Introduction
HIPAA — the Health Insurance Portability and Accountability Act of 1996 — sets the federal rules for how protected health information (PHI) must be handled. This module is for drug testing and specimen collection businesses, the staff who work there, and the third parties who handle the records. The goal: you leave knowing what PHI is, how to handle it, and what to do when something goes wrong.
What This Module Covers
- What HIPAA is, and the three operational rules
- What counts as PHI and the 18 identifiers
- Whether your business is a Covered Entity or Business Associate
- The Privacy Rule and the Minimum Necessary standard
- Drug testing records, consent, and release
- Email, text, fax, and phone risks
- Secure storage and disposal
- Breach basics, notification rules, and your role in incident response
- Employee responsibilities and personal sanctions
Who This Module Is For
- Specimen collectors (DOT and non-DOT) who handle CCFs, ATFs, and lab paperwork
- Collection site / clinic staff — front desk, scheduling, billing
- C/TPA staff and administrators handling employer records and lab/MRO communications
- HR and DERs who receive verified results
- Business owners standing up a new collection site or TPA
Important Disclaimer
Completing this course helps satisfy training documentation. It does not by itself make your company HIPAA-compliant. There is no such thing as "HHS certification" of a HIPAA course or "HIPAA-certified employee." Anyone who tells you otherwise is misrepresenting the law.
How Often Should You Take This?
HIPAA doesn't mandate a specific frequency — but the Privacy Rule requires training "as necessary and appropriate" for each workforce member to carry out their job functions. The widely followed industry standard is annually, plus whenever roles or systems change. The Certificate of Completion you earn at the end of this module is dated; renew yearly.
What HIPAA Is
HIPAA is a federal law with three operational rules: Privacy (who can see and use PHI), Security (how electronic PHI is protected), and Breach Notification (what to do when PHI is exposed). Drug testing companies often touch all three.
The Law
- 1996 — Health Insurance Portability and Accountability Act passed
- 2003 — Privacy Rule effective
- 2005 — Security Rule effective
- 2009 — HITECH Act expanded HIPAA, including Breach Notification Rule and direct BA liability
- 2013 — Omnibus Rule finalized HITECH changes
- Authority: U.S. Department of Health & Human Services (HHS), Office for Civil Rights (OCR) enforces
The Three Operational Rules
Privacy Rule
Who can use or share PHI, when, and how much. Sets the "permitted uses and disclosures" framework and patient rights to access their own records.
Security Rule
Administrative, physical, and technical safeguards specifically for electronic PHI (ePHI). Encryption, access controls, audit logs, contingency plans.
Breach Notification Rule
What to do when PHI is exposed: notify the individual, HHS, and (for large breaches) the media. Tight timelines.
Why It Matters
HIPAA isn't just paperwork. Civil penalties tier by intent:
| Tier | Penalty per violation | Annual cap |
|---|---|---|
| Did not know | ~$137 – $68,928 | ~$2.07M |
| Reasonable cause | ~$1,379 – $68,928 | ~$2.07M |
| Willful neglect — corrected | ~$13,785 – $68,928 | ~$2.07M |
| Willful neglect — uncorrected | ~$68,928 – $2,067,813 | ~$2.07M |
Amounts adjusted annually for inflation. Criminal penalties (up to 10 years + $250,000) for knowing disclosure for personal gain or malicious harm.
State Laws Layer On Top
State health-privacy laws (California CMIA, New York SHIELD Act, Texas Medical Records Privacy Act, etc.) often go further than HIPAA. HIPAA is the floor, not the ceiling. Where state law is stricter, follow state law.
PHI & the 18 Identifiers
Protected Health Information (PHI) is health information tied to an identifiable person. HIPAA lists 18 specific identifiers that turn otherwise-generic data into PHI. Knowing them tells you which records, faxes, and emails fall under the rule.
What PHI Is
Protected Health Information (PHI) = any information about a person's past, present, or future health condition, treatment, or payment for healthcare, when it can be linked to that person. Includes paper records, electronic records, oral conversations, X-rays, photos, video — any format.
The 18 HIPAA Identifiers
Health info becomes PHI when combined with any of these:
1. Names
2. Geographic subdivisions smaller than a state (street, city, county, ZIP)
3. Dates directly related to the individual (DOB, admission, discharge, death) — and all ages over 89
4. Phone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate / license numbers (incl. CDL when tied to a drug test)
12. Vehicle identifiers (VIN, plate)
13. Device identifiers / serial numbers
14. Web URLs
15. IP addresses
16. Biometric identifiers (fingerprint, voice, retina)
17. Full-face photographs and comparable images
18. Any other unique identifying number, characteristic, or code
ePHI
Electronic PHI (ePHI) is PHI in electronic form — email, files on a laptop, records in a cloud database, text messages, photos in a phone's camera roll. ePHI is covered by the Security Rule in addition to the Privacy Rule.
What Is NOT PHI
- Employment records held by an employer in its role as an employer (e.g., a disciplinary file referencing a drug-test result after the DER receives it — though that data is still confidential under DOT rules)
- Education records covered by FERPA
- Health information about a person who has been deceased for more than 50 years
- De-identified information (all 18 identifiers stripped)
- Aggregate / statistical data with no individual identifiers
Covered Entities vs. Business Associates
Not every business handling health info is a "covered entity" under HIPAA — but most drug testing companies are business associates of one. The two categories carry different obligations. Knowing which one you are determines what you must do.
Covered Entities (CEs)
Three categories of organization that directly transmit certain health transactions electronically:
1. Healthcare providers — doctors, clinics, hospitals, labs, dentists, pharmacies — who electronically transmit any HIPAA-covered transaction (billing, eligibility check, etc.)
2. Health plans — insurers, HMOs, government health plans
3. Healthcare clearinghouses — services that translate health data between formats
Business Associates (BAs)
A person or entity that performs functions or services on behalf of a covered entity that involve PHI. Classic examples in drug testing:
- A drug testing collection site contracted by a clinic or hospital
- A C/TPA performing drug program management for an employer's health plan
- An MRO's office (independent contractor reviewing lab results)
- An IT vendor with access to ePHI
- A document destruction company
- A cloud storage vendor hosting PHI
The BAA
A Business Associate Agreement (BAA) is a written contract between a CE and BA that requires the BA to safeguard PHI per HIPAA. Required by law before any PHI changes hands.
Where Drug Testing Businesses Usually Sit
- Clinical / occ-health practice doing drug tests — usually a covered entity (they bill electronically for medical services)
- Standalone collection site (no medical billing) — often not a covered entity, but typically a business associate of clinics, MROs, or employer health plans they contract with
- C/TPA — usually a business associate (sometimes of a health plan)
- MRO — covered entity (healthcare provider)
BAA Required Provisions
- What PHI the BA may use and disclose
- Safeguards the BA will use
- Subcontractor obligations (down-stream BAA)
- Reporting of impermissible uses/disclosures and breaches
- Return / destruction of PHI at end of contract
- Termination rights
The Privacy Rule & Minimum Necessary
The HIPAA Privacy Rule sets the default: PHI may not be used or disclosed without authorization, except in specific permitted situations. The minimum necessary rule overlays all of it — use and disclose only what's needed.
The Default: PHI Is Closed
The Privacy Rule's starting point is that PHI may not be used or disclosed without the individual's written authorization. Then it carves out specific permitted uses.
Permitted Uses & Disclosures (No Authorization Needed)
- Treatment, Payment, Healthcare Operations (TPO) — the daily operations of healthcare
- To the individual about their own PHI
- Required by law (court order, public-health reporting, certain law enforcement)
- Public health activities (CDC reporting, disease surveillance)
- Coroners, medical examiners, funeral directors
- Specialized government functions (military, national security, certain intelligence)
- Workers' compensation as authorized by state law
The Minimum Necessary Standard
Even when a use or disclosure IS permitted, use and disclose only the minimum necessary to accomplish the purpose.
- Don't fax the whole patient chart when a single result is requested
- Don't print full SSN on a routing form when an internal ID suffices
- Don't copy the whole team on PHI emails — copy only those who need it
- Don't leave full PHI on a voicemail — leave callback only
Minimum Necessary Does NOT Apply To
- Disclosures to the individual themselves
- Treatment-purpose disclosures between providers
- Disclosures authorized by the individual
- Disclosures required by law
- HHS investigations
Notice of Privacy Practices (NPP)
Covered entities must give every individual a Notice of Privacy Practices at first contact, describing how the entity uses and discloses PHI and the individual's rights. Most clinics post it on the wall and on their website too. BAs don't issue an NPP directly — they follow the CE's notice.
Drug Testing Records & Confidentiality
Drug testing records are PHI. The collector's CCF, the lab report, the MRO's verified result — all of it. State workplace drug-testing laws layer additional confidentiality requirements on top. The donor's employer is not entitled to the underlying clinical data — only the verified result.
Drug Testing Records as PHI
- The CCF (Federal CCF or non-DOT CCF) — donor identifiers + test details = PHI
- The specimen + label — donor ID + biological sample = PHI
- The lab report — full PHI
- The MRO verified result — full PHI
- The ATF for alcohol tests — full PHI
- Any medication disclosure to the MRO — full PHI
- Any SAP report related to follow-up testing — full PHI
The Special DOT Layer — §40.321
DOT testing records carry a second layer of confidentiality under 49 CFR §40.321. Highlights:
- Testing records released only to the employer DER, MRO, the donor (or their authorized recipient), and as required by law
- Donor may request a copy of their own records — must be provided promptly
- Records may NOT be shared with new employers without donor authorization (subject to specific Clearinghouse rules)
- Lab cannot release results except to the MRO
- The MRO controls what gets shared with the DER (verified result, not the underlying medication disclosure)
What the DER Receives
The DER receives the verified result — positive, negative, refusal, cancelled. NOT:
- The specific drug detected (in most cases)
- The cutoff levels or lab values
- The donor's medication disclosure
- The MRO's clinical notes
Casual Conversation Risks
- Discussing a donor by name in the break room
- Posting on social media about "the guy who tried to use a Whizzinator today"
- Telling family about funny incidents using identifying details
- Leaving the CCF visible on the counter for the next donor
- Calling the donor's name from the lobby together with their employer's name
Consent, Release & Authorization
Authorization is the mechanism that lets PHI move where it otherwise couldn't. Drug testing programs lean heavily on signed donor authorizations — for the collection itself, for the MRO interview, for sharing the result with the employer.
Authorization vs. Consent
- Authorization — a HIPAA-specific written form letting PHI be used or disclosed for a purpose NOT otherwise permitted
- Consent — a more general term sometimes used for permission to receive treatment or be tested
- The drug testing CCF's donor-signature panel functions as both — confirming the test and authorizing the disclosure chain
Required Elements of a Valid HIPAA Authorization
1. Specific and meaningful description of the information
2. Name of the person(s) authorized to make the disclosure
3. Name of the person(s) to whom the disclosure may be made
4. Description of the purpose
5. Expiration date or event
6. Signature and date
7. Notice of the right to revoke
8. Notice that re-disclosed information may no longer be protected
When Authorization Cannot Be Required
You can't condition treatment, payment, enrollment, or benefits eligibility on a person signing an authorization — except in specific permitted situations (research, employment-related drug testing where the test itself is the service being provided).
Donor Authorizations in Drug Testing
- CCF donor signature acknowledges the collection and the chain
- Separate medical-explanation authorization to the MRO when needed
- Release to a new employer or other third party requires a fresh, specific authorization
- Authorization must be in plain language and the donor must understand it
Revocation
An individual can revoke an authorization at any time, in writing. The revocation isn't retroactive — disclosures made BEFORE revocation are still valid. Document the revocation date.
Email, Text, Fax & Phone Risks
Email, text, fax, and phone calls are the daily high-risk surfaces. Most HIPAA breaches start with a routine communication sent to the wrong person, an unencrypted email, or a fax to a recycled phone number. Knowing the rules here prevents the majority of small-business breaches.
1. Standard unencrypted email is NOT secure. Sending PHI by regular Gmail / Outlook / Yahoo without encryption is a Security Rule violation.
2. Encrypted email (encryption in transit, such as TLS, plus encryption at rest) is the minimum. Services like ProtonMail, Paubox, Virtru, or properly configured Microsoft 365 / Google Workspace with an encryption add-on satisfy the standard.
3. Patient-initiated unencrypted email — if a donor emails you first with their own info, you can reply in the same channel after warning them of the risk. Document the warning.
4. Recipient verification — always re-check the To: line before clicking send.
Text Messages (SMS)
- Regular SMS is NOT secure — carriers can read content, the recipient may not be the patient, and there is no audit trail
- Use a HIPAA-compliant secure messaging app with a BAA in place (TigerConnect, OhMD, Spruce, etc.)
- If you must text, send appointment-only reminders with no clinical content
- Get a documented written consent to SMS communication
Fax
- Verify the fax number BEFORE sending — call the recipient to confirm
- Use a cover sheet with confidentiality notice
- Place fax machines in non-public areas
- Keep faxed sheets out of view while incoming
- Update your auto-dial / favorites list as recipients change numbers
Phone Calls
- Verify the caller before sharing PHI (full name + DOB + phone on file)
- Don't leave detailed PHI on voicemails — leave callback only
- Keep speakerphone use limited to private rooms
- Don't take work calls in public spaces where conversation can be overheard
Secure Storage & Disposal
Paper records and electronic records both need safeguards. Locked file cabinets, encrypted hard drives, secure passwords, controlled access. Disposal matters too — a "shred bin" and "delete key" aren't equally secure.
Physical Storage
1. Paper records in locked file cabinets or rooms — keys controlled
2. Work surfaces cleared at end of day
3. Visitor sign-in + escort policy in PHI areas
4. Screens positioned away from public view; privacy filters where appropriate
5. "Walking the floor" check — are any CCFs visible right now?
Electronic (ePHI) Safeguards
The Security Rule requires three categories of safeguards:
| Category | Examples |
|---|---|
| Administrative | Risk analysis, workforce training, sanctions policy, contingency plan, BAAs |
| Physical | Facility access controls, workstation use policy, device disposal, media re-use |
| Technical | Unique user IDs, automatic logoff, encryption, audit logs, transmission security |
Passwords & Access
- Unique credentials per user — never share
- Strong passwords + multi-factor authentication where available
- Lock screen when stepping away
- No personal accounts (personal Gmail, personal Dropbox) for PHI
- Access removed promptly when staff change roles or leave
Disposal — Paper
- Throwing PHI in the regular trash is a breach in waiting
- Cross-cut shred — strip-shred is not enough
- Contracted destruction service must have a BAA + certificate of destruction
- Locked shred bins until pickup
Disposal — Electronic
- Delete + empty trash is not secure — files can be recovered
- Wipe drives with DoD-grade overwrite OR physically destroy
- Old smartphones, tablets, USB drives, copier hard drives all need secure wipe
- Document destruction in an asset disposition log
Breach Basics & Notification
A breach is the impermissible use or disclosure of PHI that compromises its security or privacy. Some breaches must be reported to the donor, HHS, and (for large ones) the media. Knowing what counts, what to do first, and the timeline keeps a small mistake from becoming an enforcement action.
What Counts as a Breach
An impermissible acquisition, access, use, or disclosure of PHI that compromises its security or privacy. Default rule: any impermissible disclosure is presumed to be a breach unless the entity can demonstrate a low probability of compromise via a 4-factor risk analysis.
The 4-Factor Risk Analysis
1. Nature and extent of the PHI involved (identifiers, sensitive content)
2. Who received the unauthorized access (employee vs. stranger)
3. Whether the PHI was actually acquired or viewed (or only possibly accessible)
4. Extent to which the risk has been mitigated (recovered, destroyed, attestation)
Notification Timeline
| Who is notified | When |
|---|---|
| Affected individuals | No later than 60 days after discovery |
| HHS (small breach: <500 individuals) | Annual log submitted within 60 days after end of calendar year |
| HHS (large breach: ≥500 individuals) | Within 60 days of discovery — and posted to the public HHS Wall of Shame |
| Media (large breach in a state/jurisdiction) | Within 60 days of discovery — to prominent local media outlets |
| Business Associates → Covered Entity | Per BAA terms (typically as soon as possible, often within hours/days) |
If You Spot a Possible Breach — Your Job
Stop the bleed
Recall the email, retrieve the misdirected fax, log out the unauthorized session.
Tell your Privacy / Compliance Officer immediately
Don't wait, don't hide it. The clock starts at "discovery" — which is when ANY employee learns of it, not just management.
Document what happened
What, when, who, what PHI, what you did.
Let leadership lead the response
Risk analysis, notifications, remediation are organizational responsibilities. Your role is honest, timely reporting.
Common Breach Examples
- Email with PHI sent to the wrong recipient
- Fax sent to the wrong number
- Lost / stolen unencrypted laptop or USB drive
- Trash bin containing un-shredded CCFs
- Employee snooping on a record they had no business reason to see
- Ransomware that may have accessed PHI
- Misconfigured cloud storage exposing files publicly
Employee Responsibilities & Sanctions
HIPAA puts duties on the organization, but individuals can also face personal sanctions — civil monetary penalties, employer discipline, criminal liability in extreme cases. Knowing the do's and don'ts protects you personally as well as your employer.
Your Responsibilities
1. Know and follow your employer's HIPAA policies and procedures
2. Take refresher training when offered
3. Protect PHI in your possession at all times
4. Use the minimum necessary PHI for the task at hand
5. Use secure systems (encrypted email, secure messaging) for PHI
6. Report potential breaches and suspicious activity immediately
7. Don't access records you don't need to do your job
8. Don't share login credentials
Individual Civil Liability
HIPAA penalties primarily apply to organizations — but states (California, Texas, others) and tort law allow individuals to be named in civil cases over privacy violations. Your employer's sanction policy may also impose discipline up to termination.
Criminal Liability
Federal HIPAA crime (42 USC §1320d-6) attaches when a person knowingly obtains or discloses PHI:
| Conduct | Max penalty |
|---|---|
| Knowing violation | 1 year + $50,000 |
| Under false pretenses | 5 years + $100,000 |
| For personal gain or malicious harm | 10 years + $250,000 |
Real cases: employees fired and prosecuted for snooping on celebrity records, family members' records, or selling PHI for identity theft.
Whistleblower Protections
Federal and state law protect employees who report HIPAA violations in good faith from retaliation. Do not stay silent because you fear retaliation — the law has your back.
Scenarios & Best Practices
Real-world scenarios pull all the pieces together. Walk through these, run the best-practices checklist, and lock in the habits. This section ends with the disclaimer that closes out the course.
Scenario 1 — The Friendly Question
Setup: A neighbor at a barbecue mentions her son drives for a local trucking company. She asks "Hey, did he get tested at your site last week? Was he okay?"
Correct response: "I can't confirm whether anyone is or isn't a customer. Even if he was, I can't discuss it. Please ask your son directly." Even acknowledging he was a donor is a disclosure of PHI.
Scenario 2 — The Misdirected Email
Setup: You're emailing a CCF copy to the DER at jsmith@example.com. After hitting send, you realize you typed jsmith@examp1e.com (1 instead of l).
Correct response: Immediately attempt recall in your email client. Document the misdirect (time, content, recipient address). Notify your Privacy Officer same day. Don't hope it goes unnoticed — the clock has started.
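As an added example that is not part of the original module, the recipient-verification rule from the Email section and this scenario can be enforced by a pre-send check: it flags a recipient domain that is one typo or one digit-for-letter substitution away from an approved DER/MRO domain, and blocks an unencrypted message whose text contains common PHI identifiers. The approved domains, the identifier patterns and the sample message are constructed for illustration, not taken from the page.

```python
import re

# Constructed allowlist of DER/MRO domains approved to receive PHI (example values, not from the page).
APPROVED_DOMAINS = {"example.com", "mro-example.org"}

# Digits and symbols commonly mistyped or substituted for letters (the "1 for l" case in Scenario 2).
CONFUSABLE = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "8": "b", "|": "l"})

# Minimal PHI identifier patterns relevant to a collection site's outbound mail (constructed).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\bDOB\b\s*:?\s*\d{1,2}/\d{1,2}/\d{2,4}", re.IGNORECASE),
    "specimen_id": re.compile(r"\bspecimen\s*(?:id|#)?\s*:?\s*\d{6,}\b", re.IGNORECASE),
}


def edit_distance(a, b):
    """Levenshtein distance; a distance of 1 covers a single mistyped, missing or extra character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def recipient_risk(address):
    """Return 'approved', 'lookalike' (a near-miss of an approved domain) or 'unknown'."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in APPROVED_DOMAINS:
        return "approved"
    folded = domain.translate(CONFUSABLE)
    for approved in APPROVED_DOMAINS:
        if folded == approved.translate(CONFUSABLE) or edit_distance(domain, approved) == 1:
            return "lookalike"
    return "unknown"


def find_phi(text):
    """Names of the identifier patterns present in the text, sorted for stable output."""
    return sorted(name for name, pat in PHI_PATTERNS.items() if pat.search(text))


def check_outbound(recipients, subject, body, encrypted):
    """Pre-send gate: returns BLOCK/HOLD findings; an empty list means the message may be sent."""
    findings = []
    phi = find_phi(subject + "\n" + body)
    for rcpt in recipients:
        risk = recipient_risk(rcpt)
        if risk == "lookalike":
            findings.append(f"BLOCK: {rcpt} resembles an approved domain but is not on the allowlist")
        elif risk == "unknown" and phi:
            findings.append(f"HOLD: {rcpt} is not an approved PHI recipient")
    if phi and not encrypted:
        findings.append("BLOCK: PHI present (" + ", ".join(phi) + ") but message is not encrypted")
    return findings


# Constructed sample: the Scenario 2 typo, with a CCF copy described in the body.
SAMPLE_BODY = "Attached CCF copy. Specimen ID 0123456789, donor DOB: 04/12/1985, SSN 123-45-6789."

if __name__ == "__main__":
    for finding in check_outbound(["jsmith@examp1e.com"], "CCF copy", SAMPLE_BODY, encrypted=True):
        print(finding)
```

A lookalike recipient is blocked even when the message is encrypted, because encryption protects the channel, not against delivering PHI to the wrong party.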
Scenario 3 — The "Just Curious" Coworker
Setup: A coworker asks if their cousin came in last week for a pre-employment drug test and "how it went."
Correct response: "I can't share that with you — same as I couldn't share yours with someone else. It's a HIPAA matter." Even looking it up to see is a Privacy violation if you don't have a job-related need.
Scenario 4 — The Donor Calls Back
Setup: A donor calls and asks for a copy of their CCF + result.
Correct response: Verify identity (full name + DOB + a second identifier on file). Provide the donor's own records — they have a right under both HIPAA and §40.329 (DOT). Document the request and what was sent.
Scenario 5 — The Lost Phone
Setup: You leave your phone in an Uber. It has the secure messaging app with PHI in it.
Correct response: Remote-wipe immediately. Notify your Privacy Officer same day. Change all account passwords. Document the incident. Outcome depends on whether the device had MFA, a strong PIN, and whether wipe succeeded.
Best Practices Checklist
- Treat every CCF, lab report, and ATF as PHI
- Minimum necessary, every time
- Verify the recipient before sending PHI
- Encrypted email + secure messaging only
- Locked storage, cross-cut shred, asset disposition log
- Report potential breaches immediately — discovery starts the clock
- Know your employer's Privacy Officer and how to reach them
- Don't access records you don't need
- When in doubt, ask
Annual refresh recommended. Set a calendar reminder for 12 months from your certificate date.