On Feb. 6, 2014, the Centers for Medicare and Medicaid Services, the Centers for Disease Control and Prevention, and the Office for Civil Rights finalized the Patients’ Access to Test Reports final rule (79 FR 7290).
The rule amends provisions of the Clinical Laboratory Improvement Amendments of 1988 (CLIA) to require clinical laboratories covered under CLIA to make available to patients, upon request, completed test reports. The rule also amends the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to grant individuals the right to access such reports directly from laboratories without the ordering provider’s approval. The rule became effective on April 7, 2014; however, HIPAA-covered entities have until Oct. 6, 2014, to comply. These changes to the CLIA regulations and the HIPAA Privacy Rule provide individuals with a greater ability to access their health information and empower them to take a more active role in managing their health and health care.
This article discusses key provisions of the rule and highlights 10 things a clinical laboratory should know.
Background
The objective of the rule, which became effective on April 7, 2014, is to formalize an additional mechanism through which individuals may obtain test reports in order to reduce the instances of patients not being informed of test results. Hopefully, greater access to test reports will reduce the number of patients who fail to seek appropriate care and will further reduce unnecessary duplicate testing. To this end, the rule applies “broadly and uniformly” to all HIPAA-covered laboratories, including primary laboratories, reference laboratories, and hospital laboratories.
Prior to the amendments, a CLIA laboratory could only disclose laboratory test results to three categories of individuals or entities: (1) an “authorized person,” (2) the person responsible for using the test results in the treatment context, and (3) the laboratory that initially requested the test. In states that did not allow individuals to access their own test results, patients were required to receive their test results through their health care providers. The rule amends the CLIA regulations and gives patients the right to access their test reports directly from laboratories.
HIPAA and its implementing regulations apply to “covered entities.” A laboratory, as a health care provider, is only a covered entity if it conducts one or more covered transactions electronically. The rule does not alter the requirements for what makes a laboratory a HIPAA-covered entity; therefore, if a laboratory does not conduct any HIPAA standard transactions electronically, then the laboratory is not subject to the HIPAA Privacy Rule. Under the rule, HIPAA-covered laboratories will be required to provide an individual (or the individual’s personal representative) with access, upon request, to the individual’s completed test reports in accordance with the Privacy Rule.
10 Things to Know
The rule amends the CLIA regulations and the Privacy Rule in various ways. Listed below are 10 things HIPAA-covered laboratories should fully understand prior to the rule’s compliance date.
1. The Rule Preempts State Laws Prohibiting Release of Test Reports
The rule, and the CLIA and HIPAA amendments it finalizes, preempt a number of state laws that prohibit laboratories from releasing test reports directly to individuals, or to individuals without their ordering provider’s approval. Now, under the HIPAA Privacy Rule, all HIPAA-covered laboratories are required to provide test results upon patient request and may provide the results directly to the requesting patients.
2. Who May Access Laboratory Results
The rule gives an individual, or the individual’s personal representative, the right to request access to their protected health information (PHI) directly from HIPAA-covered laboratories; these laboratories may not require these individuals to make such requests through their providers. Under the HIPAA Privacy Rule, an individual generally has a broad right of access to any or all of his or her health information maintained in a designated record set. The rule extends that broad right to the laboratory setting. However, patient access to laboratory results is not unqualified. For example, a patient’s direct access to “sensitive” test results, such as genetic, cancer, pregnancy, sexually transmitted disease, and mental health tests, may be limited if a licensed health professional determines, in the exercise of professional judgment, that the access is reasonably likely to endanger the “life or physical safety” of the individual or another person. Patients who are denied access to “sensitive” test results may challenge the denial by having the decision reviewed by an unaffiliated health care professional.
3. What Records May Be Requested
Pursuant to HIPAA, individuals have a right to access PHI about themselves in a designated record set. With respect to laboratory tests, results are not considered part of the designated record set until they are “complete.” To maintain consistency with CLIA, a test report under the rule is considered complete when all results associated with an ordered test are finalized and ready for release. Additionally, the rule requires the clinical laboratory to provide access to all maintained records in the designated record set for as long as the laboratory maintains the information (even in those cases where the information is maintained beyond CLIA’s applicable record-retention requirements). The requirement to provide access to all records in the designated record set applies to records that precede the effective date of the rule.
4. Patient Authentication Requirements
The identity of patients requesting information from laboratories and their authority to request such information must be verified by the laboratory prior to releasing any information. Depending on the circumstances, a HIPAA-covered laboratory could verify a person’s authority by asking for documentation of a health care power of attorney, general power of attorney, durable power of attorney that includes the power to make health care decisions, proof of legal guardianship, or, in the case of a parent, information that establishes the relationship of the person to the minor individual. Although the amendments do not specifically address the verification process, other than to point to the HIPAA Privacy Rule’s requirements for verification, laboratories may not attempt to avoid the reporting obligation by imposing unreasonable verification measures on an individual. Nevertheless, no reporting obligation exists when the laboratory receives insufficient information to permit verification of the requestor with the patient for whom the analysis is being undertaken.
5. Transmitting PHI to Another Entity
Under the rule, HIPAA-covered laboratories will be required to abide by an individual’s request to have the laboratory transmit the copy of the individual’s PHI to another person or entity designated by the individual. The Privacy Rule requires that such requests be made in writing, be signed by the individual, clearly identify the designated person or entity, and provide information regarding where to send the copy of the protected health information. In addition, HIPAA-covered laboratories may include digital signatures on electronic copies of test reports given to individuals, provided the electronic copy is still in a format that has either been requested by the individual or is an alternative that has been agreed to by the individual and the laboratory.
6. Deadline for Responding to Information Requests
Generally, laboratories will be required to provide individuals with access to their laboratory test reports within 30 days of the request. In instances when retrieving records may take longer than 30 days, laboratories may request one 30-day extension, as long as the laboratory provides the reason for the delay in writing to the requesting individual. Additionally, in instances when the report is unlikely to be “complete” within 30 days, laboratories may suggest an individual withdraw and resubmit a request at a time when the requested results will be “complete” within the 30-day response time frame.
7. Interpreting Lab Reports
The rule does not require laboratories to interpret test results for patients. Patients merely have the right to inspect and receive a copy of their completed test reports and other individually identifiable health information maintained in a designated record set by a HIPAA-covered laboratory. Laboratories may continue to refer patients with questions about the test results back to their ordering or treating providers. Therefore, the rule does not alter the role of the ordering or treating provider in reporting and explaining test results to patients. Patients should continue to obtain test results and advice about the meaning of the test results through their ordering or treating providers.
8. Employment-Related Testing
As for employment-related testing, the CLIA regulations do not apply to an employer or entity that performs substance abuse testing strictly for the purpose of employment screening where test results are merely used to determine compliance with conditions of employment, as opposed to counseling or some other form of treatment. However, substance abuse testing is covered by CLIA if it is part of a treatment program. Even if CLIA does not apply to the conduct of certain types of laboratory tests, HIPAA may still apply and require access to certain test reports to the extent the laboratory is a HIPAA-covered entity that has access to PHI. Individuals have a right to access test reports in designated record sets held by or for HIPAA-covered laboratories that constitute PHI under the Privacy Rule, including reports that relate to the past, present, or future physical or mental health or condition of an individual, or the provision of health care to an individual, and identify the individual even if the information includes testing for the presence of alcohol or drugs.
9. Charges for Producing PHI
A HIPAA-covered laboratory may charge an individual a reasonable, cost-based fee that includes only the cost of (1) labor for copying the requested PHI, (2) supplies for creating the paper copy or electronic media, (3) postage, when the individual has requested the copy be mailed, and (4) preparation of an explanation or summary of the PHI, if agreed to by the individual. HIPAA-covered laboratories may not charge fees to reflect the costs they incur in searching for and retrieving the information that is the subject of the individual’s request. Fees that are expressly permitted under state law for copying and postage are deemed reasonable as long as they do not include amounts associated with fees not provided for under the HIPAA Privacy Rule—such as the fees for the cost of search and retrieval or other costs.
10. Revising Notices of Privacy Practices
The rule provides individuals with a right to access their PHI directly from HIPAA-covered laboratories. A change in an individual’s access rights constitutes a material change to the privacy practices of HIPAA-covered laboratories. Whenever there is a material change to any of its privacy practices, including those pertaining to individuals’ rights to access their protected health information, a covered entity is required to promptly revise its HIPAA notices of privacy practices. Therefore, by the compliance date of the rule, Oct. 6, 2014, HIPAA-covered laboratories must revise their privacy practices to inform individuals of their right to access their own test results directly from the laboratory and must include a brief description of how the patient can exercise this right.
Conclusion
The newly enacted rule gives patients greater access to their laboratory records so that these patients may begin taking more active roles in managing their health care. Although the rule allows patients greater access to their PHI, it imposes additional regulatory obligations upon HIPAA-covered laboratories. These HIPAA-covered laboratories should begin taking affirmative steps to ensure that they are in compliance with the amended CLIA regulations and Privacy Rule before Oct. 6, 2014, the compliance date of the rule.
Mark Armstrong can be reached at 713-300-3210 or MArmstrong@ebglaw.
Ali Lakhani can be reached at 202-861-1826 or Alakhani@ebglaw.com.