Labs Have Six Months to Comply With Patient Access Rule

Clinical laboratories will have six months to comply with a new rule from the Department of Health and Human Services (HHS) requiring them to provide patients or their representative copies of completed test reports within 30 days of a request being filed. The final rule, announced Feb. 3 and published in the Feb. 6, 2014, Federal Register, amends the Clinical Laboratory Improvement Amendments of 1988 (CLIA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to allow individuals to access test reports directly from laboratories. The rule finalizes a proposal issued Sept. 14, 2011. The rule becomes effective 60 days after publication, and labs must comply 180 days after that, so labs essentially have 240 days (eight months) from the publication date to come into compliance. Currently, nine states and territories already allow patients to access test results directly from labs: Delaware, the District of Columbia, Maryland, New Hampshire, New Jersey, Nevada, Oregon, Puerto Rico, and West Virginia. Other states either allow test reports only to providers, allow test results to patients with provider approval, or have no state law addressing access. The final rule pre-empts all state laws on this issue. The Centers for Medicare and Medicaid Services (CMS) estimates that almost 23,000 labs performing more than 7 billion tests will be affected by these new provisions. The final rule adopts many of the changes proposed in 2011 with some minor clarifications and conforming changes. According to CMS, these changes broaden individuals’ rights to access their protected health information directly from laboratories subject to HIPAA. In addition, the changes remove federal barriers to direct access for laboratories not subject to HIPAA. In releasing the rule, HHS Secretary Kathleen Sebelius says that it is part of ongoing efforts to empower patients to be informed partners with their health care providers. While individuals already have a right of access to their health information under the HIPAA privacy rule, there may be circumstances when an ordering or treating provider is not subject to the HIPAA privacy rule (i.e., because the provider does not bill health plans electronically) and thus is not required to provide an individual with access to his or her health information. According to CMS, some studies have found that physician practices failed to inform patients of abnormal test results about 7 percent of the time, resulting in a substantial number of patients not being informed by their providers of clinically significant test results. The rule does not alter the role of the ordering or treating provider in reporting and explaining test results to patients. CMS says it expects that patients will continue to obtain test results and advice about what those test results mean through their ordering or treating providers. In the final rule, CMS responds to comments raised in response to the proposed rule. Among some of the more significant:

• Reference Labs. Some commenters suggested that the rule apply only to the primary lab to which the specimen was submitted since reference laboratories have no relationship with the individual. CMS disagrees, saying that applying the access requirements as broadly and uniformly as possible best furthers the goal of increasing direct individual access rights to health information.

• Old Test Reports. Commenters expressed concern about labs having to retrieve copies of old test reports that have been archived and may exist offsite. CMS notes that the right to access health information extends to test reports created before the publication or effective date of the final rule. The rule does not impose any new record retention requirements for laboratory test reports.

• 30-Day Time Frame. CMS believes that 30 days should be sufficient for a lab to provide access to completed test reports. However, in those limited cases where 30 days may not be sufficient due to the nature of the test being performed, the lab should explain to the patient that the report will take longer than 30 days to obtain. The patient could then withdraw or hold the request until a later time. If an individual chooses not to withdraw the request, the individual will then only have a right to obtain the protected health information in the designated record set at the time the request is fulfilled, which may not include a particular test report because it is not yet complete. If a lab determines after it has accepted a request that the test will take more than 30 days to analyze and complete, it may notify the individual in writing within the initial 30-day period of the need and specific reason for the delay. The HIPAA privacy rule allows only one extension on an access request.

• Sensitive Tests. Some labs objected to individuals having direct access to lab test reports that that are “sensitive,” such as genetic, cancer, pregnancy, sexually transmitted diseases, and mental health test results. Under California law, for example, before the disclosure of HIV test results, the physician has a duty to discuss what the results may mean and offer the patient appropriate education and psychological counseling. CMS says that with a very limited exception, covered entities may not deny an individual access to health information based on the information’s sensitive nature or potential for causing distress. The limited exception is for cases where a licensed health care professional has determined that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person, and the individual is provided a right to have the denial of access reviewed by an unaffiliated health care professional.

• Food and Environmental Tests. The final rule applies to test reports maintained by labs subject to or exempt from CLIA. If the samples tested are not of the human body, the entity conducting the testing is not subject to CLIA for purposes of that testing or those test results. If the testing is not for the purpose of providing information for the diagnosis, prevention, or treatment of any disease or impairment of, or the assessment of the health of human beings, that testing and those test results are also not subject to CLIA.

• Substance-Abuse Testing. CLIA regulations are not applicable to an employer or entity that performs substance abuse testing strictly for the purpose of employment screening, as opposed to some form of treatment. Substance abuse testing as part of a treatment program is covered by CLIA.

• Access by Personal Representatives. The only persons who have a right to access an individual’s test reports directly from a HIPAA-covered entity are those who qualify as a personal representative of the individual. Before providing access to a person other than the patient, a HIPAA-covered laboratory is required to verify both the identity and authority of the person to have access. This means a lab may need to have the person present a written health care power of attorney, general power of attorney, or durable power of attorney.

• Fees. HIPAA-covered laboratories must comply with the same fee limitations specified in the privacy rule. This means a covered lab may charge an individual a reasonable, cost-based fee that includes only the cost of (1) labor for copying the protected health information requested, whether in paper or electronic form; (2) supplies for creating the paper copy or electronic media if the individual requests that the electronic copy be provided on portable media; (3) postage, when the individual has requested the copy be mailed; and (4) preparation of an explanation or summary of the protected health information.

• Cost. CMS estimates it will take labs two to nine hours to identify the applicable legal obligations and develop the process and procedures for handling patient requests, at a cost of about $100 to $450. It estimates a range of 10 to 30 minutes to handle a request from start to finish, at a cost of about $10 to $30 per request. Total cost on a national level across all labs is estimated at about $63 million.

Takeaway: Laboratories should begin now to establish policies and procedures for responding to patient requests for copies of test resports.