HIPAA Privacy Rule Impacts Employer Drug Testing Procedures

March 31, 2003

The new Health Insurance Portability and Accountability Act rule on privacy scheduled to go into effect on April 14 may reach as far as the disclosure of information about workplace drug testing and substance abuse management. The Standards for Privacy of Individually Identifiable Health Information, known as the Privacy Rule, generally will prevent "covered entities" from disclosing protected health information to non-covered entities without authorization from the subject of the protected health information. The disclosure requirements may apply to many collection facilities, laboratories, Medical Review Officers and other service providers who analyze and review applicants' and employees' drug and alcohol test results.

"Covered entities" under HIPAA must require employers using their services to provide HIPAA-compliant authorization before releasing drug and alcohol test results (i.e., protected health information) for employees and job applicants. Forms currently being used by employers for this purpose may not meet the requirements of the regulations which identify the key components and specifics for the authorization form. Additionally, the forms must be signed by the employees or applicants. As a practical matter, since HIPAA compliance ultimately falls on the shoulders of the "covered entity," the collection facility, laboratory or Medical Review Officer may have its own authorization form for employers.

In addition to the release of test results, other aspects of an employer's substance abuse policy may require use of a HIPAA-compliant authorization form. For example, when an employee enters into substance abuse rehabilitation, an employer may require progress reports from the substance abuse professional who evaluated and treated the employee. If the substance abuse professional is a "covered entity" under HIPAA, the employer may then be required to have the employee sign a specific HIPAA-compliant authorization form permitting the release of the "personal health information", i.e., the substance abuse professional's records, to the employer.

Employers also should be aware that this federal law does not preempt more stringent state law requirements, where applicable.

If you would additional information about the Privacy Rule requirements concerning drug testing and substance abuse management programs, including sample forms, or workplace substance abuse generally, please contact the Jackson Lewis attorney with whom you regularly work, or members of the Jackson Lewis Substance Abuse Practice Group.

If you have other questions about HIPAA, please contact the Jackson Lewis attorney with whom you regularly work, or members of the Jackson Lewis Employee Benefits Practice Group.

©2003 Jackson Lewis P.C. This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Jackson Lewis and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.

Focused on labor and employment law since 1958, Jackson Lewis P.C.'s 950+ attorneys located in major cities nationwide consistently identify and respond to new ways workplace law intersects business. We help employers develop proactive strategies, strong policies and business-oriented solutions to cultivate high-functioning workforces that are engaged, stable and diverse, and share our clients' goals to emphasize inclusivity and respect for the contribution of every employee. For more information, visit https://www.jacksonlewis.com.