HIPAA Rule Changes for LaboratoriesLabs Must Give Patients Test Results Directly
The Department of Health and Human Services has issued a final rule that gives patients the right to obtain their medical test results directly from labs. The change means that laboratories will also need to update their notices of privacy practices under HIPAA.
The rule, which is slated for publication in the Federal Register on Feb. 6 but became available on the Federal Register's inspection desk on Feb. 3, amends the Clinical Laboratory Improvement Amendments of 1988 to allow laboratories to give a patient, or a person designated by the patient, access to test reports upon request. Previously, most labs were exempt from a HIPAA requirement to provide patients with a copy of their medical information. Under the new rule, HHS says patients have the new option to obtain their test reports directly from the laboratory, or they can continue to get access to their lab reports from their doctors.
The rule means that labs must also update their HIPAA notice of privacy practices to inform individuals of this new right and include a brief description of how to exercise the right.
"HIPAA requires covered entities to promptly revise NPPs whenever there is a material change to any of their privacy practices, including those pertaining to individuals' right to access their information," says Alice Leiter, policy counsel at the Center for Democracy & Technology, a consumer advocacy group.
"This constitutes a material change. As a result, by the compliance date of the new final rule - 240 days from publication in the Federal Register - HIPAA-covered labs must revise their notices to inform individuals of this right and provide a brief description of how to exercise it," she says.
In the rule, HHS says impeding an individual's access to their own records prevents patients from playing a more active role in their healthcare. And some consumer advocates, including Leiter, agree.
"This rule is significant because it increases patients' access to their health information, allowing them to be as involved as they choose in their health and care by increasing their ability to obtain and organize electronic copies of their own data," Leiter says.
"Direct access to lab results can cut down on duplicate tests, may reduce the burden on providers to promptly route data to patients themselves, and has the potential to decrease dangerous medical errors caused by lost test results," she tells Information Security Media Group.
HHS notes in a statement about the new rule that when obtaining test results directly from labs, "the patient or the personal representative may have to put their request in writing and pay for the cost of copying, mailing or electronic media on which the information is provided, such as a CD or flash drive."
In most cases, copies must be given to the patient within 30 days of his or her request, HHS notes.
No Changes in Workflow
"It's important to note that this rule does not alter any existing data flows between laboratories and providers," Leiter says. "It merely adds another available flow of information - one directly from the lab to the patient, upon patient request."
Also, the rule doesn't require labs to send results to doctors first. It notes, however, that during its proposed rule and public comment phase, "a number of providers and laboratories expressed concerns about giving individuals a way to receive laboratory test reports without the benefit of provider interpretation and without contextual knowledge that may be necessary to properly read and understand the reports."
Leiter points out that the rule provides opportunity for physicians to review a patient's lab results in case the individual has questions. "HIPAA provides a 30-day timeframe within which individuals must be granted access to test reports after a request is made, which, according to HHS's comments in the rule, likely will be sufficient time for a treating provider to receive a test report in advance of a patient's receipt of the report, and to communicate that result and counsel the patient as necessary," she says
In anticipation of issuing the HIPAA Privacy Rule and CLIA amendments, OCR in September issued a statement saying it was giving CLIA labs more time than other covered entities to update their privacy notices under the HIPAA Omnibus Rule, which OCR began enforcing on Sept. 23 (see: Regulators to Tackle Privacy Issues).
The final lab reporting rule was issued jointly by three agencies within HHS: the Centers for Medicare & Medicaid Services, which is generally responsible for laboratory regulation under CLIA; the Centers for Disease Control and Prevention, which provides scientific and technical advice to CMS related to CLIA, and OCR, which is responsible for enforcing the HIPAA Privacy Rule.