When Drug Testing Crosses Into FCRA Territory

There is a line in this industry that is easy to cross without realizing it. I know, because I have been close to it myself.

Twenty years ago, when I was building out the services at Unique Background Solutions, the regulatory landscape looked very different. The Fair Credit Reporting Act existed, but the enforcement environment, the state-level overlays, and the plaintiff's bar attention on background screening were nothing like they are today. We operated in gray areas that, frankly, would not be gray anymore. We course-corrected as the regulations tightened, but I learned something important through that process: the line between drug testing and FCRA-regulated consumer reporting is not always obvious, and crossing it without a compliance structure in place is a serious business risk.

That is exactly what I will be discussing at the NDASA Annual Conference later this month, alongside Gina Kesler — a TPA/CRA owner who has navigated the same territory from the drug testing side — and Melissa Foiles, one of the sharper FCRA compliance minds in the industry. Our panel is called Crossing the Line: When Drug Testing Expands into FCRA-Regulated Territory, and I want to give you a preview of what we will be unpacking.

The Bundled Services Trap

It usually starts with a client request. "Can you handle drug testing and background checks for us?" It sounds reasonable. Your client wants a single vendor, you want to grow your business, and adding a service feels like a natural extension of what you already do.

But here is where TPAs run into trouble: drug testing and background screening are governed by completely different regulatory frameworks. Drug testing, i.e., collection, MRO review, result reporting — operates under DOT guidelines and employer policy. Background screening, the moment it involves information used to make employment decisions, falls under the FCRA. And the FCRA does not care what you call the service. It cares what you are doing.

What Actually Triggers FCRA Coverage

This is where I see the most confusion even among experienced operators. There is a common misconception that FCRA coverage only applies to companies that are formally registered as Consumer Reporting Agencies. That is not how it works.

FCRA coverage is triggered by function, not by title. If you are collecting, compiling, or furnishing information about individuals that is used, or expected to be used, for employment purposes, you may already be acting as a CRA whether you have registered as one or not. Specifically, TPAs can inadvertently cross this line when they are:

•       Reporting criminal record information alongside drug test results

•       Verifying identity or employment history as part of a bundled service

•       Acting as the middleman between a data source and an employer who uses that data to make a hiring or termination decision

•       Packaging third-party data — even data you did not generate — into a report delivered to an employer

That last one surprises people. "We didn't generate the data — we just delivered it." That argument does not hold up under the FCRA. Aggregating, packaging, or interpreting consumer data can be enough to trigger CRA obligations, regardless of where the underlying data came from.

The Risks Are Not Theoretical

FCRA litigation has increased significantly over the past decade. Class action exposure around disclosure and authorization failures, adverse action missteps, and accuracy disputes is real and well-documented. For a TPA that has drifted into consumer reporting without the compliance infrastructure to support it, meaning, proper disclosure forms, written authorization, adverse action procedures, a dispute and accuracy process — the exposure can be significant.

This is not meant to scare anyone out of growing their business. It is meant to make sure growth is structured in a way that does not create liability that catches you off guard two years later.

The Smarter Path: Partnership Over DIY

One of the practical takeaways from our panel is that you do not have to become a CRA to meet client demand for bundled services. The smarter path for many TPAs is a structured partnership with an established CRA; one that already has the compliance infrastructure, the FCRA-required permissible purpose certifications, the adverse action process, and the dispute handling in place.

This model lets you serve the client's need without absorbing the full regulatory burden. Clear roles, documented separation of services, and a compliant referral structure can get you where you want to go without the risk of operating as an unregistered CRA.

Three Things to Walk Away With

Whether you attend our session or not, here is what I want you to thinking about:

•       Know where the line is. Understand the functional definition of a Consumer Reporting Agency and audit your current services against it honestly.

•       Compliance cannot be bolted on after the fact. Disclosure, authorization, adverse action, and accuracy procedures need to be in place before you deliver the first report, not after a complaint arrives.

•       Growth is safest when it is structured. The question is not whether to expand services — it is whether the structure you build around them protects you and your clients.

Let's Talk Before You Expand

If your organization is considering adding background screening to your drug testing program or if you are already offering services that might fall into FCRA territory, I would welcome a conversation. This is exactly the kind of compliance and partnership question I work through with clients every day.