On Sept. 19, 2013, the Department of Health and Human Services (HHS) announced its postponement of the Sept. 23, 2013, deadline under the Health Insurance Portability and Accountability Act (HIPAA) omnibus rule for most clinical laboratories to revise their notices of privacy practices (NPPs), resulting in a temporary reprieve from HHS enforcement for clinical laboratories that have not yet revised their NPPs. HHS’s enforcement delay extends to all CLIA and CLIA-exempt clinical laboratories (i.e., licensed in the states of New York or Washington), except clinical laboratories presently required by state law to provide individuals with access to their laboratory test reports, and clinical laboratories that operate as part of a larger legal entity, such as a hospital (and do not use laboratory-specific NPPs). HHS delayed enforcement to allow time for HHS to finalize its amendments (proposed Sept. 14, 2011) to the HIPAA privacy rule and CLIA regulations to permit individuals to receive their laboratory results directly from CLIA and CLIA-exempt laboratories (the “proposed rule”) and to allow affected laboratories to avoid the burden and expense of multiple revisions to their NPPs within a short period of time—once to meet the deadline and yet again to incorporate the changes of the impending CLIA/HIPAA amendment. Although HHS indicated in its Sept. 19 announcement that the rule would be finalized “within a short period of time,” sources from the Centers for Medicare and Medicaid Services (CMS) indicated as recently as Oct. 30, 2013:
[D]ue to the recent Federal Government shutdown, publication of the Patient’s Access to Test Reports rule has been delayed. At this time the expected publication date has not been determined.
As affected laboratories watch and wait for the final CLIA/HIPAA rule regarding access to laboratory results, and for HHS’s announcement that the enforcement delay will end, laboratories should continue to identify and make ready both the changes to their NPPs necessitated by the omnibus rule and their other protocols for responding to patient requests for laboratory results so that they can be prepared once the rule is finalized and issued by HHS. Laboratory professionals nevertheless continue to express apprehension about the changes proposed by HHS more than two years ago. This article will discuss two commonly expressed concerns, the first procedural—the challenge of patient authentication, and the second substantive—the potential for greater professional liability resulting from releasing directly to patients highly complex or highly sensitive test results (such as human immunodeficiency virus (HIV), abnormal pathology, and genetic testing) without the benefit of the treating provider’s interpretation and guidance. This article will suggest that one way to lessen these concerns is for laboratories to keep the ordering physician in the picture. Specifically, laboratories should note that the proposed rule does not require laboratories to provide a patient with immediate access to laboratory reports. Rather, once the proposed rule takes effect, the HIPAA rules give the laboratory 30 days to provide access in response to a patient request (with one additional 30-day extension available), leaving the laboratory time and opportunity to address either or both of these concerns with the patient’s physician.
Background
Patients’ direct access to laboratory test results is governed by two federal laws: (1) the Clinical Laboratory Improvement Amendments of 1988 (CLIA), which regulates all clinical laboratory testing performed on human specimens for diagnosis, prevention, or treatment of disease or impairment; and (2) the HIPAA privacy rule, which exempts CLIA laboratories from providing laboratory test results directly to patients unless states allow it. Under CLIA, a laboratory may disclose patient test results only to (1) a referring laboratory, (2) an individual responsible for using the test results in the treatment context, or (3) an “authorized person.” States may define an “authorized person” as either a health care provider or a patient, or both. According to HHS in its September 2011 comments to the proposed rule, 23 states have no laws addressing who may receive a laboratory test report directly from a laboratory (which means that laboratories may not directly release test results to patients), 13 states explicitly prohibit laboratories from releasing reports directly to patients, seven states and the District of Columbia allow direct reporting of test results by laboratories to patients, and seven other states allow the laboratory to provide test reports to the patient but only with the requesting provider’s prior approval.[1]
The Proposed Rule
In the proposed rule published Sept. 14, 2011, CMS, the Centers for Disease Control and Prevention, and the Office for Civil Rights jointly proposed a rule requiring clinical laboratories covered under CLIA and HIPAA to report test results directly to patients upon request (most laboratories must comply with both laws). The proposed rule was prompted by a concern that current CLIA and HIPAA regulations prevent patients from taking a more active role in their personal health care decisions. In essence, the proposed rule proposes to preempt states’ direct patient access laws as well as regulations that restrict patients’ direct access to laboratory results and to establish a national standard for such patient access. If finalized as proposed, it will preempt state laws and regulations to the extent that the state laws and regulations are in conflict with HIPAA because they prohibit clinical laboratories from directly providing test results to patients. Specifically, the proposed rule would directly affect clinical laboratories in the 36 states with laws that currently either prohibit or are silent regarding direct reporting of laboratory results to patients. Further, it also would preempt state laws that allow direct reporting only with provider approval. Once the proposed rule is finalized, laboratories would be required under the HIPAA privacy rule to provide these test results to patients in the form or format requested (i.e., paper or electronic) if they are readily producible in that manner. According to HHS, laboratories “that have electronic reporting capabilities are expected to provide the individual with a machine readable or other electronic copy of the individual’s protected health information. (The individual always retains the right to request and receive a paper copy, if desired.)”
The Challenge of Patient Authentication
However, before a laboratory may disclose test results in response to a request for direct access, the proposed rule requires that the laboratory must first verify that the person requesting access to test results is the same individual who provided the specimen for testing. A laboratory is permitted to provide an individual with access to only those completed test reports that, using the laboratory’s authentication processes, can be identified as belonging to that patient. HHS outlined its version of the process necessary for a laboratory to respond to a patient request for records, as follows:
Processing a request for a test report, either manually or electronically, would require completion of the following steps: (1) Receipt of the request from the patient; (2) authentication of the identification of the patient; (3) retrieval of test reports; (4) verification of how and where the patient wants the test report to be delivered and provision of the report by mail, fax, e-mail or other electronic means; and (5) documentation of test report issuance.
Although the HIPAA privacy rule likewise requires covered entities to “verify the identity and authority of a person requesting protected health information (PHI). . . if the identity or authority of the person is not already known to the provider,”[2] neither HIPAA regulations nor the applicable HHS guidance provide any implementation specifications for “authentication of the identification of the patient” other than that it must be done using the laboratory’s “authentication processes.” As a result, laboratories must review their protocols to ensure that they have in place reasonable and workable “authentication processes.” Although many laboratories presently are able to offer patients the option to obtain requested laboratory records through an electronic “portal” that can be programmed to limit access to a unique patient identifier, there are also many laboratories that have not yet adopted such technologies. Moreover, there are many patients who have yet to adapt to such systems. As a result, laboratories will need to have a “low-tech” protocol to authenticate patients who opt to make in-person requests. This protocol could be relatively straightforward—the laboratory can simply require that when an individual presents himself or herself at the laboratory, the person must present some type of picture identification, such as a driver’s license, whereupon the laboratory should also document its “authentication” of the patient. Likely more complicated are requests made by telephone or mail or fax. Absent HHS specifications or recommendations, it is uncertain whether for telephonic, faxed, or mailed patient requests, laboratories have any obligation to develop and adopt new systems requiring unique “passwords” or other identifiers or whether they are permitted to rely on less precise or secure identifiers, such as caller ID or handwriting comparisons. In some cases, such as where the majority of testing is performed for patients within a particular community or region, it may be reasonable for the laboratory’s authentication processes to require patients to come to the laboratory with appropriate photo identification. One option is to enlist the help of the patient’s referring physician (and staff). Because laboratories have 30 days to respond to the request for records, laboratories might offer patients the choice of picking up the records directly from the laboratory (which may require in-person authentication) or to obtain the records through the treating physician (who may be more convenient or have more efficient means of verifying the patient’s identity or authority to receive the results).
Professional Liability Concerns
Despite its laudable aim of enabling patients to take a more active role in their personal health care decisions, the proposed rule nevertheless causes concern for some laboratory professionals due to the increased risks of professional liability resulting from patients receiving directly, without the benefit of the treating provider’s concurrent interpretation and guidance, highly complicated or highly sensitive test results. Concerns with releasing laboratory test results directly to patients include worries about patients’ inability to understand complex laboratory testing results, which are often expressed in ranges; results that must be interpreted in the context of other medical conditions and treatments; test results that may indicate different issues for comorbid conditions; test results that have varying significance for different age groups; and added risks to patients (and potential liability to laboratories and doctors) from “unfiltered” test results in connection with difficult diagnoses or highly sensitive illnesses such as HIV, abnormal pathology, and genetic testing.[3]
However, it is important for laboratory professionals to keep in mind that even though the proposed rule removes CLIA as an obstacle to providing test results to patients immediately, the proposed rule nevertheless gives laboratories the discretion to delay providing more sensitive results for 30 days. Nor does the proposed rule limit a laboratory’s communicating with the treating or ordering provider about any of the patient’s test results prior to releasing the reports to the patient in order to alleviate any of the above concerns. Another safeguard that laboratories may choose to adopt is to develop and send a cover letter to patients to accompany some or all test results, especially results that involve highly sensitive or complicated information. Such a protocol could be adopted for certain categories of testing, including sexually transmitted diseases (STDs), drug and substance use, HIV, hepatitis, genetics, prenatal care, and cancer. The cover letter should make clear that the results are being provided at the patient’s express request, that they are copies of results that previously have been communicated directly to the patient’s physician, and that the patient should consult the physician about any questions about the results. By way of example only, the New York State Department of Health has recommended the following language be included in a prominent position on direct-to-consumer laboratory test reports:
[This] report should not be viewed as medical advice and is not meant to replace direct communication with a physician or other health care practitioner.
Of course, it is important for the laboratory director to be involved in establishing and approving any protocols of this nature, as well as in approving the patient cover letter.
What Should Laboratories Do to Prepare for the CLIA/HIPAA Final Rule?
Watch for Publication of Final Rule and HHS’s Announcement: Laboratories should watch for the publication of the final CLIA/HIPAA rule regarding access to laboratory results, as well as for HHS’s announcement of the end of the NPP enforcement delay for laboratories.
Compliance Timeline: Laboratories should be mindful of the timing requirements. Once finalized, HIPAA-covered laboratories would be required to comply with the final rule by no later than 180 days after the effective date (the effective date is 60 days after publication in the Federal Register). Thus, laboratories will have a total of 240 days (approximately eight months) to comply from the date the final rule is published.
Prepare Changes to Notice of Privacy Practices: Laboratories should identify and make ready the changes to the NPPs necessitated by the HIPAA omnibus rule in order to promptly update NPPs once HHS issues the final rule on access to laboratory results.
Authentication Process: As discussed above, each laboratory should review and update its authentication processes.
Professional Liability: Laboratories should consider preparing a “cover letter” to patients regarding sensitive information (e.g., HIV information, genetic testing, STDs, cancer screening), provide informational and general materials about the test or disease or condition being tested, and establish and implement a policy for handling “alert values.”
Training: Laboratories should start preparing and scheduling training sessions for staff members so they will be prepared to handle patient requests for test results.
If you have additional questions or would like assistance on any compliance issues stated above, please contact David Gee, Esq., at DavidGee@dwt.com, 206-757-8059; Adam Greene, Esq., at AdamGreene@dwt.com, 202-973-4213; or Kristen Blanchette, Esq., at KristenBlanchette@dwt.com, 213-633-6875.
1. For impact by state, see Proposed Rule, CLIA Program and HIPAA Privacy Program; Patients’ Access to Test Reports; 76 Fed. Reg. at 76717, Table 3, Impact of Proposed Rule Changes on Laboratories, at http://www.gpo.gov/fdsys/pkg/FR-2011-09-14/pdf/2011-23525.pdf.
2. See 45 C.F.R. 164.514(h)(1).
3. See Electronic Release of Clinical Laboratory Results: A Review of State and Federal Policy, the National Academy for State Health Policy (January 2010), page 10.