As the spread of the coronavirus seems to be slowing, many people are preparing to get back to life as usual. Consumers are anxiously awaiting the reopening of the country, with some states further along than others. The goal is to safely reopen retail stores, restaurants, and theme parks. This has led some of these establishments to require proof of negative COVID-19 test results, causing many consumers to cry HIPAA violation. Is this a HIPAA violation? Who has to comply with HIPAA and coronavirus privacy is discussed below.

Are you adequately protecting patient data? 

Find out now with our HIPAA compliance checklist.

HIPAA and Coronavirus Privacy

The coronavirus pandemic has caused many businesses to reevaluate how well they are protecting consumers. Many businesses have increased cleaning protocols to prevent the spread of the virus, as well as implemented new standards for consumers entering the establishments. Several businesses are requiring employees and consumers to wear masks, are conducting temperature checks on anyone entering the business, and requiring proof of negative COVID-19 test results. These new requirements have many consumers concerned that their privacy rights under HIPAA are being violated.

HIPAA established industry standards for the privacy of protected health information (PHI). Under HIPAA, coronavirus test results are considered PHI. As PHI, covered entities and business associates cannot disclose a patient’s coronavirus test results outside of treatment, payment, or healthcare operations. 

But what about during a global pandemic? These entities are permitted to disclose coronavirus test results to public health authorities for the purpose of public safety. This is to notify people who may have come into contact with a coronavirus positive patient. However, disclosed information must only be the minimum necessary information to accomplish the purpose of the disclosure.

Can Consumer Businesses Ask Patrons for Test Results?

Consumer businesses such as retail stores, restaurants, and theme parks are neither covered entities nor business associates. Since they are neither covered entities or business associates, these establishments do not fall under the jurisdiction of HIPAA law. As such, they can ask patrons for proof of negative COVID-19 test results, without fear of violating HIPAA, before they are permitted entry to these establishments. 

See How It Works