Section 1 of 12

Introduction

HIPAA — the Health Insurance Portability and Accountability Act of 1996 — sets the federal rules for how protected health information (PHI) must be handled. This module is for drug testing and specimen collection businesses, the staff who work there, and the third parties who handle the records. The goal: you leave knowing what PHI is, how to handle it, and what to do when something goes wrong.

What This Module Covers

  • What HIPAA is, and the three operational rules
  • What counts as PHI and the 18 identifiers
  • Whether your business is a Covered Entity or Business Associate
  • The Privacy Rule and the Minimum Necessary standard
  • Drug testing records, consent, and release
  • Email, text, fax, and phone risks
  • Secure storage and disposal
  • Breach basics, notification rules, and your role in incident response
  • Employee responsibilities and personal sanctions

Who This Module Is For

  • Specimen collectors (DOT and non-DOT) who handle CCFs, ATFs, and lab paperwork
  • Collection site / clinic staff — front desk, scheduling, billing
  • C/TPA staff and administrators handling employer records and lab/MRO communications
  • HR and DERs who receive verified results
  • Business owners standing up a new collection site or TPA

Important Disclaimer

This training is for general HIPAA privacy and security awareness. It does not replace legal advice, a company's required internal HIPAA policies and procedures, or a compliance program built for your specific organization.

Completing this course helps satisfy training documentation. It does not by itself make your company HIPAA-compliant. There is no such thing as "HHS certification" of a HIPAA course or "HIPAA-certified employee." Anyone who tells you otherwise is misrepresenting the law.

How Often Should You Take This?

HIPAA doesn't mandate a specific frequency — but the Privacy Rule requires training "as necessary and appropriate" for each workforce member to carry out their job functions. The widely followed industry standard is annually, plus whenever roles or systems change. The Certificate of Completion you earn at the end of this module is dated; renew yearly.

Section 2 of 12

What HIPAA Is

HIPAA is a federal law with three operational rules: Privacy (who can see and use PHI), Security (how electronic PHI is protected), and Breach Notification (what to do when PHI is exposed). Drug testing companies often touch all three.

The Law

  • 1996 — Health Insurance Portability and Accountability Act passed
  • 2003 — Privacy Rule effective
  • 2005 — Security Rule effective
  • 2009 — HITECH Act expanded HIPAA, including Breach Notification Rule and direct BA liability
  • 2013 — Omnibus Rule finalized HITECH changes
  • Authority: U.S. Department of Health & Human Services (HHS), Office for Civil Rights (OCR) enforces

The Three Operational Rules

1. Privacy Rule

Who can use or share PHI, when, and how much. Sets the "permitted uses and disclosures" framework and patient rights to access their own records.

2. Security Rule

Administrative, physical, and technical safeguards specifically for electronic PHI (ePHI). Encryption, access controls, audit logs, contingency plans.

3. Breach Notification Rule

What to do when PHI is exposed: notify the individual, HHS, and (for large breaches) the media. Tight timelines.

Why It Matters

HIPAA isn't just paperwork. Civil penalties tier by intent:

Tier                            Penalty per violation      Annual cap
Did not know                    ~$137 – $68,928            ~$2.07M
Reasonable cause                ~$1,379 – $68,928          ~$2.07M
Willful neglect — corrected     ~$13,785 – $68,928         ~$2.07M
Willful neglect — uncorrected   ~$68,928 – $2,067,813      ~$2.07M

Amounts adjusted annually for inflation. Criminal penalties (up to 10 years + $250,000) for knowing disclosure for personal gain or malicious harm.

State Laws Layer On Top

State health-privacy laws (California CMIA, New York SHIELD Act, Texas Medical Records Privacy Act, etc.) often go further than HIPAA. HIPAA is the floor, not the ceiling. Where state law is stricter, follow state law.

Section 3 of 12

PHI & the 18 Identifiers

Protected Health Information (PHI) is health information tied to an identifiable person. HIPAA lists 18 specific identifiers that turn otherwise-generic data into PHI. Knowing them tells you which records, faxes, and emails fall under the rule.

What PHI Is

Protected Health Information (PHI) = any information about a person's past, present, or future health condition, treatment, or payment for healthcare, when it can be linked to that person. Includes paper records, electronic records, oral conversations, X-rays, photos, video — any format.

The 18 HIPAA Identifiers

Health info becomes PHI when combined with any of these:

  1. Names
  2. Geographic subdivisions smaller than a state (street, city, county, ZIP)
  3. Dates directly related to the individual (DOB, admission, discharge, death) — and all ages over 89
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate / license numbers (incl. CDL when tied to drug test)
  12. Vehicle identifiers (VIN, plate)
  13. Device identifiers / serial numbers
  14. Web URLs
  15. IP addresses
  16. Biometric identifiers (fingerprint, voice, retina)
  17. Full-face photographs and comparable images
  18. Any other unique identifying number, characteristic, or code

ePHI

Electronic PHI (ePHI) is PHI in electronic form — email, files on a laptop, records in a cloud database, text messages, photos in a phone's camera roll. ePHI is covered by the Security Rule in addition to the Privacy Rule.

What Is NOT PHI

  • Employment records held by an employer in its role as an employer (e.g., disciplinary file referencing a drug-test result after the DER receives it — though that data is still confidential under DOT rules)
  • Education records covered by FERPA
  • Health information about someone who is deceased more than 50 years
  • De-identified information (all 18 identifiers stripped)
  • Aggregate / statistical data with no individual identifiers

The DOT twist: Once a verified drug test result lands with the employer's DER, that record is treated as an employment record (not PHI) — but it remains protected by 49 CFR §40.321 confidentiality rules, which are roughly as strict as HIPAA.
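The identifier list and the "de-identified information (all 18 identifiers stripped)" bullet describe a test you can run mechanically on a record. The following is an added example written for this module, not code from the course or from any vendor: it maps structured fields to the 18 categories, scans free-text fields (collector or MRO notes) for identifiers that hide inside them, and produces a de-identified copy. The field names, the sample record, and the regular expressions are constructed assumptions; a real system will have different column names and will need its own patterns.

```python
"""Classify and strip the 18 HIPAA identifiers from a drug-test record.

Added example for this module, not part of the course or any vendor's
software. Field names, the sample record, and the free-text patterns are
constructed for illustration.
"""
import re
from typing import Dict, Tuple

# Structured fields whose name alone marks them as one of the 18 identifier
# categories (numbers refer to the course's list above).
IDENTIFIER_FIELDS: Dict[str, int] = {
    "name": 1,
    "street": 2, "city": 2, "county": 2, "zip": 2,       # smaller than a state
    "dob": 3, "collection_date": 3, "admission_date": 3,
    "phone": 4, "fax": 5, "email": 6, "ssn": 7, "mrn": 8,
    "health_plan_id": 9, "account_number": 10,
    "cdl_number": 11,                                     # license tied to a test
    "vin": 12, "plate": 12, "device_serial": 13, "url": 14, "ip_address": 15,
    "fingerprint_hash": 16, "photo": 17, "donor_code": 18,
}

# Identifiers that hide inside free text (collector or MRO notes),
# keyed by the identifier category they belong to.
FREE_TEXT_PATTERNS = {
    7: re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                 # SSN
    6: re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),          # email address
    4: re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),   # phone number
    15: re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),          # IPv4 address
    14: re.compile(r"https?://\S+"),                         # URL
    3: re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),           # date
}

AGE_CAP = 89  # identifier 3: any age over 89 identifies the person


def find_identifiers(record: Dict[str, object]) -> Dict[str, int]:
    """Return {field: identifier_category} for every field that makes this
    record PHI. An empty result means the record is de-identified."""
    found: Dict[str, int] = {}
    for field, value in record.items():
        if value in (None, ""):
            continue
        if field in IDENTIFIER_FIELDS:
            found[field] = IDENTIFIER_FIELDS[field]
        elif field == "age" and isinstance(value, int) and value > AGE_CAP:
            found[field] = 3
        elif isinstance(value, str):
            for category, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    found[field] = category
                    break
    return found


def deidentify(record: Dict[str, object]) -> Tuple[Dict[str, object], Dict[str, int]]:
    """Return (clean_copy, removed), where removed maps each dropped or redacted
    field to its identifier category. Structured identifier fields are dropped,
    free text is redacted in place, and ages over 89 collapse to "90+"."""
    clean: Dict[str, object] = {}
    removed: Dict[str, int] = {}
    for field, value in record.items():
        if field in IDENTIFIER_FIELDS:
            removed[field] = IDENTIFIER_FIELDS[field]
            continue
        if field == "age" and isinstance(value, int) and value > AGE_CAP:
            clean[field] = "90+"   # aggregate instead of dropping outright
            removed[field] = 3
            continue
        if isinstance(value, str):
            redacted = value
            for category, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(redacted):
                    removed.setdefault(field, category)
                    redacted = pattern.sub(f"[REDACTED-{category}]", redacted)
            clean[field] = redacted
            continue
        clean[field] = value
    return clean, removed


# Constructed sample record: not a real donor.
SAMPLE_RECORD: Dict[str, object] = {
    "name": "Jane Q. Donor",
    "dob": "1984-03-09",
    "age": 41,
    "street": "12 Elm St", "city": "Springfield", "state": "IL", "zip": "62701",
    "phone": "(555) 010-2000",
    "ssn": "123-45-6789",
    "cdl_number": "D123-4567-8901",
    "test_type": "DOT pre-employment",
    "panel": "5-panel urine",
    "verified_result": "negative",
    "collector_notes": "Donor asked to be reached at 555-010-2000 or jane@example.com",
}

if __name__ == "__main__":
    print("identifiers present:", find_identifiers(SAMPLE_RECORD))
    clean, removed = deidentify(SAMPLE_RECORD)
    print("de-identified copy:", clean)
    print("still PHI?", bool(find_identifiers(clean)))
```

Note what survives: the state, the test type, the panel, and the verified result, which is exactly the aggregate/statistical data the "What Is NOT PHI" list allows. The free-text scan is the part most often skipped in practice; a notes field that still holds a phone number or email keeps the whole record inside HIPAA.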
Section 4 of 12

Covered Entities vs. Business Associates

Not every business handling health info is a "covered entity" under HIPAA — but most drug testing companies are business associates of one. The two categories carry different obligations. Knowing which one you are determines what you must do.

Covered Entities (CEs)

Three categories of organization that directly transmit certain health transactions electronically:

  1. Healthcare providers — doctors, clinics, hospitals, labs, dentists, pharmacies — who electronically transmit any HIPAA-covered transaction (billing, eligibility check, etc.)
  2. Health plans — insurers, HMOs, government health plans
  3. Healthcare clearinghouses — services that translate health data between formats

Business Associates (BAs)

A person or entity that performs functions or services on behalf of a covered entity that involve PHI. Classic examples in drug testing:

  • A drug testing collection site contracted by a clinic or hospital
  • A C/TPA performing drug program management for an employer's health plan
  • An MRO's office (independent contractor reviewing lab results)
  • An IT vendor with access to ePHI
  • A document destruction company
  • A cloud storage vendor hosting PHI

The BAA

A Business Associate Agreement (BAA) is a written contract between a CE and BA that requires the BA to safeguard PHI per HIPAA. Required by law before any PHI changes hands.

If you're a BA, you need a BAA with every CE you work for AND with every sub-BA you use. Cloud services, billing services, email providers handling PHI — they all need a BAA.

Where Drug Testing Businesses Usually Sit

  • Clinical / occ-health practice doing drug tests — usually a covered entity (they bill electronically for medical services)
  • Standalone collection site (no medical billing) — often not a covered entity, but typically a business associate of clinics, MROs, or employer health plans they contract with
  • C/TPA — usually a business associate (sometimes of a health plan)
  • MRO — covered entity (healthcare provider)

Key point: Even if YOUR business isn't a covered entity, you are almost certainly a business associate. HITECH (2009) gave BAs direct liability for HIPAA violations. You can be fined directly.

BAA Required Provisions

  • What PHI the BA may use and disclose
  • Safeguards the BA will use
  • Subcontractor obligations (down-stream BAA)
  • Reporting of impermissible uses/disclosures and breaches
  • Return / destruction of PHI at end of contract
  • Termination rights
Section 5 of 12

The Privacy Rule & Minimum Necessary

The HIPAA Privacy Rule sets the default: PHI may not be used or disclosed without authorization, except in specific permitted situations. The minimum necessary rule overlays all of it — use and disclose only what's needed.

The Default: PHI Is Closed

The Privacy Rule's starting point is that PHI may not be used or disclosed without the individual's written authorization. Then it carves out specific permitted uses.

Permitted Uses & Disclosures (No Authorization Needed)

  • Treatment, Payment, Healthcare Operations (TPO) — the daily operations of healthcare
  • To the individual about their own PHI
  • Required by law (court order, public-health reporting, certain law enforcement)
  • Public health activities (CDC reporting, disease surveillance)
  • Coroners, medical examiners, funeral directors
  • Specialized government functions (military, national security, certain intelligence)
  • Workers' compensation as authorized by state law

The Minimum Necessary Standard

Even when a use or disclosure IS permitted, use and disclose only the minimum necessary to accomplish the purpose.

  • Don't fax the whole patient chart when a single result is requested
  • Don't print full SSN on a routing form when an internal ID suffices
  • Don't copy the whole team on PHI emails — copy only those who need it
  • Don't leave full PHI on a voicemail — leave callback only

Minimum Necessary Does NOT Apply To

  • Disclosures to the individual themselves
  • Treatment-purpose disclosures between providers
  • Disclosures authorized by the individual
  • Disclosures required by law
  • HHS investigations

Notice of Privacy Practices (NPP)

Covered entities must give every individual a Notice of Privacy Practices at first contact, describing how the entity uses and discloses PHI and the individual's rights. Most clinics post it on the wall and on their website too. BAs don't issue an NPP directly — they follow the CE's notice.

Section 6 of 12

Drug Testing Records & Confidentiality

Drug testing records are PHI. The collector's CCF, the lab report, the MRO's verified result — all of it. State workplace drug-testing laws layer additional confidentiality requirements on top. The donor's employer is not entitled to the underlying clinical data — only the verified result.

Drug Testing Records as PHI

  • The CCF (Federal CCF or non-DOT CCF) — donor identifiers + test details = PHI
  • The specimen + label — donor ID + biological sample = PHI
  • The lab report — full PHI
  • The MRO verified result — full PHI
  • The ATF for alcohol tests — full PHI
  • Any medication disclosure to the MRO — full PHI
  • Any SAP report related to follow-up testing — full PHI

The Special DOT Layer — §40.321

DOT testing records carry a second layer of confidentiality under 49 CFR §40.321. Highlights:

  • Testing records released only to the employer DER, MRO, the donor (or their authorized recipient), and as required by law
  • Donor may request a copy of their own records — must be provided promptly
  • Records may NOT be shared with new employers without donor authorization (subject to specific Clearinghouse rules)
  • Lab cannot release results except to the MRO
  • The MRO controls what gets shared with the DER (verified result, not the underlying medication disclosure)

What the DER Receives

The DER receives the verified result — positive, negative, refusal, cancelled. NOT:

  • The specific drug detected (in most cases)
  • The cutoff levels or lab values
  • The donor's medication disclosure
  • The MRO's clinical notes

Common mistake: A collector or office staff member casually mentions to the employer "they tested positive for X." That oversharing is a Privacy violation AND a §40.321 violation.

Casual Conversation Risks

  • Discussing a donor by name in the break room
  • Posting on social media about "the guy who tried to use a Whizzinator today"
  • Telling family about funny incidents using identifying details
  • Leaving the CCF visible on the counter for the next donor
  • Calling the donor's name from the lobby with their employer's name
Section 7 of 12

Consent, Release & Authorization

Authorization is the mechanism that lets PHI move where it otherwise couldn't. Drug testing programs lean heavily on signed donor authorizations — for the collection itself, for the MRO interview, for sharing the result with the employer.

Authorization vs. Consent

  • Authorization — a HIPAA-specific written form letting PHI be used or disclosed for a purpose NOT otherwise permitted
  • Consent — a more general term sometimes used for permission to receive treatment or be tested
  • The drug testing CCF's donor-signature panel functions as both — confirming the test and authorizing the disclosure chain

Required Elements of a Valid HIPAA Authorization

  1. Specific and meaningful description of the information
  2. Name of the person(s) authorized to make the disclosure
  3. Name of the person(s) to whom the disclosure may be made
  4. Description of the purpose
  5. Expiration date or event
  6. Signature and date
  7. Notice of right to revoke
  8. Notice that re-disclosure may no longer be protected

When Authorization Cannot Be Required

You can't condition treatment, payment, enrollment, or benefits eligibility on a person signing an authorization — except in specific permitted situations (research, employment-related drug testing where the test itself is the service being provided).

Donor Authorizations in Drug Testing

  • CCF donor signature acknowledges the collection and the chain
  • Separate medical-explanation authorization to the MRO when needed
  • Release to a new employer or other third party requires a fresh, specific authorization
  • Authorization must be in plain language and the donor must understand it

Revocation

An individual can revoke an authorization at any time, in writing. The revocation isn't retroactive — disclosures made BEFORE revocation are still valid. Document the revocation date.

Section 8 of 12

Email, Text, Fax & Phone Risks

Email, text, fax, and phone calls are the daily high-risk surfaces. Most HIPAA breaches start with a routine communication sent to the wrong person, an unencrypted email, or a fax to a recycled phone number. Knowing the rules here prevents the majority of small-business breaches.

Email

  1. Standard unencrypted email is NOT secure. Sending PHI by regular Gmail / Outlook / Yahoo without encryption is a Security Rule violation.
  2. Encrypted email (TLS in transit + at rest) is the minimum. Services like ProtonMail, Paubox, Virtru, or properly-configured Microsoft 365 / Google Workspace with encryption add-on satisfy the standard.
  3. Patient-initiated unencrypted email — if a donor emails you first with their own info, you can reply in the same channel after warning them of the risk. Document the warning.
  4. Recipient verification — always re-check the To: line before clicking send.

Text Messages (SMS)

  • Regular SMS is NOT secure — carriers can read content, recipient may not be the patient, no audit trail
  • Use a HIPAA-compliant secure messaging app with a BAA in place (TigerConnect, OhMD, Spruce, etc.)
  • If you must text, send appointment-only reminders with no clinical content
  • Get a documented written consent to SMS communication

Fax

  • Verify the fax number BEFORE sending — call the recipient to confirm
  • Use a cover sheet with confidentiality notice
  • Place fax machines in non-public areas
  • Keep faxed sheets out of view while incoming
  • Update your auto-dial / favorites list as recipients change numbers

Most common fax error: the recipient changed phone numbers and the line was reassigned. Verify periodically.

Phone Calls

  • Verify the caller before sharing PHI (full name + DOB + phone on file)
  • Don't leave detailed PHI on voicemails — leave callback only
  • Keep speakerphone use limited to private rooms
  • Don't take work calls in public spaces where conversation can be overheard
Section 9 of 12

Secure Storage & Disposal

Paper records and electronic records both need safeguards. Locked file cabinets, encrypted hard drives, secure passwords, controlled access. Disposal matters too — a "shred bin" and "delete key" aren't equally secure.

Physical Storage

  1. Paper records in locked file cabinets or rooms — keys controlled
  2. Work surfaces cleared at end of day
  3. Visitor sign-in + escort policy in PHI areas
  4. Screens positioned away from public view; privacy filters where appropriate
  5. "Walking the floor" check — are any CCFs visible right now?

Electronic (ePHI) Safeguards

The Security Rule requires three categories of safeguards:

Category         Examples
Administrative   Risk analysis, workforce training, sanctions policy, contingency plan, BAAs
Physical         Facility access controls, workstation use policy, device disposal, media re-use
Technical        Unique user IDs, automatic logoff, encryption, audit logs, transmission security

Passwords & Access

  • Unique credentials per user — never share
  • Strong passwords + multi-factor authentication where available
  • Lock screen when stepping away
  • No personal accounts (personal Gmail, personal Dropbox) for PHI
  • Access removed promptly when staff change roles or leave

Disposal — Paper

  • Throwing in regular trash is a breach in waiting
  • Cross-cut shred — strip-shred is not enough
  • Contracted destruction service must have a BAA + certificate of destruction
  • Locked shred bins until pickup

Disposal — Electronic

  • Delete + empty trash is not secure — files can be recovered
  • Wipe drives with DoD-grade overwrite OR physically destroy
  • Old smartphones, tablets, USB drives, copier hard drives all need secure wipe
  • Document destruction in an asset disposition log
Section 10 of 12

Breach Basics & Notification

A breach is the impermissible use or disclosure of PHI that compromises its security or privacy. Some breaches must be reported to the donor, HHS, and (for large ones) the media. Knowing what counts, what to do first, and the timeline keeps a small mistake from becoming an enforcement action.

What Counts as a Breach

An impermissible acquisition, access, use, or disclosure of PHI that compromises its security or privacy. Default rule: any impermissible disclosure is presumed to be a breach unless the entity can demonstrate a low probability of compromise via a 4-factor risk analysis.

The 4-Factor Risk Analysis

  1. Nature and extent of PHI involved (identifiers, sensitive content)
  2. Who received the unauthorized access (employee vs stranger)
  3. Was PHI actually acquired or viewed (or just possibly accessible)
  4. Extent to which the risk has been mitigated (recovered, destroyed, attestation)

Notification Timeline

Who is notified                                When
Affected individuals                           No later than 60 days after discovery
HHS (small breach: <500 individuals)           Annual log submitted within 60 days after end of calendar year
HHS (large breach: ≥500 individuals)           Within 60 days of discovery — and posted to the public HHS Wall of Shame
Media (large breach in a state/jurisdiction)   Within 60 days of discovery — to prominent local media outlets
Business Associates → Covered Entity           Per BAA terms (typically as soon as possible, often within hours/days)

If You Spot a Possible Breach — Your Job

1. Stop the bleed

Recall the email, retrieve the misdirected fax, log out the unauthorized session.

2. Tell your Privacy / Compliance Officer immediately

Don't wait, don't hide it. The clock starts at "discovery" — which is when ANY employee learns of it, not just management.

3. Document what happened

What, when, who, what PHI, what you did.

4. Let leadership lead the response

Risk analysis, notifications, remediation are organizational responsibilities. Your role is honest, timely reporting.

Common Breach Examples

  • Email with PHI sent to wrong recipient
  • Fax sent to wrong number
  • Lost / stolen unencrypted laptop or USB drive
  • Trash bin containing un-shredded CCFs
  • Employee snooping on a record they had no business reason to see
  • Ransomware that may have accessed PHI
  • Misconfigured cloud storage exposing files publicly
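The snooping example is the one breach in that list that only the audit logs required by the Security Rule's technical safeguards will reveal. The following is an added example written for this module, not the course's or any product's code: it reads access-log lines and flags every view of a record by someone who was neither assigned to that donor's case nor in a role that reviews records as its job. The log format, the assignment table, the role names and the sample lines are all constructed; real systems log differently, but the rule they need to express is the same.

```python
"""Audit-log review for 'snooping' access to drug-test records.

Added example, not course material. The log format, record assignments,
role names and sample lines are constructed for illustration.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Set

# Who has a job-related reason to open each record (constructed). In practice
# this comes from the scheduling or case-management system.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "CCF-1042": {"mlee", "mro-rjones"},      # collector + reviewing MRO
    "CCF-1043": {"tnguyen", "mro-rjones"},
    "CCF-1044": {"mlee", "mro-kpatel"},
}

# Roles whose job is to review any record (compliance audits).
PRIVILEGED_ROLES = {"privacy_officer"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) record=(?P<record>\S+)$"
)

# Constructed sample log: tnguyen opens two records that are not theirs.
SAMPLE_LOG = """\
2024-05-02T09:14:03 user=mlee role=collector action=view record=CCF-1042
2024-05-02T09:20:11 user=mro-rjones role=mro action=view record=CCF-1042
2024-05-02T11:02:45 user=tnguyen role=collector action=view record=CCF-1042
2024-05-02T11:03:10 user=tnguyen role=collector action=view record=CCF-1044
2024-05-02T11:03:41 user=tnguyen role=collector action=view record=CCF-1043
2024-05-02T13:30:00 user=po-adams role=privacy_officer action=view record=CCF-1044
2024-05-02T14:00:00 user=frontdesk role=scheduler action=schedule record=CCF-1045
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into its fields; None if the line is malformed."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def find_snooping(log_text: str,
                  assignments: Dict[str, Set[str]] = ASSIGNMENTS) -> List[Dict[str, str]]:
    """Return every 'view' event whose user was neither assigned to the record
    nor in a privileged role. A record with no assignment at all is treated as
    one nobody should be viewing yet."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["action"] != "view":
            continue
        if event["role"] in PRIVILEGED_ROLES:
            continue
        allowed = assignments.get(event["record"], set())
        if event["user"] not in allowed:
            event["reason"] = f"{event['user']} is not assigned to {event['record']}"
            findings.append(event)
    return findings


def per_user_counts(findings: List[Dict[str, str]]) -> Counter:
    """How many flagged views each user generated; feeds the sanctions review."""
    return Counter(event["user"] for event in findings)


if __name__ == "__main__":
    hits = find_snooping(SAMPLE_LOG)
    for hit in hits:
        print(hit["ts"], hit["reason"])
    print("per user:", dict(per_user_counts(hits)))
```

Two design points: a view is flagged by the absence of an assignment rather than by the presence of a "bad" pattern, which is what makes the Privacy Rule's "no business reason" test enforceable; and privileged roles are exempted by role, not by user name, so the exemption disappears automatically when access is removed at a role change, as the Passwords & Access list requires.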
Section 11 of 12

Employee Responsibilities & Sanctions

HIPAA puts duties on the organization, but individuals can also face personal sanctions — civil monetary penalties, employer discipline, criminal liability in extreme cases. Knowing the do's and don'ts protects you personally as well as your employer.

Your Responsibilities

  1. Know and follow your employer's HIPAA policies and procedures
  2. Take refresher training when offered
  3. Protect PHI in your possession at all times
  4. Use minimum necessary PHI for the task at hand
  5. Use secure systems (encrypted email, secure messaging) for PHI
  6. Report potential breaches and suspicious activity immediately
  7. Don't access records you don't need to do your job
  8. Don't share login credentials

Individual Civil Liability

HIPAA penalties primarily apply to organizations — but states (California, Texas, others) and tort law allow individuals to be named in civil cases over privacy violations. Your employer's sanction policy may also impose discipline up to termination.

Criminal Liability

Federal HIPAA crime (42 USC §1320d-6) attaches when a person knowingly obtains or discloses PHI:

Conduct                               Max penalty
Knowing violation                     1 year + $50,000
Under false pretenses                 5 years + $100,000
For personal gain or malicious harm   10 years + $250,000

Real cases: employees fired and prosecuted for snooping on celebrity records, family members' records, or selling PHI for identity theft.

Whistleblower Protections

Federal and state law protect employees who report HIPAA violations in good faith from retaliation. Do not stay silent because you fear retaliation — the law has your back.

Section 12 of 12

Scenarios & Best Practices

Real-world scenarios pull all the pieces together. Walk through these, run the best-practices checklist, and lock in the habits. This section ends with the disclaimer that closes out the course.

Scenario 1 — The Friendly Question

Setup: A neighbor at a barbecue mentions her son drives for a local trucking company. She asks "Hey, did he get tested at your site last week? Was he okay?"

Correct response: "I can't confirm whether anyone is or isn't a customer. Even if he was, I can't discuss it. Please ask your son directly." Even acknowledging he was a donor is a disclosure of PHI.

Scenario 2 — The Misdirected Email

Setup: You're emailing a CCF copy to the DER at jsmith@example.com. After hitting send, you realize you typed jsmith@examp1e.com (1 instead of l).

Correct response: Immediately attempt recall in your email client. Document the misdirect (time, content, recipient address). Notify your Privacy Officer same day. Don't hope it goes unnoticed — the clock has started.
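The Email section's "recipient verification" item and this scenario describe the same control: check the To: line against the recipients you are actually allowed to send PHI to before the message leaves. The following is an added example written for this module, not code from the course or from any email product: it looks the address up in an approved-recipient directory and, when the address is not there, tests whether its domain is a lookalike of an approved one, which is exactly the examp1e.com-for-example.com shape of the mistake above. The directory, the homoglyph table and the sample addresses are constructed assumptions.

```python
"""Recipient check to run before PHI leaves by email.

Added example, not course material. The approved-recipient directory, the
homoglyph table and the sample addresses are constructed for illustration.
"""
from typing import Dict, Tuple

# Constructed directory of approved PHI recipients (DERs, MROs, labs), keyed by
# lower-case address. In practice this comes from your BAA and contract records.
APPROVED_RECIPIENTS: Dict[str, str] = {
    "jsmith@example.com": "DER, Example Trucking",
    "mro@example-mro.org": "MRO office",
}

# Digit-for-letter swaps that turn an approved domain into a lookalike.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "|": "l", "5": "s", "3": "e"})


def normalize(text: str) -> str:
    """Fold case and the common digit/letter substitutions (rn looks like m)."""
    return text.lower().translate(HOMOGLYPHS).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_recipient(address: str,
                    directory: Dict[str, str] = APPROVED_RECIPIENTS) -> Tuple[str, str]:
    """Classify an address as 'approved', 'lookalike' or 'unknown'.

    'lookalike' means the domain is not an approved domain but is within one
    edit of one, or identical to one after homoglyph folding. 'unknown' covers
    both unrelated domains and unapproved mailboxes at an approved domain;
    neither should receive PHI until someone adds it to the directory."""
    addr = address.strip().lower()
    if addr in directory:
        return "approved", directory[addr]
    if "@" not in addr:
        return "unknown", "not an email address"
    domain = addr.rsplit("@", 1)[1]
    for approved in directory:
        good_domain = approved.rsplit("@", 1)[1]
        if domain == good_domain:
            continue  # right domain, unlisted mailbox: falls through to unknown
        if normalize(domain) == normalize(good_domain) or edit_distance(domain, good_domain) == 1:
            return "lookalike", f"{domain} resembles approved domain {good_domain}"
    return "unknown", f"{addr} is not an approved PHI recipient"


if __name__ == "__main__":
    for candidate in ("jsmith@example.com", "jsmith@examp1e.com",
                      "jsmith@exarnple.com", "jdoe@example.com"):
        print(candidate, "->", check_recipient(candidate))
```

Only an "approved" result should let PHI go out; a "lookalike" result is the signal to stop and re-read the address, and an "unknown" result means the recipient needs to be added to the directory (with a BAA where one is required) before anything is sent.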

Scenario 3 — The "Just Curious" Coworker

Setup: A coworker asks if their cousin came in last week for a pre-employment drug test and "how it went."

Correct response: "I can't share that with you — same as I couldn't share yours with someone else. It's a HIPAA matter." Even looking it up to see is a Privacy violation if you don't have a job-related need.

Scenario 4 — The Donor Calls Back

Setup: A donor calls and asks for a copy of their CCF + result.

Correct response: Verify identity (full name + DOB + a second identifier on file). Provide the donor's own records — they have a right under both HIPAA and §40.329 (DOT). Document the request and what was sent.

Scenario 5 — The Lost Phone

Setup: You leave your phone in an Uber. It has the secure messaging app with PHI in it.

Correct response: Remote-wipe immediately. Notify your Privacy Officer same day. Change all account passwords. Document the incident. Outcome depends on whether the device had MFA, a strong PIN, and whether wipe succeeded.

Best Practices Checklist

  • Treat every CCF, lab report, and ATF as PHI
  • Minimum necessary, every time
  • Verify the recipient before sending PHI
  • Encrypted email + secure messaging only
  • Locked storage, cross-cut shred, asset disposition log
  • Report potential breaches immediately — discovery starts the clock
  • Know your employer's Privacy Officer and how to reach them
  • Don't access records you don't need
  • When in doubt, ask

Course Disclaimer: This training is for general HIPAA privacy and security awareness. It does not replace legal advice, your company's required internal HIPAA policies and procedures, or a compliance program built for your specific organization. Completing this course helps satisfy training documentation. It does not by itself make your company HIPAA-compliant. There is no such thing as "HHS certification" of a HIPAA course or "HIPAA-certified employee."

You've completed the HIPAA Privacy & Security Awareness module!

Annual refresh recommended. Set a calendar reminder for 12 months from your certificate date.