On September 14, 2011 the US Department of Health & Human Services’ (HHS) Centers for Medicare & Medicaid Services (CMS) proposed changes to the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations to specify that, upon a patient’s request, a laboratory may provide access to completed test reports. In addition, the HHS Office for Civil Rights (OCR) proposed a rule that would amend the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to provide individuals the right to receive their test reports directly from laboratories.
Currently, individuals may access laboratory reports from their health care provider. Because few jurisdictions currently permit access to these records directly from a laboratory, the proposed rule would affect more than 22,000 laboratories in 39 states and territories at an estimated cost of up to US$56 million in its initial year. Comments on the proposed rules are due by November 14, 2011.
The Health Information Technology (HIT) Policy Committee, a federal advisory committee established by the Health Information Technology for Economic and Clinical Health (HITECH) Act, has sought to identify barriers to the adoption and use of health information technology. The committee has broad representation from major health care constituencies and provides recommendations to the Office of the National Coordinator for Health Information Technology (ONC) on issues related to the implementation of an interoperable, nationwide health information infrastructure. According to the committee, CLIA regulations are perceived by some stakeholders as imposing barriers to the exchange of health information. These stakeholders include large and midsize laboratories, some public health laboratories, electronic health record (EHR) system vendors, health policy experts, health information exchange organizations (HIOs) and health care providers who believe that an individual’s access to his or her own records is impeded, preventing patients from taking a more active role in their personal health care decisions. Additionally, HHS believes health reform concepts (for example, individualized medicine and an individual’s active involvement in his or her own health care) would best be served by revisiting the CLIA limitations on the disclosure of laboratory test reports.
Under the current regulations, CLIA regulations limit a laboratory’s disclosure of test reports to three categories of individuals:
- the individual authorized under state law to order or receive test reports
- the person responsible for using the test reports in the treatment context
- in the case of reference laboratories, the referring lab
In states that do not provide individuals access to their test reports, they must receive their reports through the ordering provider. If adopted, the proposed changes to the Privacy Rule would preempt any contrary state laws that prohibit the HIPAA-covered laboratory from providing individuals direct access.
HHS estimates that the cost to laboratories to provide patients with a copy of their test reports upon request would fall between US$3 million and US$56 million in 2011. HHS projects that the costs would diminish in subsequent years. In addition, laboratory provision of test reports could benefit patients by reducing the chance of the individual not being informed of a laboratory test result. Direct patient access could benefit health care providers by reducing their workload and reducing the number of patients lost through failure to follow up on reports. However, many providers are concerned that the provision of lab reports without a physician’s explanation could result in patients misinterpreting their results.
Effective and Compliance Dates
If the changes are finalized, HIPAA-covered laboratories would be required to comply with the revised provision within 180 days of the effective date of the final rule. The effective date of the final rule would be 60 days after publication in the Federal Register, so laboratories would have a total of 240 days after publication of the final rule to come into compliance.
Squire Sanders lawyers have significant experience in HIPAA compliance efforts, including privacy and security assessments. We routinely advise clients on matters related to HIPAA policies and procedures and business associate agreements. We continue to monitor the proposed changes to CLIA and HIPAA and are available to assist clients in structuring their privacy and security practices to comply with these changes. For more information on how we can help you, please contact your principal Squire Sanders lawyer or one of the lawyers listed in this alert.