Requiring Employees to be Tested for Infectious Disease

Employer Required COVID-19 tests for employees, According to the Americans with Disabilities Act, and EEOC Laws

According to the U.S. Equal Employment Opportunity Commission:

An employer may administer a COVID-19 test (a test to detect the presence of the COVID-19 virus) when evaluating an employee’s initial or continued presence in the workplace


The ADA requires that a mandatory medical test of employees be

“job-related and consistent with business necessity.”

Suppose one applies this Standard to the current circumstances of the COVID-19 pandemic. In that case, employers may take screening steps to determine if employees entering the workplace have COVID-19 because an individual with the virus will pose a direct threat to the health of others.[1]

Based on this Standard, an employer may elect to administer COVID-19 testing to employees before permitting them to enter the workplace to determine if their presence in the workplace poses a direct threat to others.  Re-testing at a reasonable interval may also be permissible.

However, the ADA does not supersede or preempt an employer from following recommendations by the Centers for Disease Prevention and Control (CDC) or other public health authorities regarding whether, when, and for whom testing or additional screening is appropriate. Employers’ testing consistent with current CDC guidance will meet the ADA’s “business necessity” standard.

To meet the ADA Standard, employers should ensure that the tests are considered accurate and reliable.

For example, employers may review information from the U.S. Food and Drug Administration about what may or may not be considered safe and accurate testing, as well as guidance from CDC or other public health authorities.

The CDC and FDA have periodically amended their recommendations based on new information. Employers may need to consider the incidence of false-positives or false-negatives associated with a particular test.

A manager may ask only one employee, instead of asking all employees questions to determine if the individual employee has COVID-19, but ONLY IN CERTAIN CIRCUMSTANCES

Suppose an employer wishes to ask only a particular employee to answer such questions or to have her temperature taken or undergo other screening or testing. In that case, the ADA requires the employer to have a reasonable belief based on objective evidence that this person might have the disease.

Therefore, the employer must consider why it wishes to take these actions regarding this particular employee, such as potential COVID-19 symptoms.  Note also that the employer individual who interprets the symptom and their training may be examined if there is a later dispute regarding the reasonable determination of risk for COVID-19 infection.

Employer Test Request by Types of COVID-19 Tests and Who Should Be Tested According to CDC Guidance

According to CDC guidance,[4] a test for a current infection (viral test) would apply to:

People who have symptoms of COVID-19.
People who have had close contact (within 6 feet of an infected person for a cumulative total of 15 minutes or more over a 24-hour period) with someone with confirmed COVID-19.​​
People who have taken part in activities that put them at higher risk for COVID-19 because they cannot socially distance as needed, such as travel, attending large social or mass gatherings, or being in crowded indoor settings.
People who have been asked or referred to get testing by their healthcare provider, local or state health department.

A viral test checks specimens from your nose or your mouth (saliva) to find out if you are currently infected with SARS-CoV-2, the virus that causes COVID-19.

Two types of viral tests can be used:

    • Nucleic acid amplification tests (NAATs) detect the virus’s genetic material and are commonly used in laboratories. NAATs are generally more accurate, but sometimes take longer to process than other test types.
    • Antigen tests detect viral proteins and are generally not as sensitive as NAATs, particularly if the antigen test is used on someone without COVID-19 symptoms. If you have a positive or negative antigen test, your healthcare provider may need to confirm the test result with a NAAT.

HIPAA Considerations Regarding Reporting of  Infectious Disease Test Results to an Employer

An employer may choose to implement testing using in-house medical staff if applicable or an outside laboratory. Or employees might collect their specimens for COVID-19 testing. Generally, testing laboratories are HIPAA Covered Entities.The test results and personally identifying information are protected health information (PHI) that must only be used or disclosed as provided for by HIPAA.

HIPAA Covered Entities may not disclose PHI unless the patient requests the disclosure to an employer and authorizes it with their signature. State Standards in some jurisdictions add specific requirements to the contents of this authorization form. Employers should include in their employee communication a HIPAA-compliant authorization form that employees must sign and provide to the testing laboratory when the testing laboratory is subject to HIPAA.

Employers, in turn must maintain the privacy of the information they receive and not disclose personally identifying information to others.

  1. First, HIPAA Covered Entity laboratories are required to implement information safeguards required by the HIPAA Security Rule,[2] which, if properly implemented, should reduce the risk of a security breach involving COVID-19 test results.
  2. Second, employees may put more trust a HIPAA-covered testing lab.
  3. Third, the Clinical Laboratory Improvement Amendments Act (CLIA) requires that laboratories implement and document measures to ensure the accuracy of test results, including tracking the chain of custody of specimens, that the specimen is tested and attributed to the correct individual, and that the test results are reported accurately and in a HIPAA compliant manner.[3]

Interpreting COVID-19 Test Results of Employees

A positive test result reveals that an individual most likely has a current infection and may transmit the virus to others. A negative test result means that the individual did not have detectable COVID-19 at the time of testing.  A negative test does not mean the employee will not acquire the virus at a later time. Based on guidance from medical and public health authorities, employers should still require–to the greatest extent possible–that employees observe infection control practices (such as social distancing, regular handwashing, and other measures) in the workplace to prevent transmission of COVID-19.

Privacy of Employee COVID-19 Test Results

Generally, employers should not report or share an individual’s identity that tests positive or negative for a test.  If the employer is a HIPA Covered Entity, any test that it administers and the result of that test are regulated under HIPAA.  If the employer is not a HIPAA Covered Entity, there may be other Standards that apply, but generally, we advise informing only the individual of the test result.  If the employer identifies an employee that tests positive, it may be best to simply state that an individual tested positive and that others should be tested. Quarantine, isolation measures, etc., are a separate issue from protecting the privacy of the individual.

Reporting COVID-19 Positive Results where Protected Health Information (PHI) or Personal Identifiers are Shared

HIPAA Covered Entities (generally not employers unless the employer is a HIPAA Covered Entity) are mandated reporters of infectious disease, but only the ‘minimum necessary’ should be reported (see Minimum Necessary Requirement 45 CFR 164.502(b), 164.514(d) and 45 CFR 164.512(b)).  The report is made to the local public health authority, usually at the County level, who reports to the State Public Health Authority, who in turn reports to the Federal Public Health Authority, which is the CDC.   We advise employers to NOT publicly report or share test results that disclose the identity of the individual, even if they are not a HIPAA Covered Entity.

California Consumer Privacy Act (CCPA) Requirements

An employer that administers temperature tests may be subject to the California Consumer Privacy Act (“CCPA”).  The temperature screening could trigger the CCPA’s notice requirements. The CCPA, effective January 1, 2020 with enforcement beginning on July 1, 2020, protects the personal information of residents of California.

The CCPA, a subject business[1] that collects a California resident’s “personal information” must inform that individual “at or before the point of collection” the categories of personal information being collected and the purposes for which the information will be used.  The CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It includes “biometric information”, as well as “[a]udio, electronic, visual, thermal, olfactory, or similar information.” Data that is collected regarding a consumer’s body temperature thus likely qualifies as “personal information” subject to the CCPA if it is collected in a manner that enables the body temperature information to be linked with or reasonably associated with a particular California resident.



(4/23/20; updated 9/8/20 to address stakeholder questions about updates to CDC guidance)

[1] What You Should Know About COVID-19 and the ADA, the ….

[2] The HIPAA Security Rule sets out specific protections that all covered providers must follow to protect health information. These practices include administrative, technical, and physical safeguards. … The HIPAA Security Rule requires three kinds of safeguards: administrative, physical, and technical.

[3] Centers for Medicare and Medicaid. Ref: QSO-21-10-CLIA

Clinical Laboratory Improvement Amendments of 1988 (CLIA) Laboratories Surveyor Guidance for New and Modified CLIA Requirements Related to SARSCoV-2 Test Result Reporting. CLIA is not prescriptive as to how laboratories report SARS-CoV-2 test results. However, the laboratory must have documented evidence that test results were reported, or an attempt was made to report the test results as described above, and must have reported those results as outlined in its policies/procedures. CMS would also expect the laboratory to have verification that the test results were received by the reporting entity. Regardless of the means used to transmit laboratory results, routine checks should be conducted to verify that transmissions are being accurately and reliably conveyed to the final report destination. (Cite D1001 for CoW, D5801 for other certificate types)

[4] Centers for Disease Prevention and Control – Testing for COVID-19

Related Information

Expert Witness Workplace for Disabled

COVID-19 Testing Diagnosis Codes for the Electronic Health Record

HIPAA Expert Witness, what may be reported and to whom may it be reported regarding infectious disease?

Michael F. Arrigo

Michael Arrigo, an expert witness, and healthcare executive, brings four decades of experience in the software, financial services, and healthcare industries. In 2000, Mr. Arrigo founded No World Borders, a healthcare data, regulations, and economics firm with clients in the pharmaceutical, medical device, hospital, surgical center, physician group, diagnostic imaging, genetic testing, health I.T., and health insurance markets. His expertise spans the federal health programs Medicare and Medicaid and private insurance. He advises Medicare Advantage Organizations that provide health insurance under Part C of the Medicare Act. Mr. Arrigo serves as an expert witness regarding medical coding and billing, fraud damages, and electronic health record software for the U.S. Department of Justice. He has valued well over $1 billion in medical billings in personal injury liens, malpractice, and insurance fraud cases. The U.S. Court of Appeals considered Mr. Arrigo's opinion regarding loss amounts, vacating, and remanding sentencing in a fraud case. Mr. Arrigo provides expertise in the Medicare Secondary Payer Act, Medicare LCDs, anti-trust litigation, medical intellectual property and trade secrets, HIPAA privacy, health care electronic claim data Standards, physician compensation, Anti-Kickback Statute, Stark law, the Affordable Care Act, False Claims Act, and the ARRA HITECH Act. Arrigo advises investors on merger and acquisition (M&A) diligence in the healthcare industry on transactions cumulatively valued at over $1 billion. Mr. Arrigo spent over ten years in Silicon Valley software firms in roles from Product Manager to CEO. He was product manager for a leading-edge database technology joint venture that became commercialized as Microsoft SQL Server, Vice President of Marketing for a software company when it grew from under $2 million in revenue to a $50 million acquisition by a company now merged into Cincom Systems, hired by private equity investors to serve as Vice President of Marketing for a secure email software company until its acquisition and multi $million investor exit by a company now merged into Axway Software S.A. (Euronext: AXW.PA), and CEO of one of the first cloud-based billing software companies, licensing its technology to Citrix Systems (NASDAQ: CTXS). Later, before entering the healthcare industry, he joined Fortune 500 company Fidelity National Financial (NYSE: FNF) as a Vice President, overseeing eCommerce solutions for the mortgage banking industry. While serving as a Vice President at Fortune 500 company First American Financial (NYSE: FAF), he oversaw eCommerce and regulatory compliance technology initiatives for the top ten mortgage banks and led the Sarbanes Oxley Act Section 302 internal controls I.T. audit for the company, supporting Section 404 of the Sarbanes Oxley Act. Mr. Arrigo earned his Bachelor of Science in Business Administration from the University of Southern California. Before that, he studied computer science, statistics, and economics at the University of California, Irvine. His post-graduate studies include biomedical ethics at Harvard Medical School, biomedical informatics at Stanford Medical School, blockchain and crypto-economics at the Massachusetts Institute of Technology, and training as a Certified Professional Medical Auditor (CPMA). Mr. Arrigo is qualified to serve as a director due to his experience in healthcare data, regulations, and economics, his leadership roles in software and financial services public companies, and his healthcare M&A diligence and public company regulatory experience. Mr. Arrigo is quoted in The Wall Street Journal, Fortune Magazine, Kaiser Health News, Consumer Affairs, National Public Radio (NPR), NBC News Houston, USA Today / Milwaukee Journal Sentinel, Medical Economics, Capitol ForumThe Daily Beast, the Lund Report, Inside Higher Ed, New England Psychologist, and other press and media outlets. He authored a peer-reviewed article regarding clinical documentation quality to support accurate medical coding, billing, and good patient care, published by Healthcare Financial Management Association (HFMA) and published in Healthcare I.T. News. Mr. Arrigo serves as a member of the board of directors of a publicly traded company in the healthcare and data analytics industry, where his duties include: member, audit committee; chair, compensation committee; member, special committee.

Leave a Reply