HIPAA and Health Care Employers Conducting Their Own Drug Testing
Question: As a health care employer conducting pre-employment drug testing at our own facility, are there any special HIPAA considerations we need to be concerned with?
Response & Analysis:
Yes. As a health care employer, it may seem logical to conduct pre-employment drug testing at your own facility — and, in fact, many hospitals do just that. This practice, however, can create a major compliance risk under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
While HIPAA encompasses privacy and security rules regulating protected health information (“PHI”), an important HIPAA-related principle is that health information held by an employer is not considered PHI, and is therefore not regulated by HIPAA. Moreover, the health information collected by employers in an employment applica¬tion, for example, is generally not considered to be PHI. Health care organizations, subject to federal and state laws, as “employers” are not “covered entities” under HIPAA, and thus not restricted in taking into consideration drug test results when making an employment decision.
In these circumstances, the distinction between patient health care records, which are PHI, and employee health records, which are not generally PHI, becomes dangerously blurred, given that the drug test was performed by and at the health care facility.
Health care facilities can reduce the risk of violating HIPAA by simply outsourcing the drug testing function. To ensure HIPAA compliance, health care facilities should strongly consider using a third-party drug screening provider. Doing so dramatically reduces the risk of a HIPAA violation by moving the entire process from the health care facility to an unaffiliated lab/collection site, thereby eliminating the risk of treat¬ing health care records as employee health records and/or vice versa.
If, however, a health care employer chooses not to outsource the drug testing function, the employer should adopt best practices in keeping the health care and employer functions separate.
Best Practices for In-House Drug Testing:
- Firewalling all employer/human resource functions from health care delivery functions.
- Clearly distinguishing between employee health records and patient health care records.
- Keeping employee health records separate from patient health care records.
- Placing personnel records in separate files from employee health records.
All Rights Reserved © 2017 Certiphi Screening, Inc.
This document and/or presentation is provided as a service to our customers. Its contents are designed solely for informational purposes, and should not be inferred or understood as legal advice or binding case law, nor shared with any third parties. Persons in need of legal assistance should seek the advice of competent legal counsel. Although care has been taken in preparation of these materials, we cannot guarantee the accuracy, currency or completeness of the information contained within it. Anyone using this information does so at his or her own risk.