privacy? What about local businesses that ask for your help in testing their staff?

Your employee policies and procedures should clearly define that the COVID-19 information you gather is not there for everyone to share. In fact, it may be a time to add new sanctions for people who violate the rules and share it because they felt it was within their rights to violate other people’s rights.

Yes, this is very complicated because we have never been here before. If you don’t take the time now to make specific decisions and teach your people how to handle these things, it will be worse. I am certain that none of you want to be the ones dealing with these tough questions after something has gone wrong and you are in the middle of a privacy complaint.

Here are a few areas you should make sure you include in your review and plans:

  • Discussions between staff about patients or other staff: remind them about TPO, especially if you determine a staff member is also a patient now.
  • Social media posts on the company website as well as on employee pages: the current policy should be reiterated, and if you don’t have one, now is definitely the time to make one.
  • Abuse of access to your information as well as access to hospitals, lab systems, etc.: TPO.

We know that there will continue to be confusion because the situation continues to change day by day. The best rule to follow is to remember that, testing or not, we still have a right to privacy under HIPAA. Until that law is rescinded, don’t infringe on someone’s rights. There are public health mechanisms in place to address positive tests with contact tracing and proper protocols in place to protect patient privacy. Let’s try our best to work within that system.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps; we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.