49 CFR 40.351 - What confidentiality requirements apply to service agents?
Except where otherwise specified in this part, as a service agent the following confidentiality requirements apply to you:
(a) When you receive or maintain confidential information about employees (e.g., individual test results), you must follow the same confidentiality regulations as the employer with respect to the use and release of this information.
(b) You must follow all confidentiality and records retention requirements applicable to employers.
(c) You may not provide individual test results or other confidential information to another employer without a specific, written consent from the employee. For example, suppose you are a C/TPA that has employers X and Y as clients. Employee Jones works for X, and you maintain Jones' drug and alcohol test for X. Jones wants to change jobs and work for Y. You may not inform Y of the result of a test conducted for X without having a specific, written consent from Jones. Likewise, you may not provide this information to employer Z, who is not a C/TPA member, without this consent.
(d) You must not use blanket consent forms authorizing the release of employee testing information.
(e) You must establish adequate confidentiality and security measures to ensure that confidential employee records are not available to unauthorized persons. This includes protecting the physical security of records, access controls, and computer security measures to safeguard confidential data in electronic data bases.