Official US Government Icon

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure Site Icon

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

The latest general information on the Coronavirus Disease 2019 (COVID-19) is available on For USDOT specific COVID-19 resources, please visit our page.

DOT Rule 49 CFR Part 40 Section 40.351

Subpart Q - Roles and Responsibilities of Service Agents

§ 40.351 What confidentiality requirements apply to service agents?
Except where otherwise specified in this part, as a service agent the following confidentiality requirements apply to you:
(a) When you receive or maintain confidential information about employees (e.g., individual test results), you must follow the same confidentiality regulations as the employer with respect to the use and release of this information.
(b) You must follow all confidentiality and records retention requirements applicable to employers.
(c) You may not provide individual test results or other confidential information to another employer without a specific, written consent from the employee. For example, suppose you are a C/TPA that has employers X and Y as clients. Employee Jones works for X, and you maintain Jones' drug and alcohol test for X. Jones wants to change jobs and work for Y. You may not inform Y of the result of a test conducted for X without having a specific, written consent from Jones. Likewise, you may not provide this information to employer Z, who is not a C/TPA member, without this consent.
(d) You must not use blanket consent forms authorizing the release of employee testing information.
(e) You must establish adequate confidentiality and security measures to ensure that confidential employee records are not available to unauthorized persons. This includes protecting the physical security of records, access controls, and computer security measures to safeguard confidential data in electronic data bases.
Last updated: Friday, April 8, 2016