HIPAA Compliance Reminder
Laboratories must now comply with changes to the HIPAA Privacy Rule that enhance patient rights and provide patients direct access to laboratory test results.
HHS had delayed its enforcement of the requirement that certain HIPAA covered laboratories revise their Notice of Privacy Practices (NPP), but as of October 6, 2014, all HIPAA covered laboratories are expected to have NPPs in place that meet all applicable legal requirements.
If your laboratory has not recently updated its NPP and HIPAA policies, now is the time to get back in compliance.
Final Rule Requirements
In February 2014, the Centers for Medicare and Medicaid Services (CMS) and Health and Human Services (HHS) published a final rule amending CLIA and HIPAA to grant patients access to the laboratory results.
Effective October 6, 2014, all Covered Entities must comply with the Federal Rules granting Patient Access to Laboratory Test Results.
CLIA § 493.1291 Standard: Test report.
Upon request by a patient (or the patient’s personal representative), the laboratory may provide patients, their personal representatives, and those persons specified under 45 CFR 164.524(c)(3)(ii), as applicable, with access to completed test reports that, using the laboratory’s authentication process, can be identified as belonging to that patient.
HIPAA § 164.524 Access of individuals to protected health information removed the HIPAA exemption for CLIA and state laws prohibiting the release of results to patients.
Patient Requests for Test Results
In addition to receiving laboratory results from their physician, CLIA now allows patients to request test reports directly from CLIA laboratories, and HIPAA requires laboratories to fulfill such requests within 30 days or once the results are available.
Laboratories are to use their standard verification processes to confirm the identity of the requesting patient, or their authorized representative, prior to release of results.
A limited denial exception exists if a licensed professional determines that release of results is reasonably likely to endanger the life or physical safety of the individual or another person. Under this limited exception, the requesting individual is provided a right to have the denial of access reviewed by a second health care professional.
The federal rules preempt all state laws that prohibit the release of patient results without the consent of the ordering provider except for those that grant greater access (such as release requirements less than 30 days).
Required Policy and Procedure Updates
CLIA laboratories need to review and update their internal policies and procedures relating to individuals’ right to access their PHI and 30 day fulfillment requirements. The laboratory “Designated Record Set” must now include include test results. Request denial and denial review procedures also need to reflect that requests for patient results. Training materials should also be updated.
Because this revision is a “material change” to privacy practices, laboratories need to also update their Notice of Privacy Practices (“NPP”) to reflect the change. The NPP should be updated to include individuals’ rights to access their PHI, and any statements or examples indicating that requests for laboratory results will be denied should be removed.
Remove of phrases such as:
“…where Federal and state laws regulating laboratories prohibit us from disclosing test results directly to a patient...”
“…some states require physician authorization to release laboratory test results to patients, and other states prohibit a laboratory from releasing test results directly to a patient.”
The NPP should include a brief description of how patients can access their test results, and may optionally require requests to be in writing. The laboratory can provide additional materials to help explain laboratory test reports but should direct patients to their ordering provider for clinical questions about the results.
Additional Guidance for NPP Updates
We recommend that laboratories to review and update other elements of their privacy practices to ensure compliance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule – the “Compliance Date” was September 23, 2013.
Health and Human Services has posted general model NPP’s online that are helpful templates, but are not perfectly specific for laboratories and do not appear to include clear provisions for access to laboratory results.
As of October 6, 2014 laboratory online NPPs must include all of latest provisions from the HIPAA Omnibus Rule including:
- Handling of requests for restriction of disclosures when tests are paid “out-of-pocket” and “in-full”
- Patient Requests for Access to Test Reports
- Patient Requests for electronic copies of health information
- Restrictions on sale of PHI without authorization
- Breach Risk Assessment and Notification Requirements
- Change the Effective Date
1) Information on the HIPAA Omnibus Final Rule:
2) See our previous blog post regarding policy and procedure updates.
3) American College of Physicians
If you have specific questions on updates to your policies, procedures, or NPP please contact us.