Under the HIPAA Privacy Rule, a Covered Entity is required to revise its notice of privacy practices (“NPP”) where there is a material change to any of its privacy policies. The HIPAA/HITECH Omnibus Final Rule (the “Omnibus Rule”) issued earlier this year requires a number of changes to privacy policies that will need to be reflected in clinical laboratories’ NPPs. The compliance date for such changes was originally due to be on September 23, 2013, but as explained below, HHS has delayed the compliance mandate for certain laboratories that are regulated under the Clinical Laboratory Improvement Amendments (“CLIA”). This enforcement delay is due to the fact that HHS has indicated that it will soon be issuing a final rule for clinical laboratories regulated under CLIA that will also require these laboratories to amend their NPPs.
Under the current rules, a laboratory regulated under CLIA is only able to disclose a patient’s laboratory results to three specific categories of people: (1) “authorized person”; (2) persons responsible for using the laboratory test in the treatment context; and (3) the referring laboratory. Covered Entities regulated under CLIA are specifically exempted from the HIPAA rule requiring patients be able to access their PHI. As a result, many patients are unable to receive their laboratory results directly from the laboratory performing the test and must instead receive the results through the ordering medical or health care provider.
In order to provide patients with greater access to their protected health information, HHS issued a proposed rule in 2011 that would eliminate the CLIA-regulated laboratory exemption to the HIPAA rule requiring patients be able to access their PHI. Specifically, the proposed rule would allow patients to request their results from a laboratory directly, and would require laboratories to comply with these requests unless disclosure would otherwise be prohibited by law, or where the laboratory would be unable to authenticate an individual’s identity. While this rule has yet to be officially adopted, HHS has stated that it anticipates publishing a final rule in the very near future.
HHS has also stated that it will not immediately enforce the Privacy Rule requirement that clinical laboratories amend their NPP’s to comply with the Omnibus Rule due to the “burden and expense” of complying with two rules in such a short period of time. In other words, these clinical laboratories can wait until after the CLIA final rule is published to amend their NPP’s to reflect the changes required by both the Omnibus Rule and the CLIA final rule. It should be noted, however, that not all clinical laboratories will qualify for this enforcement delay. In order to qualify, a laboratory must be regulated under CLIA and be subject to the exemptions to the right of access listed at § 164.524(a)(1)(iii)(A) or (B), meaning the laboratory must be either “CLIA-certified” or “CLIA-exempt.” In addition, the laboratory must have its own, laboratory-specific NPP, meaning a laboratory that is part of a larger legal entity such as a hospital and operates under that entity’s NPP would not qualify for the enforcement delay.