Requiring Employees to be Tested for Infectious Disease

Employer Required COVID-19 tests for employees, According to the Americans with Disabilities Act, and EEOC Laws

According to the U.S. Equal Employment Opportunity Commission:

An employer may administer a COVID-19 test (a test to detect the presence of the COVID-19 virus) when evaluating an employee’s initial or continued presence in the workplace


The ADA requires that a mandatory medical test of employees be

“job-related and consistent with business necessity.”

Suppose one applies this Standard to the current circumstances of the COVID-19 pandemic. In that case, employers may take screening steps to determine if employees entering the workplace have COVID-19 because an individual with the virus will pose a direct threat to the health of others.

Based on this Standard, an employer may elect to administer COVID-19 testing to employees before permitting them to enter the workplace to determine if their presence in the workplace poses a direct threat to others.  Re-testing at a reasonable interval may also be permissible.

However, the ADA does not supersede or preempt an employer from following recommendations by the Centers for Disease Prevention and Control (CDC) or other public health authorities regarding whether, when, and for whom testing or additional screening is appropriate. Employers’ testing consistent with current CDC guidance will meet the ADA’s “business necessity” standard.

To meet the ADA Standard, employers should ensure that the tests are considered accurate and reliable.

For example, employers may review information from the U.S. Food and Drug Administration about what may or may not be considered safe and accurate testing, as well as guidance from CDC or other public health authorities.

The CDC and FDA have periodically amended their recommendations based on new information. Employers may need to consider the incidence of false-positives or false-negatives associated with a particular test.

A manager may ask only one employee, instead of asking all employees questions to determine if the individual employee has COVID-19, but ONLY IN CERTAIN CIRCUMSTANCES

Suppose an employer wishes to ask only a particular employee to answer such questions or to have her temperature taken or undergo other screening or testing. In that case, the ADA requires the employer to have a reasonable belief based on objective evidence that this person might have the disease.

Therefore, the employer must consider why it wishes to take these actions regarding this particular employee, such as potential COVID-19 symptoms.  Note also that the employer individual who interprets the symptom and their training may be examined if there is a later dispute regarding the reasonable determination of risk for COVID-19 infection.

Employer Test Request by Types of COVID-19 Tests and Who Should Be Tested According to CDC Guidance

According to CDC guidance, a test for a current infection (viral test) would apply to:

People who have symptoms of COVID-19.
People who have had close contact (within 6 feet of an infected person for a cumulative total of 15 minutes or more over a 24-hour period) with someone with confirmed COVID-19.​​
People who have taken part in activities that put them at higher risk for COVID-19 because they cannot socially distance as needed, such as travel, attending large social or mass gatherings, or being in crowded indoor settings.
People who have been asked or referred to get testing by their healthcare provider, local or state health department.

A viral test checks specimens from your nose or your mouth (saliva) to find out if you are currently infected with SARS-CoV-2, the virus that causes COVID-19.

Two types of viral tests can be used:

    • Nucleic acid amplification tests (NAATs) detect the virus’s genetic material and are commonly used in laboratories. NAATs are generally more accurate, but sometimes take longer to process than other test types.
    • Antigen tests detect viral proteins and are generally not as sensitive as NAATs, particularly if the antigen test is used on someone without COVID-19 symptoms. If you have a positive or negative antigen test, your healthcare provider may need to confirm the test result with a NAAT.

HIPAA Considerations Regarding Reporting of  Infectious Disease Test Results to an Employer

An employer may choose to implement testing using in-house medical staff if applicable or an outside laboratory. Or employees might collect their specimens for COVID-19 testing. Generally, testing laboratories are HIPAA Covered Entities.The test results and personally identifying information are protected health information (PHI) that must only be used or disclosed as provided for by HIPAA.

HIPAA Covered Entities may not disclose PHI unless the patient requests the disclosure to an employer and authorizes it with their signature. State Standards in some jurisdictions add specific requirements to the contents of this authorization form. Employers should include in their employee communication a HIPAA-compliant authorization form that employees must sign and provide to the testing laboratory when the testing laboratory is subject to HIPAA.

Employers, in turn must maintain the privacy of the information they receive and not disclose personally identifying information to others.

  1. First, HIPAA Covered Entity laboratories are required to implement information safeguards required by the HIPAA Security Rule, which, if properly implemented, should reduce the risk of a security breach involving COVID-19 test results.
  2. Second, employees may put more trust a HIPAA-covered testing lab.
  3. Third, the Clinical Laboratory Improvement Amendments Act (CLIA) requires that laboratories implement and document measures to ensure the accuracy of test results, including tracking the chain of custody of specimens, that the specimen is tested and attributed to the correct individual, and that the test results are reported accurately and in a HIPAA compliant manner.

Interpreting COVID-19 Test Results of Employees

A positive test result reveals that an individual most likely has a current infection and may transmit the virus to others. A negative test result means that the individual did not have detectable COVID-19 at the time of testing.  A negative test does not mean the employee will not acquire the virus at a later time. Based on guidance from medical and public health authorities, employers should still require–to the greatest extent possible–that employees observe infection control practices (such as social distancing, regular handwashing, and other measures) in the workplace to prevent transmission of COVID-19.

Privacy of Employee COVID-19 Test Results

Generally, employers should not report or share an individual’s identity that tests positive or negative for a test.  If the employer is a HIPA Covered Entity, any test that it administers and the result of that test are regulated under HIPAA.  If the employer is not a HIPAA Covered Entity, there may be other Standards that apply, but generally, we advise informing only the individual of the test result.  If the employer identifies an employee that tests positive, it may be best to simply state that an individual tested positive and that others should be tested. Quarantine, isolation measures, etc., are a separate issue from protecting the privacy of the individual.

Reporting COVID-19 Positive Results where Protected Health Information (PHI) or Personal Identifiers are Shared

HIPAA Covered Entities (generally not employers unless the employer is a HIPAA Covered Entity) are mandated reporters of infectious disease, but only the ‘minimum necessary’ should be reported (see Minimum Necessary Requirement 45 CFR 164.502(b), 164.514(d) and 45 CFR 164.512(b)).  The report is made to the local public health authority, usually at the County level, who reports to the State Public Health Authority, who in turn reports to the Federal Public Health Authority, which is the CDC.   We advise employers to NOT publicly report or share test results that disclose the identity of the individual, even if they are not a HIPAA Covered Entity.

California Consumer Privacy Act (CCPA) Requirements

An employer that administers temperature tests may be subject to the California Consumer Privacy Act (“CCPA”).  The temperature screening could trigger the CCPA’s notice requirements. The CCPA, effective January 1, 2020 with enforcement beginning on July 1, 2020, protects the personal information of residents of California.

The CCPA, a subject business that collects a California resident’s “personal information” must inform that individual “at or before the point of collection” the categories of personal information being collected and the purposes for which the information will be used.  The CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It includes “biometric information”, as well as “udio, electronic, visual, thermal, olfactory, or similar information.” Data that is collected regarding a consumer’s body temperature thus likely qualifies as “personal information” subject to the CCPA if it is collected in a manner that enables the body temperature information to be linked with or reasonably associated with a particular California resident.



(4/23/20; updated 9/8/20 to address stakeholder questions about updates to CDC guidance)

What You Should Know About COVID-19 and the ADA, the ….

The HIPAA Security Rule sets out specific protections that all covered providers must follow to protect health information. These practices include administrative, technical, and physical safeguards. … The HIPAA Security Rule requires three kinds of safeguards: administrative, physical, and technical.

Centers for Medicare and Medicaid. Ref: QSO-21-10-CLIA

Clinical Laboratory Improvement Amendments of 1988 (CLIA) Laboratories Surveyor Guidance for New and Modified CLIA Requirements Related to SARSCoV-2 Test Result Reporting. CLIA is not prescriptive as to how laboratories report SARS-CoV-2 test results. However, the laboratory must have documented evidence that test results were reported, or an attempt was made to report the test results as described above, and must have reported those results as outlined in its policies/procedures. CMS would also expect the laboratory to have verification that the test results were received by the reporting entity. Regardless of the means used to transmit laboratory results, routine checks should be conducted to verify that transmissions are being accurately and reliably conveyed to the final report destination. (Cite D1001 for CoW, D5801 for other certificate types)

Centers for Disease Prevention and Control – Testing for COVID-19

Related Information

Expert Witness Workplace for Disabled

COVID-19 Testing Diagnosis Codes for the Electronic Health Record

HIPAA Expert Witness, what may be reported and to whom may it be reported regarding infectious disease?

Michael F. Arrigo

Michael is Managing Partner & CEO of No World Borders, a leading healthcare management and IT consulting firm. He serves as an expert witness in Federal and State Court and was recently ruled as an expert by a 9th Circuit Federal Judge. He serves as a patent expert witness on intellectual property disputes, both as a Technical Expert and a Damages expert. His vision for the firm is to continue acquisition of skills and technology that support the intersection of clinical data and administrative health data where the eligibility for medically necessary care is determined. He leads a team that provides litigation consulting as well as advisory regarding medical coding, medical billing, medical bill review and HIPAA Privacy and Security best practices for healthcare clients, Meaningful Use of Electronic Health Records. He advises legal teams as an expert witness in HIPAA Privacy and Security, medical coding and billing and usual and customary cost of care, the Affordable Care Act and benefits enrollment, white collar crime, False Claims Act, Anti-Kickback, Stark Law, physician compensation, Insurance bad faith, payor-provider disputes, ERISA plan-third-party administrator disputes, third-party liability, and the Medicare Secondary Payer Act (MSPA) MMSEA Section 111 reporting. He uses these skills in disputes regarding the valuation of pharmaceuticals and drug costs and in the review and audit of pain management and opioid prescribers under state Standards and the Controlled Substances Act. He consults to venture capital and private equity firms on mHealth, Cloud Computing in Healthcare, and Software as a Service. He advises ERISA self-insured employers on cost of care and regulations. Arrigo was recently retained by the U.S. Department of Justice (DOJ) regarding a significant false claims act investigation. He has provided opinions on over $1 billion in health care claims and due diligence on over $8 billion in healthcare mergers and acquisitions. Education: UC Irvine - Economics and Computer Science, University of Southern California - Business, studies at Stanford Medical School - Biomedical Informatics, studies at Harvard Medical School - Bioethics. Trained in over 10 medical specialties in medical billing and coding. Trained by U.S. Patent and Trademark Office (USPTO) and PTAB Judges on patent statutes, rules and case law (as a non-attorney to better advise clients on Technical and Damages aspects of patent construction and claims). Mr. Arrigo has been interviewed quoted in the Wall Street Journal, New York Times, and National Public Radio, Fortune, KNX 1070 Radio, Kaiser Health News, NBC Television News, The Capitol Forum and other media outlets. See and for more about the company.

Leave a Reply