Coronavirus Testing and Privacy: Frequently Asked Questions
- Who has the records of my COVID-19 test if I want to get a copy of the results? What privacy law applies?
- How many entities will know that I tested positive for COVID-19?
- How much detail will be collected and revealed about my COVID-19 test?
- Can I get a record of everything related to my COVID-19 treatment?
- Can I get a copy of a deceased person’s health records?
- What are the rules about who gets my health record in a public health emergency?
- What about confidentiality of my records in a public health crisis?
- My health condition and photograph were published on social media or in an online publication. Can I do anything about this? What happens to my privacy rights if this information is published by someone else?
- In the coronavirus pandemic, do I need to send my medical records to my regular doctor if I was seen by a doctor in another city, state, or country?
- What happens to my health records or my child’s health records held at a school?
This FAQ provides responses to the most frequently asked questions about coronavirus and privacy, especially COVID-19 testing, records, and health privacy for people in, or visiting, the U.S.
In this document, when we say HIPAA, it means the HIPAA health privacy rule. HIPAA stands for the Health Insurance Portability and Accountability Act, a 1996 U.S. federal statute.
If you would like additional background about health privacy in the U.S., see our Patient’s Guide to HIPAA, available at: https://www.worldprivacyforum.org/2019/03/hipaa/.
1. Who has the records of my COVID-19 test if I want to get a copy of the results? What privacy law applies?
It depends on who does the test.
Doctor or Hospital: A doctor or hospital that did the test would have the results, and the healthcare providers are subject to HIPAA rules. If you need to make a formal request for your health record, you can use the access procedure established under HIPAA. But that might take 30 days. You might do better just asking informally. In times of crisis, informality may produce better or faster results.
Public Health Clinic or Public Health Agency: If you had your test done at a public health clinic or other public health agency, these entities would have the results, but they might not be subject to HIPAA. This is important because HIPAA is what grants patients the right of access to their health records. There’s no litmus test that will tell you if HIPAA applies. Look at any notice of privacy practices to see if it cites HIPAA.
- If you have had your COVID-19 test done by a federal public health agency, the records will be subject to the Privacy Act of 1974, which also gives individuals a right of access.
- County-level and state-run clinics will fall under state law, which will differ state by state. Again, formal processes may not be the best way in times of crisis. NACCHO has a list of local health departments in the U.S. available at: https://www.naccho.org/membership/lhd-directory.
Public Health Laboratory or Commercial Laboratory: If a laboratory did the testing, the type of lab that did the testing may make a difference as to what privacy law applies. To avoid confusion, it’s a good idea to ask the lab if they are subject to HIPAA. A lab subject to HIPAA has to provide individuals with access to their records. Regarding obtaining a copy of the results, ask the lab where they send the results. In some cases, if you went to a lab with instructions from your doctor, you may be able to request your results directly from the lab. In other circumstances, the lab may send their results back to your doctor, hospital, or healthcare provider.
Academic Institution: Because of the national emergency the coronavirus pandemic created, you may be tested by an academic institution such as a university health center. Depending on circumstances too complicated to explain here, the test results may be subject to HIPAA or, for some students, the Family Educational Rights and Privacy Act (FERPA). See FAQ 10 in this document for more on FERPA. Each law — HIPAA and FERPA — provides a right of access.
As testing for COVID-19 becomes more widely available, others may do testing as well, and the application of privacy laws is hard to predict. Again, it may be best to try informal procedures when you need information quickly. When in doubt, always ask what privacy law applies to the institution.
The CDC keeps a daily update of testing in the U.S. here: https://www.cdc.gov/coronavirus/2019-ncov/cases-updates/testing-in-us.html.
2. How many entities will know that I tested positive for COVID-19?
With a communicable disease like COVID-19, it is highly likely that positive results will be reported to public health authorities pursuant to laws covering communicable diseases. HIPAA allows doctors and hospitals to disclose health information to public health authorities or to anyone to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. This provision allows for the disclosure of test results (especially positive results) to anyone who can benefit from knowing the results either by taking appropriate protective action or warning others. The authority to disclose is not unlimited, however.
In short, positive test results may be widely shared in the interest of protecting others. The Centers for Disease Control (CDC), for example, has been receiving results from laboratory tests for COVID-19.
3. How much detail will be collected and revealed about my COVID-19 test?
A COVID-19 test will typically ask you to disclose information such as your name, date of birth, age, sex, pregnancy status, travel history (foreign and within the U.S.), and country of residence, among other information. If your COVID-19 test is sent along with a biological sample to the CDC, you can reasonably expect the inclusion of data such as: clinical diagnosis, date of onset, pregnancy status, and demographic information, among other data.
Regarding what is revealed to others after the testing results are available, even when privacy rules allow for sharing during a public health crisis, they do not normally allow for the sharing of more information than is needed to accomplish the purpose. If there is no reason to share your name, then it would be enough to tell someone that they were exposed to the virus by someone near them without revealing the name of the individual who tested positive.
4. Can I get a record of everything related to my COVID-19 treatment?
Yes, if you were treated by a HIPAA covered entity like a doctor or hospital. However, getting that information may take some time.
5. Can I get a copy of a deceased person’s health records?
Not usually. If the person was a close relative and you can stand in their shoes and exercise the rights they had under HIPAA, then maybe. Otherwise, HIPAA continues to protect health records until 50 years after death. Even then, disclosures are discretionary with HIPAA covered entities.
6. What are the rules about who gets my health record in a public health emergency?
HIPAA gives broad discretion to health care providers to disclose information to anyone who can prevent or lessen a serious and imminent threat to the health and safety of a person or the public. That discretion is not unlimited, so, for example, publishing names of those infected in the paper would likely go too far. But telling people who’ve been in contact with you is allowed. If there’s no need to give a name (the individual who sat next to you on the bus is infected), then disclosing the name is not permitted.
7. What about confidentiality of my records in a public health crisis?
Confidentiality rules still apply in a crisis, but the rules make reasonable accommodations for emergencies. Indiscriminate disclosures are not allowed. But disclosures that might prevent or lessen a serious and imminent threat to the health and safety of a person or the public are allowed. An indiscriminate disclosure would be one that included an individual’s name, address, age, and other information for publication.
8. My health condition and photograph were published on social media or in an online publication. Can I do anything about this? What happens to my privacy rights if this information is published by someone else?
Social media companies and newspapers are not subject to HIPAA. Doctors and hospitals, however, remain subject to HIPAA’s confidentiality restrictions even if information included in those records became public. But the information that has been released on social media or in other online sources is likely beyond practical control, and it may become fodder for anyone with a web connection to collect and re-use.
What can you do about it after the fact? It depends on the rules of the social media or web site where your information was published. You might have some way to object. You might ask for it to be taken down. Privacy laws may exist in your state that will be helpful, but this varies widely by state.
It is a good idea to proactively let your family and friends know that while you appreciate their support, you do not want your name, photo, and positive COVID-19 diagnosis published widely.
9. In the coronavirus pandemic, do I need to send my medical records to my regular doctor if I was seen by a doctor in another city, state, or country?
You would certainly want any doctor treating you to know if you tested positive for the virus. Your doctor may be able to obtain your records from anyone who treated you in another location. Records transfers can take time, though. In the U.S. and in most countries, you have the right to get a copy of your records. After you have your records, you can give them to your doctor. Do you need to? It sounds like a good idea to us.
10. What happens to my health records or my child’s health records held at a school?
The Family Educational Rights and Privacy Act (FERPA) is a U.S. student privacy law. It establishes rules controlling how student records can be disclosed, and this includes health information held by schools. FERPA allows a school to disclose information from a student’s record to any person whose knowledge of the information is necessary to protect the health or safety of the student or other individuals if there is an articulable and significant threat to the health or safety of a student or other individuals. This is similar to the disclosure authority in HIPAA. Positive COVID-19 test results may well be shared with public health authorities and others under this authority.
Not all schools are covered under FERPA. The rule of thumb is:
- Most public K-12 schools are covered under FERPA.
- Most private K-12 schools are not covered under FERPA.
- Because of how FERPA is applied, most private colleges and universities are covered under FERPA.
If you aren’t sure, ask your school if it is subject to FERPA.
If you would like more information about student health records, see our Student Privacy Series.
Have more questions?
- See our Patient’s Guide to HIPAA for answers to additional health privacy questions. The Patient’s Guide is up to date, and available online, as an eBook, and in PDF. https://www.worldprivacyforum.org/2019/03/hipaa/
- WPF published a statement about the changes made to HIPAA in response to the COVID-19 crisis. That is available here: https://www.worldprivacyforum.org/2020/03/wpf-statement-on-covid-19-and-changes-in-hipaa-practices/.