Executive Summary
On February 6, 2014, the Centers for Medicare & Medicaid Services (“CMS”) published a final rule amending the Clinical Laboratory Improvement Amendments of 1988 (“CLIA”) and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to provide patients with the right to access test reports directly from clinical laboratories subject to HIPAA. The final rule reflects an effort by CMS to empower patients to take a more active role in managing their health care and will result in the preemption of a number of state laws that currently prohibit laboratories from releasing test reports to non-providers. Covered laboratories will have until October 6, 2014 to comply with the final rule and update applicable policies.
Detailed Analysis
New Requirements. The final rule, effective April 7, 2014, removes the existing HIPAA exceptions for CLIA-certified laboratories and CLIA-exempt laboratories by requiring such laboratories to provide patients with the right to access completed test reports directly from the laboratory. Any laboratory that qualifies as a covered entity under HIPAA will now be required to provide a patient or a patient’s personal representative with access, upon request, to the patient’s completed test reports and other information maintained in a designated record set in accordance with the access provisions of the HIPAA Privacy Rule. Additionally, the final rule amends CLIA to specify that a laboratory subject to CLIA may provide a patient or a patient’s personal representative with copies of the patient’s completed test reports upon request.
Time Frame and Format for Providing Access. Under the Privacy Rule, a covered entity must act on an individual’s request for access to protected health information (“PHI”) about the individual in a designated record set within 30 days after receipt of the request. The final rule makes this provision applicable to clinical laboratories that are HIPAA covered entities with respect to laboratory test reports. For purposes of the final rule, CMS clarified that it does not consider laboratory test reports to be part of the designated record set until such reports are “complete.” A report is “complete” when all results associated with an ordered test are finalized and ready for release. Under the final rule, clinical laboratories that are HIPAA covered entities must provide patients with access to complete test reports within 30 days of a patient’s request. If a laboratory determines that it will take more than 30 days to analyze and complete a requested test report, the laboratory is permitted one 30-day extension, provided the laboratory notifies the patient in writing in accordance with the Privacy Rule. Given HIPAA’s tight timeframes for responding to patient requests, clinical laboratories should take steps to ensure that they can comply with these new requirements.
The Privacy Rule requires covered entities to provide individuals with a copy of the requested information in the form and format requested by the individual, if a copy in that form or format is readily producible. If a covered laboratory maintains PHI in electronic form, the Privacy Rule requires the laboratory to provide an individual with an electronic copy of the individual’s PHI upon request. The Privacy Rule permits laboratories to charge an individual a reasonable, cost-based fee for providing copies of requested laboratory test reports, provided that such fee is in accordance with the requirements of the Privacy Rule.
Impact on Providers. CMS clarified that the final rule will not require laboratories to interpret test results for patients, nor does CMS expect the final rule to alter the role of the ordering or treating provider in reporting and explaining test results to patients. In response to comments from providers and laboratories expressing concern about giving patients the ability to receive laboratory test reports without the benefit of provider interpretation, CMS noted that the 30-day timeframe (plus one 30-day extension) will give laboratories enough time to ensure that treating or ordering physicians receive sensitive test reports before patients and have time to counsel patients on test results. CMS stated that it expects the final rule to further encourage ordering and treating providers to be more proactive in discussing with patients the implications of possible test results before or at the time a test is ordered.
Under the final rule, laboratories that operate as part of a larger legal entity that is a hospital or that are part of an affiliated covered entity or organized health care arrangement with a hospital may continue to use the hospital’s already established mechanisms for providing access to patients requesting their test reports from hospital laboratories, provided that the established mechanisms are compliant with the access provisions of the Privacy Rule. To the extent that hospital reference laboratories are covered entities under HIPAA, they will also be required to provide patients with access to test reports upon request in compliance with the final rule. However, because many patients are often not aware of the identity of a reference laboratory to which a treating provider or referring laboratory sends test results, CMS does not expect reference laboratories to encounter many individual requests for access as a result of the final rule. CMS clarified that it does not believe that the final rule will present significant operational issues for hospital laboratories, as hospitals should already have policies and procedures in place to comply with the existing Privacy Rule access provisions and can refer to such policies and procedures for purposes of complying with the final rule.
CMS’s stated goal in enacting the final rule is to give patients a greater ability to access their health information and empower them to take a more active role in their health care decisions. To this end, CMS encourages (but does not require) treating health care providers to inform patients of their right to request test reports directly from HIPAA-covered laboratories. Additionally, CMS encourages providers to supply a patient with the name of the laboratory to which a patient’s specimen is sent.
State Law Preemption. Several states have laws that prohibit a laboratory from releasing test reports directly to a patient or that prohibit the release of test reports without the ordering provider’s consent. The Privacy Rule will preempt such laws upon the effective date of the final rule, and HIPAA-covered laboratories in all states will be required to provide test reports to patients directly upon request. As outlined in the final rule, laboratories in 39 states and territories where there is either no law regarding receipt of test reports or where reports can only go to the provider will be required to update their procedures for providing patients with access to their test results. Additionally, laboratories in most states will need to revise their Notices of Privacy Practices to inform individuals of their right to obtain reports directly from the laboratory, provide a brief description of how to exercise this right and remove any statements to the contrary. Because HIPAA preempts only state laws that are contrary to the Privacy Rule, state laws that provide patients with greater access rights to test reports will continue to apply.
Practical Takeaways
HIPAA-covered laboratories should take steps to ensure that they can comply with the new access requirements outlined in the final rule. To this end, laboratories must revise their HIPAA policies and procedures, including their Notices of Privacy Practices, to incorporate the new access requirements by October 6, 2014 (the compliance date of the final rule). Laboratories should be aware that revised Notices of Privacy Practices must also comply with the requirements of the previously issued HIPAA Omnibus Rule. Finally, health care providers that order laboratory tests for patients should also take note of the new access requirements, as these new requirements may influence the way health care providers choose to discuss laboratory tests with patients.
If you have any questions or would like additional information about this topic, please contact Julie K. Lappas at 317-977-1490 or jlappas@hallrender.com or your regular Hall Render attorney.
Please visit the Hall Render Blog at http://blogs.hallrender.com/ for more information on topics related to health care law.
