• E-mail
• Print
• RSS

Q: Our company performs forensic urine drug tests. Most of our business comes from probation agencies. We also occasionally perform preemployment urine drug tests. Are we a covered entity under HIPAA?

HIPAA Weekly Advisor, August 13, 2007

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

Q: Our company performs forensic urine drug tests. Most of our business comes from probation agencies. We also occasionally perform preemployment urine drug tests. Are we a covered entity under HIPAA?

A: If your company sends and receives HIPAA-covered transactions electronically, either directly or indirectly (this includes Web-based or direct data entry [DDE] transactions), you are a covered entity, because HIPAA would classify you as a healthcare provider. If you perform tests only as part of a preemployment screening process for your own company, you are not a HIPAA-covered entity.

Even if you don't send your transactions electronically, you shouldn't ignore the HIPAA privacy and security requirements. Courts have decided against organizations that have access to PHI, but do not take into account appropriate privacy and security, because the courts considered HIPAA to be appropriate standards for the healthcare industry.

Also, you need to be especially aware of 42 CFR Part 2, which governs federally funded alcohol and chemical dependency programs. Even though you may not operate these programs directly, you do provide information that assists such programs. This would be an important topic to address with your attorney, as it is better to take extra precautions than to find yourself on the wrong end of a civil suit.

Editor's note: Chris Apgar, president of Portland, OR-based Apgar & Associates, LLC, answered this question. This is not legal advice. Consult your attorney for legal matters.

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

• E-mail to a Colleague
• Print
• RSS
• Archive