On Oct. 6, 2014, a final rule issued jointly by the Centers for Medicare & Medicaid Services (CMS), Centers for Disease Control and Prevention (CDC), and Office for Civil Rights (OCR) will require all HIPAA-covered labs (i.e., labs that conduct certain electronic transactions, such as electronic submission of claims) to provide individuals with direct access to completed test reports and other protected health information (PHI) maintained about the individual. Labs not covered by HIPAA will be permitted, but not required, to provide individuals with direct access to completed test reports. The U.S. Department of Health and Human Services (HHS) cited the lack of direct access to test reports as a barrier to the adoption and widespread use of health information technology.

Some HIPAA-covered labs operate in states where patients previously had the right to directly access their records. For labs that have not previously provided individuals with direct access to test results, however, this final rule will cause significant operational changes. As a result, labs should ensure that their policies, procedures, and notices of privacy practices have been revised by the Oct. 6, 2014 deadline.

Patient right to access: Before and after
The Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations, as recently amended by the final rule, will allow CLIA labs to provide a patient, the patient’s personal representative, or a person designated by the patient, with a copy of completed test reports that the lab can identify as belonging to the patient. Prior to the new rule, the CLIA regulations deferred to state law regarding whether labs could directly provide test reports to patients, and HIPAA excepted labs from a patient’s right of access where CLIA and state law prohibited such access.

HIPAA will now require labs that are also HIPAA covered entities to provide patients (as well as their personal representatives, with a few exceptions, and their designees) with access to complete test reports and other PHI in the form and format requested (e.g., paper or electronic) if they are readily producible in that manner.

As a result of the final rule, HIPAA will preempt state laws that prohibit patients’ direct access to test reports. This will establish a national standard for patient access to test results from labs.

30-day requirement (and exceptions)
For HIPAA-covered labs that receive access requests directly from individuals, the labs will generally have 30 days to provide access. These labs will be required to provide access to all applicable patient information, including information maintained offsite or archived. During this time period, the lab may still coordinate with the ordering physician to have the physician deliver test results to the patient.

Under HIPAA, covered entities must provide individuals, upon request, with access to the PHI about the individual maintained in a designated record set. HHS clarified in its commentary to the final rule that it expects HIPAA-covered labs to provide individuals with access to the entire designated record set maintained about the individual. In addition to the completed test report, this may include test orders, provider information, billing information and insurance information. The rule applies to all information held by the lab, even if created prior to the publication of this final new rule.

However, HIPAA-covered labs are not required to provide access to test reports prior to “completion.” HHS interprets a test report as part of the designated record set only after it is “complete.” According to HHS, a test report should be deemed complete “when all results associated with an ordered test are finalized and ready for release.” According to CLIA regulations, labs have an obligation to “ensure test results and other patient-specific data are accurately and reliably sent from the point of data entry... to final report destination....”¹ Given this regulation, the labs must determine when the test reports are considered finalized. Otherwise, the labs would not be fulfilling the requirement to send accurate and reliable data.

Where the test report will not be complete within the 30-day requirement, the HIPAA-covered lab has three choices: (1) explain the circumstances to the individual and ask that they withdraw their access request until a later time so that the HIPAA-covered lab will be able to comply with the HIPAA timeframe; (2) inform the individual in writing that there will be a delay, citing the specific reason for the delay and provide the individual with access within 60 days of the individual’s request, if the report will be final at that time; or (3) provide the individual with all PHI in the designated record set at that time (but not the incomplete test report). In the commentary to the final rule, HHS explains that it expects labs to explain the circumstances for the delay to individuals, prior to denying the access request or providing individuals with access to the PHI maintained in their designated record set (but not the incomplete test report).

Professional liability concerns
During the comment period for the new rule, some labs expressed concerns about possible increased risks of professional liability resulting from patients receiving directly, without the benefit of the treating provider’s concurrent interpretation and guidance, highly complicated or highly sensitive test results. Concerns with releasing test reports directly to patients include worries about: patients’ inability to understand complex lab testing results, which are often expressed in ranges; results that must be interpreted in the context of other medical conditions and treatments; test results that may indicate different issues for co-morbid conditions; test results that have varying significance for different age groups; and added risks to patients (and potential liability to laboratories and doctors) from “unfiltered” test results in connection with difficult diagnoses or highly sensitive illnesses such as human immunodeficiency virus, abnormal pathology, and genetic testing.

Despite these industry concerns, HHS makes clear that it believes the rule “provides laboratories with sufficient time to ensure treating or ordering physicians receive test reports before the patient’s receipt of the test report, which will allow them to counsel the patient with respect to the test result” (emphasis added). This may require additional coordination with other providers. In states that require providers to counsel patients before giving them test results related to sensitive conditions, this may require labs to use the additional 30-day extension, to provide access within 60 days, to allow providers sufficient time to counsel such patients.

Another safeguard that labs may choose to adopt is to develop and send a cover letter to patients to accompany some or all test results, especially test results that involve highly sensitive or complicated information. Such a protocol could be adopted for specific categories of testing, including sexually transmitted diseases, drug and substance use, HIV, Hepatitis, genetics, pre-natal care and/or cancer. The cover letter should make clear that the results are being provided at the patient’s express request, that they are copies of test results previously communicated directly to the patient’s physician, and that the patient should consult the physician about any questions about the results.

Of course, it is important for the lab director, compliance officer and/or legal counsel to be involved in establishing and approval of any protocols of this nature, as well as in approval of the patient cover letter.

The challenge of patient authentication
An additional hurdle for labs that have not previously provided individuals with direct access to test reports is authenticating and verifying the individual. Under CLIA, a lab is permitted to provide an individual with access to only those completed test reports that, using the lab’s authentication processes, can be identified as belonging to that patient. HHS outlined its version of the general process necessary for a lab to respond to a patient request for records, including verification of the individual, as follows:

“Processing a request for a test report, either manually or electronically, would require completion of the following steps: (1) Receipt of the request from the patient; (2) authentication of the identification of the patient; (3) retrieval of test reports; (4) verification of how and where the patient wants the test report to be delivered and provision of the report by mail, fax, e-mail or other electronic means; and (5) documentation of test report issuance.”

The HIPAA Privacy Rule likewise requires covered entities to “verify the identity of a person requesting protected health information and the authority of any such person... if the identity or such authority of such person is not known to the [provider].”² HIPAA does not prescribe technical requirements for individual verification and authentication, thus, allowing covered entities flexibility to adopt reasonable and appropriate procedures for their organization. HHS guidance further provides that HIPAA covered entities can accept oral or written verification, in most instances, as long as oral verification is documented. Labs should use their professional judgment and look to industry standards when adopting or updating verification and authentication procedures.

Although many labs presently are able to offer patients the option to obtain requested test reports through an electronic “portal” that is programmed to limit access to a unique patient identifier, there are also many labs that have not yet adopted such technologies. Moreover, there are likewise many patients who have not adapted to such systems. As a result, labs may also need to have a “low-tech” protocol to authenticate patients who opt to make in-person requests. This protocol could be relatively straightforward—the lab can simply require that when an individual presents him/herself at the lab, the person must present some type of government issued photo identification, such as a driver’s license, whereupon the lab should also document its “authentication” of the patient. Labs will need procedures in place for authenticating the authority of an individual, where the individual is requesting access to someone else’s test results or other PHI.

Labs also should consider procedures for responding to requests made by telephone, mail or fax. Since HHS has stated that oral verification is permissible, in certain circumstances, labs may be able to sufficiently verify an individual’s identity and authority to access the requested records over the phone. In such cases, the lab should clearly document the conversation. Alternatively, if reasonable and appropriate, labs may require that telephone requests be completed by mail or fax. For mail or fax requests, labs can require the same information that would otherwise be required for in-person verification (i.e., government issued photo identification and documentation of authority if requesting access to someone else’s records). HHS does not require covered entities, including labs, to develop or adopt new systems requiring unique passwords or other identifiers, providing labs the flexibility to adopt procedures that fit their organization. In some cases, such as where the majority of testing is performed for patients within a particular community or region, it may be reasonable for the lab’s authentication processes to request patients to come to the lab with appropriate photo identification. In other cases, where the testing is performed for patients across the country, in-person verification will not be practicable. Labs should ensure that policies and procedures are developed for these different scenarios.

To streamline the verification and authentication process, labs may want to coordinate with referring physicians to obtain the necessary information to verify or authenticate an individual with the test order. For example, a physician could include with the order a request from the individual to receive the test results directly from the lab, and note the physician’s verification and authentication of the individual.

Notice of privacy practices
Finally, by Oct. 6, 2014, HIPAA-covered labs are required to update their notices of privacy practices (NPPs), if the new rule creates material changes. In September 2013, OCR issued a statement of enforcement discretion, in which it delayed the requirement for some HIPAA-covered labs to revise their NPPs as a result of Omnibus Rule changes. For most covered entities, the revisions to HIPAA through the Omnibus Rule have required material changes to their NPPs. For some HIPAA-covered labs, this rule also created a material change requiring NPPs to be updated. To reduce burdens and expenses for these labs, OCR announced it would not seek enforcement action against labs that waited to update their NPPs. Hospital labs were excluded from this enforcement discretion. As a result, HIPAA-covered labs must now update their NPPs and hospital labs may need to update NPPs for the second time in just over a year.

Conclusion: What should labs do now?

• Update notice of privacy practices: Labs should update their NPPs regarding access to lab test reports and other Omnibus Rule changes, if applicable

• Update/draft new policies and procedures: Labs should update and/or implement new policies and procedures to address the provision of direct access to individuals. We recommend that a lab’s policies and procedures address the following:
  • No limitation of direct access: Eliminate any provision that prohibits the direct access of test results as required by state law.

• Communication with individuals and providers: Address coordination with the treating/ordering provider and explaining access denials or delays to individuals, as applicable. Labs should consider preparing a “cover letter” to patients regarding sensitive information (e.g., HIV information, genetic testing, STDs, cancer screening); provide informational and general materials about the test or disease or condition being tested; establish and implement a policy for handling “alert values.”

• Authentication process: Include mechanisms for verifying individuals and their authority to access the requested records. This includes creating or revising existing policies and training workforce.

• Electronic access: Provide electronic access to individuals, in accordance with HIPAA.

• Train staff members: Labs should train staff members on new policies and procedures, so they are prepared to handle patient requests for test reports. DWT offers in-person and/or online training for labs and its employees on this issue.

• Update/establish fee schedules: Labs should update or establish fee schedule for records, ensuring compliance with HIPAA and state law (note: HIPAA covered entities cannot deny individual access based on a failure to pay for provision of services).

• Ensure compliance with other laws: Labs should ensure compliance with other laws when communicating directly with individuals, including civil rights laws, which may require translation services.

FOOTNOTES
1 42 C.F.R. § 493.1291(a) (emphasis added).
2 See 45 C.F.R. 164.514(h)(1).