CLIA Program and HIPAA Privacy Rule; Patients’ Access to Test Reports
Federal Information & News Dispatch, Inc.
Final rule.
CFR Part: "42 CFR Part 493"
RIN Number: "RIN 0938-AQ38"
Citation: "79 FR 7290"
Document Number: "CMS-2319-F"
"Rules and Regulations"
SUMMARY: This final rule amends the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations to specify that, upon the request of a patient (or the patient's personal representative), laboratories subject to
EFFECTIVE DATE: These regulations are effective on
HIPAA covered entities must comply with the applicable requirements of this final rule by
FOR FURTHER INFORMATION CONTACT:
For CLIA regulations:
For HIPAA Privacy Rule:
SUPPLEMENTARY INFORMATION:
I. Background
A. CLIA Statute and Regulations
The Clinical Laboratory Improvement Amendments of 1988 (CLIA) and the implementing regulations established nationwide quality standards to ensure the accuracy, reliability and timeliness of clinical laboratories' test results. The standards vary based on the complexity of the laboratory test method; that is, the more complicated the test method, the more stringent the requirements for the laboratory.
The CLIA regulations established three categories of testing based on complexity level. In increasing order of complexity, these categories are waived, moderate complexity (which includes the subcategory of provider-performed microscopy (PPM)), and high complexity. Laboratories must hold a
The CLIA regulations cover all phases of laboratory testing, including the reporting of test results. The
Under the current
Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (The Recovery Act), which was enacted on
We believe these concerns, as well as the advent of certain health reform concepts (for example, personalized medicine, an individual's active involvement in his or her own health care, and the Department's work toward the widespread adoption of EHRs), call for revisiting barriers or challenges to individuals' gaining access to their health information.
The
B. HIPAA Statute and Privacy Rule
The Health Insurance Portability and Accountability Act of 1996, Title II, subtitle F--Administrative Simplification, Public Law 104-191, 110
A laboratory, as a health care provider, is only a covered entity if it conducts one or more covered transactions electronically, such as transmitting health care claims or equivalent encounter information to a health plan, requesting prior authorization from a health plan for a health care item or service it wishes to provide to an individual with coverage under the plan, or sending an eligibility inquiry to a health plan to confirm an individual's coverage under that plan.
If a laboratory does not conduct any of these or the other HIPAA standard transactions electronically (either because it does not conduct the transactions at all or because it does so via paper), then the laboratory is not subject to the HIPAA Privacy Rule (45 CFR Part 160 and Part 164, subparts A and E). Any laboratory that conducts a single electronic transaction for which there is a HIPAA standard under the HIPAA Transactions and Code Sets Rule becomes a covered entity and is subject to the Privacy Rule with respect to all protected health information that it creates or maintains (that is, the application of the Privacy Rule is not limited to the individuals or records associated with an electronic transaction). This final rule does not alter the requirements for what makes a laboratory a HIPAA covered entity.
The Privacy Rule at
The term "record" means "any item, collection, or grouping of information that includes protected health information and is maintained, collected, used or disseminated by or for a covered entity." Laboratory test reports that are maintained by or for a laboratory that is a covered entity are part of a designated record set.
The HIPAA Privacy Rule requires a HIPAA covered entity to provide the individual with a copy of the information in his or her designated record set in the form and format requested by the individual, if a copy in that form and format is readily producible. Where the information in the designated record set is maintained electronically, and the individual requests an electronic copy of the information, the covered entity must provide the individual with access to the information in the requested electronic form and format, if it is readily producible in that form and format. When it is not readily producible in the electronic form and format requested, then the covered entity must provide the copy in an alternative readable electronic format as agreed to by the covered entity and the individual (see
The right of access under
However, while individuals (and personal representatives) generally have the right to inspect and obtain a copy of their protected health information in a designated record set, the current Privacy Rule includes a set of exceptions related to
These exceptions were included in the Privacy Rule because the Department wanted to avoid a conflict with the
II. Summary of the Proposed Changes to the CLIA Regulations (
On
III. Summary of the Proposed Changes to the HIPAA Privacy Rule (
The Department also proposed to amend the HIPAA Privacy Rule at 45 CFR 164.524(a)(1)(iii)(A) and (B) to remove the exceptions to an individual's right of access that relate to
Under the proposal, HIPAA covered entities that are laboratories subject to
Consistent with the proposed change to the
The proposed rule also explained that the changes to the HIPAA Privacy Rule would result in the preemption of a number of state laws that prohibit a laboratory from releasing a test report directly to the individual or that prohibit the release without the ordering provider's consent because the state laws now would be contrary to the access provision of the HIPAA Privacy Rule mandating direct access by the individual.
Finally, we explained that it was our intent that HIPAA-covered laboratories would be required to comply with the revised individual access requirements of the Privacy Rule by no later than 180 days after the effective date of any final rule. The effective date of the final rule would be 60 days after publication in the
IV. Provisions of the Final Regulations
This final rule adopts the proposed changes to both the
With respect to the Privacy Rule, the final rule removes the exceptions to an individual's right of access at
The Department's rationale for adopting the proposed provisions in this final rule, along with further clarifications and interpretations of the provisions, is explained below in the responses to the public comments.
V. Analysis of and Responses to Public Comments
In response to the
A. Right of Direct Access to Laboratory Test Reports
Comment: A number of providers and laboratories expressed concerns about giving individuals a way to receive laboratory test reports without the benefit of provider interpretation and without contextual knowledge that may be necessary to properly read and understand the reports. For example, commenters expressed concern that patients might receive and act upon results that appear to be abnormal (showing false positives or false negatives, or results that are out of the normal range for the general population) but may be normal for that particular patient due to his or her medical conditions. Commenters also requested that the Department clarify that the laboratories themselves would not be required to interpret test reports for individuals.
Other commenters stated that the proposed rule was redundant, and would add significant burden without a commensurate benefit to individuals, as existing HIPAA and HITECH Act (
FOOTNOTE 1 See https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/index.html. END FOOTNOTE
In contrast, other commenters, including certain laboratories, consumers, and consumer advocates, generally supported expanding an individual's right of access to include receiving test reports directly from laboratories. These commenters stated that providing individuals with the ability to access their laboratory test reports directly from laboratories would provide individuals with an increased ability to play a more active role in their health care and have more informed conversations with their health care providers, resulting in better health outcomes. Some commenters also thought that the proposals would remove barriers to the electronic exchange of individually identifiable health information.
Further, in response to concerns regarding instances in which patients might misunderstand or become distressed over the results of laboratory tests due to the lack of treating provider interpretation or counseling, some commenters stated that they would not anticipate that many patients will request direct access to any test reports that they do not feel prepared to review on their own. Rather, the commenters indicated that the proposals would encourage doctors to more proactively discuss the range of possible results and the consequences of each before tests are ordered. One laboratory noted that, in its experience, many patients do not request access to their test results until they have spoken to a physician about them. Some commenters challenged what they termed to be a "paternalistic" notion that patients are unable to understand their health data without physician explanation. These commenters stated that if patients want additional information from, or consultation with, their physicians, they will follow up with their physicians directly.
Response: We appreciate all of the comments that we received with regard to the right of individuals to access their laboratory test reports directly from laboratories. We agree with those commenters who stated that the rule is necessary to ensure patients have better and more complete access to their health information, which will enable patients to be more proactive and more informed with regard to their health care. However, we disagree with those commenters who argued that the rule would be redundant. While individuals do have a right of access to their health information under the HIPAA Privacy Rule, there may be circumstances when an ordering or treating provider is not subject to the HIPAA Privacy Rule (for example, because the provider does not bill health plans electronically) and, thus, is not required to provide an individual with access to his or her health information. Further, some studies have found that physician practices failed to inform patients of abnormal test results about seven percent of the time, resulting in a substantial number of patients not being informed by their providers of clinically significant test results.
Finally, comments regarding the provision of access through the mechanisms established by EHR Incentive Programs failed to recognize the voluntary nature of the programs or the fact that the programs' requirements do not pertain to laboratories.
Furthermore, the rule does not diminish the investment health care providers have made to provide individuals with access to their health information through patient portals, as those portals provide patients with access to a much broader range of health information than just test results. The rule provides an additional avenue for an individual to obtain test reports directly from laboratories, which we expect will reduce the chances of patients not being informed of laboratory test results and potentially reduce the numbers of patients who fail to seek appropriate care. We also agree with commenters that increased patient access to laboratory test reports, which can then be shared with the patient's other providers, will help reduce unnecessary and duplicative testing.
With respect to those comments concerned about patients receiving test reports without the benefit of provider interpretation, we emphasize that this rule does not alter the role of the ordering or treating provider in reporting and explaining test results to patients. We expect that patients will continue to obtain test results and advice about what those test results mean, through their ordering or treating providers. Further, as noted above, for those individuals who do or will request access to test reports from a laboratory, it was the experience of one large laboratory that many patients do not request access to their test reports from a laboratory until they have spoken with their physicians. We expect this trend to continue to generally be the case. We also agree with commenters that the rule will further encourage ordering and treating providers to more proactively discuss with patients the range of possible test results and what the results may mean for the particular patient before or at the time the test is ordered.
Further, under the HIPAA Privacy Rule, in most cases, laboratories will be required to provide individuals with access to their laboratory test reports within 30 days of the request (see
Finally, we clarify that this final rule does not require that laboratories interpret test results for patients. Patients merely have the right to inspect and receive a copy of their completed test reports and other individually identifiable health information maintained in a designated record set by a HIPAA-covered laboratory. Laboratories may continue to refer patients with questions about the test results back to their ordering or treating providers.
Comment: Some commenters indicated they would support changes to the regulations, which would permit, but not require, laboratories to provide individuals with access to their completed test reports. One commenter stated that the proposed rule was unclear as to whether laboratories will have the discretion to provide access, or whether they will be required to provide access, to individuals who request their test reports. Other commenters were concerned about the differential application of the rule to HIPAA-covered versus non-HIPAA-covered laboratories, stating that this construct will create confusion and frustration among patients who may expect to be able to access their test reports from any laboratory and who may not understand the distinction among laboratories based on HIPAA covered entity status.
Response: Laboratories that are HIPAA covered entities are required by this final rule to provide, upon request by an individual or the individual's personal representative, access to the protected health information about the individual maintained in a designated record set in accordance with the HIPAA Privacy Rule at
We do not believe it is appropriate to only permit rather than require HIPAA-covered laboratories to provide individuals with access to their test reports. This may not significantly expand individuals' ability to access their health information, as some laboratories not currently providing individuals with direct access to their test reports might choose not to begin providing direct access. Further, in a number of states, state law prohibits laboratories from providing individuals with direct access to their test reports. If the HIPAA Privacy Rule merely permitted access, it would not preempt those state laws that prohibit direct access, because a permissive federal requirement is not contrary to a prohibitive state law (see
Comment: A few commenters stated that the rule should only apply to the primary laboratory to which the specimen was submitted, as opposed to reference laboratories that may perform some or all of the testing. These commenters stated that reference laboratories have no relationship with the individual and have either limited or inadequate information about the individual to enable the laboratory to provide individuals with access. A few commenters indicated that, while applying the rule to hospital laboratories with respect to the test reports of the hospital's own patients may not be a significant challenge, applying the rule to hospital laboratories in their role as reference laboratories for other providers, such as community physicians and other laboratories, would raise significant operational challenges.
In contrast, one laboratory commenter recommended that no laboratories be exempt from the individual access requirements, stressing the importance of uniform application of the rule and a patient's ability to access his or her test report from whatever laboratory performed the test.
Response: We appreciate the commenters' concerns regarding laboratory contact with individuals; however, we do not agree that limited information about the individual who is the subject of a test report is a sufficient reason to exempt reference laboratories from the access requirements of the HIPAA Privacy Rule. We believe applying the access requirements as broadly and uniformly as possible best furthers the Department's goal of increasing direct individual access rights to health information. To the extent that reference laboratories are covered entities under HIPAA, they will be required, upon the compliance date of this rule, to provide individuals with access to test reports in compliance with
B. Scope of Information to Which an Individual Has Access
Comment: A number of commenters indicated that the rule should apply only to tests administered after the final rule is published or becomes effective. These commenters expressed concern with laboratories having to retrieve copies of old test reports that have been archived and may exist offsite. For example, commenters stated that many laboratories have archived test reports that exist on paper or on backup tapes, and that it would be costly and burdensome to retrieve and transfer the archived test reports to other suitable media to transmit to an individual.
A few commenters asked that the rule not require laboratories to provide test reports that have been kept beyond the retention date(s) required in the
Response: While we appreciate the commenters' concerns, as with any other HIPAA covered entity, under this final rule, an individual has a right to access information about the individual in one or more designated record sets maintained by a HIPAA-covered laboratory, for as long as the information is maintained by the laboratory (see
We also clarify that this final rule does not impose any new record retention requirements for laboratory test reports. These obligations are established under
Comment: Some commenters supported the language in the proposed rule at
Response: Under the HIPAA Privacy Rule at
While an individual may have a right to all of this information, we do not expect that many individuals will request access to all of the protected health information about the individual that the laboratory may hold in a designated record set. Rather, we expect that most individuals will request access to test reports of discrete laboratory tests that they know were ordered by their providers. In these cases, the Privacy Rule requires a HIPAA-covered laboratory to provide the individual with a copy of or access to only the specific information requested by the individual.
Further, a HIPAA-covered laboratory is required to provide an individual with access only to that information that it actually maintains about the individual in a designated record set at the time the request for access is fulfilled. For purposes of this final rule, we clarify that we do not consider test reports to be part of the designated record set until they are "complete." To maintain consistency with
If an individual requests access to a particular test report, we expect that the HIPAA Privacy Rule's time allowance of 30 days from the request to provide access will be sufficient in most cases to provide the individual with access to the completed test report as we expect many requests for access will be made days after the order has been placed by the physician or even after the patient has discussed a particular result with his or her physician. In those limited cases where 30 days may not be sufficient to complete the test report, due to the nature of the tests to be performed, and the laboratory knows this at the time the individual requests access, we expect a covered entity laboratory to explain this circumstance to the individual. Upon informing individuals when they request access that the test report they are seeking will take longer than 30 days to complete, the individuals are likely to be willing to withdraw or hold their request until a later time to ensure that they get access to what they want or need. If an individual chooses not to withdraw his or her request for access, the individual will then have a right only to obtain the protected health information in the designated record set at the time the request is fulfilled, which may not include a particular test report because it is not yet complete. If a laboratory determines, after it has accepted a request, that the requested test will take more than 30 days to analyze and complete, it may notify the individual in writing within the initial 30-day period of the need and specific reason for the delay in providing access to the completed test result and the date by which the laboratory will complete its action on the request, in accordance with
In general, we expect the initial 30-day period allowed by the Privacy Rule to provide sufficient time to provide individuals with access to completed test reports. However, we acknowledge there may be rare circumstances when it would not be, and we expect covered laboratories to communicate and work with individuals concerning these limitations.
Comment: Some providers and laboratories objected to individuals having direct access to laboratory test reports they characterize as "sensitive," including genetic, cancer, pregnancy, sexually-transmitted disease, and mental health test results. Commenters stated there are tests for which it is acceptable to release results to the patient without physician involvement (for example, cholesterol test results) and there are tests for which it is not (for example, cancer or HIV test results). One commenter stated, for example, that under
In contrast, some commenters stated that all test reports should be treated equally, providing several reasons, including: Patients today are much better informed and have access to interpretative information on laboratory results from many sources, including the internet; given the timeframes allowed for providing access under the HIPAA Privacy Rule, it is likely that the ordering or treating provider will receive results well before the patient and will have adequate time to discuss the result and what it means in terms of the patient's health care with the patient; and trying to identify which tests are sensitive is subjective and not necessarily in the best interest of the patient.
Response: Under the HIPAA Privacy Rule, an individual generally has a broad right of access to any or all of his or her health information maintained in a designated record set. In this final rule, we extend that broad right to the laboratory setting. With a very limited exception, covered entities may not deny an individual access to his or her health information based on the information's sensitive nature or potential for causing distress to the individual. The limited exception is for cases where a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person, and the individual is provided a right to have the denial of access reviewed by an unaffiliated health care professional (see
As we discuss elsewhere in this final rule, we do not believe that this rule will eliminate or interfere with the role or obligation of the treating or ordering provider to report and counsel patients on laboratory test results. The rule provides ample time to ensure providers receive sensitive test reports before the patient and to allow providers to counsel individuals on the test reports. In addition, as indicated above, we believe the rule will further encourage providers, at the time the test is ordered, to counsel patients on the potential outcomes of a test and what they may mean for the patient, given his or her medical history.
Finally, we agree with commenters who stated that categorizing laboratory testing into "sensitive" and "non-sensitive" categories would be a subjective endeavor that would not necessarily result in policies that are in the patient's best interest. This endeavor also would result in a lack of uniformity across states and laboratories with respect to the types of information to which an individual has access under the rule. This outcome would be too complex and burdensome for laboratories to administer and confusing for individuals attempting to exercise their rights.
Comment: A few commenters, while in general support of the proposed rule, raised specific concerns about providing laboratory test reports directly to certain mental health patients (for example, those who may be suffering from medical conditions such as paranoia). These commenters were concerned that direct access to laboratory test reports without any involvement of the treatment team could have a very negative impact on the mental health of these patients. Some commenters asked that the current provision in the HIPAA Privacy Rule allowing the denial of access to protected health information when the access is reasonably likely to endanger the life or physical safety of the individual or another person also apply to access made available under this final rule. They suggested that this would allow providers to determine when prior provider review and approval would be required before the release of given laboratory test reports to mentally ill patients.
Response: We believe the existing exceptions to access in the Privacy Rule appropriately balance an individual's right to access his or her health information with other considerations, such as the potential for harm. Therefore, we decline to provide a specific exception to the right of access for mental health patients. A laboratory is subject to the same requirements under the HIPAA Privacy Rule as other covered entities to generally provide all individuals with access to their health information. As previously discussed, we believe the 30-day timeframe (plus one 30-day extension) provides laboratories with sufficient time to ensure treating or ordering physicians receive test reports before the patient's receipt of the test report, which will allow them to counsel the patient with respect to the test result.
As noted above, the HIPAA Privacy Rule at
Comment: Two commenters requested clarification on whether the expanded right of individual access would apply to food or environmental test reports maintained by a laboratory, that are the result, for example, of testing done after an outbreak of disease, and that may be linked to particular patients. A public health laboratory requested clarification on how this rule applies to public health surveillance or outbreak test reports. One commenter requested clarification as to whether individuals would have a right to employment-related test results, such as testing for drug and alcohol use. Finally, another commenter asked that patient access to laboratory results be expanded to include the results of radiologic assessments.
Response: This final rule is intended to remove barriers in the HIPAA Privacy and
As for employment-related testing, the
Even if
Although the
C. Access by Personal Representatives and Designated Third Parties
Comment: Several commenters raised concerns regarding access to an individual's sensitive laboratory test reports, such as those concerning reproductive health, by the individual's parents, spouse, partner, or other persons, when the individual may not want these persons to see the test report.
Response: We understand commenters' concerns and provide the following guidance to HIPAA-covered laboratories regarding how the Privacy Rule ensures that only persons with appropriate authority are provided access. With respect to adult individuals, the only persons that have a right to access an individual's test reports directly from a HIPAA covered entity are those persons who qualify as a personal representative of the individual. A personal representative for purposes of the Privacy Rule generally is a person who has authority under applicable law to make health care decisions for the individual (see
With respect to an unemancipated minor, in most cases, a parent is the personal representative of the minor, because the parent usually has the authority under state law to make health care decisions about his or her minor child. However, there are limited exceptions in the HIPAA Privacy Rule to the parent being a personal representative of his or her minor child, which generally apply in circumstances where minors are able to obtain specified health care services without parental consent under state or other laws, or standards of professional practice. Additional information on these circumstances is available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/personalreps.html.
Regardless, however, of whether a parent is the personal representative of a minor child, the Privacy Rule defers to state or other applicable laws that expressly address the ability of the parent to obtain health information about the minor child. In doing so, the Privacy Rule permits a covered entity to provide the parent with access to a minor child's protected health information when and to the extent it is permitted or required by state or other laws (including relevant case law). Likewise, the Privacy Rule prohibits a covered entity from providing a parent with access to a minor child's protected health information, when and to the extent it is prohibited under state or other laws (including relevant case law). If state or other applicable law is silent concerning parental access to the minor's protected health information, and a parent is not the personal representative of a minor child based on one of the exceptional circumstances described above, a covered entity has discretion to provide or deny the parent access to the minor's health information, if doing so is consistent with state or other applicable law, and provided the decision is made by a licensed health care professional in the exercise of professional judgment. For example, where a minor is able under state law to consent and obtain treatment for a reproductive health care service that involves laboratory testing, and the state law is otherwise silent on parental access to a minor's protected health information, a testing laboratory that has received a parent's request for access to this test report of the minor child may wish to take into account any instructions of the treating medical professional in determining whether to grant or deny access to the parent of the minor.
In general, we expect personal representatives will continue to obtain access to individuals' health information through the individual's treating providers, with whom many personal representatives will already have established a relationship and be known to the provider. Therefore, we do not expect HIPAA-covered laboratories will receive many requests from persons requesting access as a personal representative of the individual.
With respect to laboratories that are not HIPAA covered entities, the changes to the
Comment: A few commenters asked how a laboratory should determine whether a person requesting access to another individual's completed test reports has the appropriate legal authority to act on behalf of the individual, and, by virtue of that authority, is a personal representative for the individual. Commenters indicated that the laboratory test order from the ordering provider does not include this information. These commenters also expressed concern about the costs to determine whether a particular person had authority to access an individual's laboratory test reports.
Response: As indicated above, a HIPAA-covered laboratory is required to verify the identity and authority of any person requesting access to laboratory test reports as a personal representative of an individual. Depending on the circumstances, a HIPAA-covered laboratory could verify a person's authority by asking for documentation of a health care power of attorney, or general power or durable power of attorney that includes the power to make health care decisions, proof of legal guardianship, or, in the case of a parent, information that establishes the relationship of the person to the minor individual. A HIPAA-covered laboratory may also contact the treating provider to inquire whether the treating provider can provide documentation of the person's status as a personal representative of the individual.
We address the costs that a HIPAA-covered laboratory may incur in the verification process, in section VII below. We note here as we did above, however, that we do not anticipate HIPAA-covered laboratories will receive many requests from persons requesting access as a personal representative of the individual. Thus, we do not expect HIPAA-covered laboratories will incur significant costs for verification of such persons. Several clinical laboratory commenters indicated that most patients or personal representatives do not know what laboratory conducted the laboratory tests. Based on these comments, we expect personal representatives, like individuals themselves, generally will continue to obtain access to the individuals' health information through the individuals' treating providers, with whom many personal representatives will already have established a relationship for the purposes of obtaining access.
Comment: One commenter requested that the same requirements for denying access to protected health information by a personal representative in cases where access may cause substantial harm to the individual (for example, in cases of spousal abuse) should also be available when personal representatives request direct access to an individual's test reports from laboratories.
Response: As described above, the Privacy Rule's access and personal representative provisions apply in the same manner to HIPAA-covered laboratories as to other types of covered entities. Section 164.524(a)(3)(iii) of the Privacy Rule permits a covered entity to deny a personal representative access to an individual's protected health information when a licensed health care professional has determined, in the exercise of professional judgment, that providing access to the personal representative is reasonably likely to cause substantial harm to the individual or another person. Thus, a HIPAA-covered laboratory may deny a personal representative access to an individual's protected health information under this provision when the laboratory has received and documented the requisite determination from a licensed health care professional that granting access to the personal representative is reasonably likely to cause substantial harm to the individual or another person. As was described above with respect to individuals denied access to their own records because of concerns of endangerment, the personal representative retains the right to have the denial reviewed by another licensed health care professional who is designated by the HIPAA-covered laboratory to act as a reviewing official and who did not participate in the original decision to deny. A laboratory denying access must inform the personal representative of this right and have the ability to have the denial reviewed in accordance with these requirements.
We also note that
Comment: One commenter stated that it was unclear from the proposed rule whether a patient's access right would include the right to have the test reports shared with others who do not have independent access rights. This commenter urged the Department to amend the
Response: We clarify that, in certain circumstances, an individual's access right includes the right to have test reports shared with others who do not have independent access rights. In addition to access by personal representatives, the HITECH Act strengthened an individual's right of electronic access, which included giving individuals the right to direct that a covered entity transmit an electronic copy of the individual's protected health information directly to another person or entity designated by the individual (see section 13405(e) of the HITECH Act). The regulations that implemented these statutory provisions were published as part of the HIPAA Privacy Rule on
With respect to the changes to the
Comment: One commenter requested that organ procurement organization laboratories that perform tests on decedent tissue and blood be exempted from the rule altogether, since the outcome of these tests would not be of meaningful value to the personal representatives of decedents, and in the case of blood tests, could cause undue concern given the frequency of false positive results.
Response: We appreciate that
D. Requests for and Provision of Access
1. HIPAA Access Processes
Comment: Several commenters supported allowing flexibility in how requests for access may be submitted, processed, and responded to by laboratories. Commenters indicated a flexible approach was important since laboratories vary greatly in terms of how they interact with patients, if at all, and flexibility would allow laboratories to implement processes that would not disrupt operations. One commenter stated that some state laws may affect the processes that laboratories may put in place and urged that the Department clarify that the authority for specifying the processes for handling requests for access lies with the laboratories rather than the states. Another commenter expressed concern with the rule not spelling out the mechanisms by which patient requests for access would be submitted, processed, or responded to by laboratories. The commenter suggested that the final rule should require some type of written record, such as a signature on an office form, and verification of the identity of the person requesting the records.
Response: We agree with the commenters that flexibility in how laboratories receive and respond to access requests is important given the varied circumstances of each laboratory. This final rule provides laboratories with flexibility as to how to set up systems to receive, process, and respond to requests for access by individuals, so long as these processes comply with the timing and other requirements for access in
With regard to state laws, it is unclear from the comments how exactly these laws impact laboratory processes. The HIPAA Privacy Rule only preempts contrary provisions of state law. Thus, where a HIPAA-covered laboratory can continue to comply with both the HIPAA Privacy Rule and state law, it must frame its policies and procedures in a way that complies with both laws. Further, the HIPAA Privacy Rule does not preempt more stringent state laws, even if contrary to the Privacy Rule. In the context of individuals' rights to access their health information, "more stringent" means that the state law provides greater rights of access. Therefore, a HIPAA-covered laboratory must continue to abide by state laws that provide the individual with a greater right of access. For example, if a state law requires individual access to test reports within a shorter timeframe than the Privacy Rule requires, access must be provided within that shorter timeframe. Finally, as noted above and discussed more fully below, while the HIPAA Privacy Rule provides some flexibility to HIPAA-covered laboratories in how their access processes are developed, it does have specific requirements for verification of identity and authority of the individual requesting access, as well as timeliness and the form of access provided, among other requirements, that must be followed in providing access to individuals. With respect to the form of the individual's request, the Privacy Rule does permit covered entities to require that individuals make requests for access in writing (see
Comment: Some commenters asked for clarification as to whether hospital laboratories may continue to rely on existing hospital HIPAA access processes, which may have been implemented through their health information management departments, to provide individuals with access to their test reports, rather than having to create an additional process outside the normal customary practices followed by hospitals to comply with the access requirements of the HIPAA Privacy Rule. A few commenters specifically noted that some hospitals have patient portals in place to provide individuals with access to their protected health information, including laboratory results.
Response: Laboratories that operate as part of a larger legal entity that is a hospital or that are part of an affiliated covered entity or organized health care arrangement with a hospital (see the definition of "organized health care arrangement" in the HIPAA Rules at
Comment: One commenter asked whether a patient will be expected to make a request for access from the laboratory to test reports at the time the patient is in the treating provider's office, or whether patients have a right to contact the laboratory directly for access. Another commenter asked whether, with regard to the referral of specimens from one laboratory to another, a patient will need to request access to the test reports of both laboratories or just request access from one of the laboratories to obtain all of the test results.
Response: Under this final rule, individuals have a right to make requests for access to their protected health information directly to HIPAA-covered laboratories. Laboratories may not require individuals to make requests through their providers. While laboratories cannot require individuals to submit requests for access to protected health information maintained by the laboratories through their treating providers, individuals may do so if that is one avenue the laboratory uses to receive requests for access from individuals. Laboratories, however, may require that individuals make access requests directly to the laboratory.
With respect to laboratories that refer specimens to another laboratory, an individual has a right to access his or her protected health information maintained in a designated record set at either laboratory. However, where one laboratory refers only one part of a test to another laboratory, the individual may need to request access from the referring laboratory to obtain access to a complete set of test results. As explained above, a HIPAA-covered laboratory is required to provide an individual with access only to that protected health information maintained by the laboratory in its designated record sets.
2. Time Frame for Providing Access
Comment: Some commenters were concerned that the required 30-day timeframe in the HIPAA Privacy Rule for providing an individual with access to laboratory test reports may not be sufficient to ensure that a provider receives the report before the patient. The commenters believe this is particularly problematic in the case of "sensitive" test results. One commenter suggested that laboratories should have the option of using up to two 30-day extensions when a licensed health care professional has determined, in the exercise of professional judgment, that the ordering provider should have additional time to receive and review the test report before the patient is provided access. Another commenter stated that the rule should not require laboratories to release a test report to a patient before a treating provider, except in emergency circumstances. Other commenters suggested that there should be a defined delay or lag time, such as 48 or 72 hours, between when a laboratory provides a test report to a treating provider and when the laboratory provides the test report to the patient.
In contrast, other commenters were against providing a defined delay between when the provider and the patient could obtain the test report. Some commenters stated that the Privacy Rule's 30-day timeframe for providing access affords ample opportunity for a provider to receive a test report and consult with the patient before the patient receives the test report he or she requested directly from the laboratory. For example, one commenter suggested that the 30-day period provides laboratories with sufficient flexibility to release routine test results within a few days, while delaying the results of more sensitive tests to allow more time for consultation between the provider and the patient.
Response: We believe 30 days is generally sufficient time to allow a treating provider to receive a test report in advance of the patient's receipt of the report and to communicate the result to and counsel the patient as necessary with regard to the result. Specifically, requests to a laboratory for access may be made some time after the provider has ordered the test or even after the provider has received the completed test report. In cases where the end of the initial 30-day period after an individual's request for access is approaching and, due to the nature of the test, the laboratory is just completing the test report, the laboratory may delay providing access to the individual to ensure the completed test report is provided first to the individual's provider, so long as the delay is no more than 30 days and the individual is informed in writing of the reason for the delay and the date by which the laboratory will provide the individual with access. However, laboratories may have only one extension (see
Comment: A few commenters expressed concern that the 30-day period (and one 30-day extension) for providing access may not be sufficient for all laboratory test reports to be completed. One commenter suggested that the 30-day period to provide the individual with a copy of the test report should begin from the time of the individual's request for access, or test completion, whichever is later.
Response: We understand the commenters' concerns; however, we do not believe it is necessary to establish the completion of the test report as the trigger for the beginning of the 30-day period if the completion of the test report is later than the individual's request for access, or to otherwise create a timeliness requirement for laboratories that is different than the requirement for other types of covered entities. As discussed above in the section on "Scope of Information to Which an Individual Has Access," the Privacy Rule provides sufficient flexibility in most cases to enable laboratories to provide individuals with access to the completed test reports they request. In those rare cases where a test report is not completed, and therefore is not available, within the HIPAA timeframe for responding to requests and the individual is not willing to withdraw his or her request so that he or she will receive a completed test report, the Privacy Rule requires only that the laboratory provide access to the existing protected health information in its designated record set(s) about the individual, which would not include the completed test report requested. We believe that uniformity of the timeliness requirement in the Privacy Rule for all covered entities, including laboratories, is important to ensure consumer understanding and covered entity compliance.
E. Allowable Fees for Copying
Comment: Several commenters stated that laboratories should be permitted to charge individuals that request a copy of one or more test reports an additional fee along with the current fee permitted by the HIPAA Privacy Rule. A number of commenters were specifically concerned with the costs of retrieving archived test reports, which may only be available on paper or limited media, and transferring them to a suitable medium for distribution to the patient. A few commenters suggested that a laboratory should be able to recoup the full costs of providing reports to the individual, including costs associated with retrieval of the information, copying, verification, documentation, liability insurance, and other administrative costs.
In contrast, a number of commenters stated that individuals should not encounter any additional fee to receive copies of test reports from laboratories, other than the costs associated with completing the tests.
Response: We appreciate the comments on this issue. The fee provisions in the Privacy Rule are carefully balanced to reduce costs to covered entities while at the same time avoid being an impediment to individuals' ability to receive copies of their protected health information. Therefore, we decline to expand the fees that may be charged to individuals or to disallow any fees that are currently provided for under the HIPAA Privacy Rule. HIPAA-covered laboratories must comply with the same fee limitations at
Comment: One commenter asked for a more definitive framework of what is an appropriate fee.
Response: We are unable to provide a more definitive framework of what is an appropriate fee, given that costs will vary depending on a number of circumstances, such as the form of the copy requested (paper versus electronic), the amount of information to be included in the copy, and whether the individual has requested the copy to be placed on electronic media or mailed. Covered entities may take into account all of these factors in determining what is a reasonable, cost-based fee. However, we consider fees expressly permitted under state law for copying and postage to be reasonable (as long as they do not include amounts associated with fees not provided for under the HIPAA Privacy Rule, such as the fees for the cost of search and retrieval or other costs).
F. Form and Format of Access
Comment: Some commenters stated that HIPAA-covered laboratories should be able to limit the types of electronic formats in which patients could receive copies of their completed test reports, and that the format provided should not be controlled solely by patient preference. These commenters were concerned with requiring laboratories to have the capability to convert test reports to all types of universal formats (for example,
Other commenters advocated for the use of patient portals and personal health records (PHRs) to deliver test reports to patients in a readable and secure manner. One commenter stated that the rule should ensure laboratories are not allowed to provide test reports exclusively through proprietary formats that require expensive proprietary software to view, interpret, or process the results. Finally, one commenter asked who makes the determination about which format is acceptable.
Response: The Privacy Rule does not require that a HIPAA-covered laboratory have the capability to produce a copy of a completed test report in whatever electronic format or manner the individual requests. Rather, the Privacy Rule requires a covered entity to provide the individual with a copy of the requested information in the form and format requested by the individual, if a copy in that form or format is readily producible. With respect to protected health information maintained by the covered entity only in paper form, the Privacy Rule requires the covered entity to provide the individual with a copy of the protected health information in the form and format requested by the individual, if it is readily producible. If not, the copy must be either a readable hard copy or in another form or format as agreed to by the covered entity and the individual (see
However, when the protected health information to which the individual seeks access is maintained electronically by the covered entity and the individual requests an electronic copy of the information, the Privacy Rule requires the covered entity to provide the individual with access to the information in the requested electronic form and format if it is readily producible in that form and format. When it is not readily producible in the electronic form and format requested, then the covered entity must provide the copy in an alternative readable electronic format as agreed to by the covered entity and the individual (see
We agree with the commenters that individuals should not have an unlimited choice in the form of electronic copy they will receive. The Privacy Rule allows a covered laboratory to make some other agreement with individuals as an alternative means to provide a readable electronic copy to the individual where the covered laboratory is not able to readily provide the form of electronic copy requested. If an individual requests a form of electronic copy that the HIPAA-covered laboratory is unable to produce, the laboratory must offer the individual other electronic formats that are available on its systems. If the individual declines to accept any of the electronic formats that are readily producible by the HIPAA-covered laboratory, the laboratory must provide a hard copy as an option to fulfill the access request. We remain neutral on the type of technology that covered entities may adopt. We note that a PDF is a widely recognized format that would satisfy the electronic access requirement if it is the individual's requested format or if the individual agrees to accept a PDF instead of the individual's requested format. Alternatively, there may be circumstances where an individual prefers a simple text or rich text file and the laboratory is able to accommodate this preference. In this case, a hard copy of the individual's protected health information would not satisfy the electronic access requirement. However, a hard copy may be provided if the individual decides not to accept any of the electronic formats offered by the covered entity.
For example, if a HIPAA-covered laboratory receives a request from an individual to have access to test reports through a web-based portal, but the only readily producible version of the protected health information by the laboratory is in PDF, the Privacy Rule requires the laboratory to provide the individual with the PDF copy of the protected health information, if the individual agrees to receive it in that form. If the individual declines to receive the PDF copy, the laboratory may provide the individual with a hard copy of the information.
Further, while we encourage laboratories to offer patients the ability to access their test reports through patient portals maintained by the laboratories, the HIPAA Privacy Rule does not require covered entities to have this capability. We recognize that what is available in a readable electronic form and format will vary by system, and that technological capabilities will improve over time. Therefore, the Privacy Rule allows covered entities the flexibility to provide individuals with electronic copies of protected health information that are currently readily producible and available on their various systems. A HIPAA-covered laboratory is not required to purchase new software or systems in order to accommodate an electronic copy request for a specific form that is not readily producible by the laboratory at the time of the request, provided the laboratory is able to provide some form of electronic copy. We note that providing the individual with an electronic copy of a test report in a proprietary format that will require the purchase or acquisition by the individual of proprietary software to view the report would not satisfy these access requirements.
Comment: A few commenters suggested that any electronic copies provided to individuals should include a digital signature to provide assurance that test results had not been modified.
Response: HIPAA-covered laboratories may include digital signatures on electronic copies of test reports given to individuals, provided the electronic copy is still in a format that has either been requested by the individual or is an alternative that has been agreed to by the individual and the laboratory.
Comment: Some commenters were concerned about the ability of laboratories to transmit electronic copies of test reports to individuals in a secure manner, and asked for guidance on how test reports should be transmitted to patients. A few commenters were concerned with transmitting test reports to patients via unencrypted email. One commenter expressed concern about being found responsible for a breach if a HIPAA-covered laboratory sent test reports in an unsecure manner after a specific request by the individual to send them in that manner. Other commenters suggested that any method of transmitting test reports to individuals should be acceptable, whether it be by mail, email, transmission to a PHR or patient portal, or other method.
Response: How a test report is transmitted to an individual will vary depending on the circumstances and the request of the individual. In cases where an individual is in close proximity to the laboratory, the individual may wish to come and pick up the test report from the laboratory directly; however, the individual is not required to do so. Individuals also have a right under the Privacy Rule to have either the paper or electronic (for example, on compact disk) copies of their protected health information mailed to them, and HIPAA-covered laboratories may charge an individual for postage in cases where the individual has asked that the copy be mailed. In sending the copy to an individual, covered laboratories are required to reasonably safeguard the information (see
Individuals also may request that a laboratory email an electronic copy of a test report. In emailing copies of test reports to individuals, HIPAA-covered laboratories are required to comply with the HIPAA Security Rule, which, among other requirements, requires implementation of technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network (see
Finally, as mentioned above, we encourage laboratories to offer individuals access to their test reports and other health information through secure patient portals or PHRs. However, use of this method is not required.
Comment: One commenter asked if CMS has the regulatory authority to establish minimum requirements for the provision of electronic test results to patients in a structured format or at least to suggest guidance to laboratories if the test results are to be provided in an electronic format.
Response: CMS does not have current plans to establish regulations that would impose minimum requirements for the provision of electronic results in a structured format, but could examine these options going forward. Furthermore,
FOOTNOTE 2 http://www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertificationGenInfo/downloads/SCLetter10-12.pdf. END FOOTNOTE
G. Content of Test Report, Educational Materials, and Standard Statements
Comment: A few commenters requested further guidance on what the test report that is provided to an individual should look like. Commenters noted that the laboratory coding schema on the official test report sent to the provider may need further interpretation and context before it would be useful to the patient. These commenters expressed concern with the resources and information system development that would be needed to provide a more understandable test report to the individual. Other commenters stated that the report furnished to the individual should be the "official" report furnished to the ordering provider rather than one that is reworded and redesigned in an effort to meet the needs of the individual. Otherwise, they noted, there could be inadvertent inconsistencies or inaccuracies when one compared the "official" report to the patient-centric report.
In addition, some commenters suggested that laboratories should provide brief explanations or patient-specific educational materials on the tests reported, including reference ranges, so that the individual can interpret the information (for example, similar to a pharmacy's provision of the package insert for prescription drugs).
Response: As discussed above, the final rule does not require laboratories to interpret test reports for individuals. An individual has a right to receive a copy of the information about the individual maintained by or on behalf of a HIPAA-covered laboratory in a designated record set, which may include the official test report that is also provided to the individual's provider. However, while not required, a laboratory may also provide additional educational or explanatory materials regarding the test results to individuals if it chooses to do so.
Comment: A number of commenters suggested that the information provided to individuals should include a standard statement explaining the limitations of the laboratory data alone in confirming or ruling out a diagnosis, explaining that the laboratory results are subject to a physician's interpretation and encouraging the individual to discuss the results with his or her physician, and providing the contact information of the physician who ordered the tests.
Response: As we explain above, this final rule does not supplant the treatment conversation a health care provider has with a patient about the patient's test results. We expect that individuals will continue to obtain test results through their treating or ordering providers, and even when individuals request access to test reports directly from laboratories, we believe that, in most cases, these individuals will have had conversations with their treating providers about their test results before receiving access. Therefore, we do not believe a regulatory requirement for a standard statement is warranted. However, laboratories that wish to include one with test reports are free to do so.
H. Verification of Identity and Authentication
Comment: Some commenters stated that many laboratories would have challenges with verifying an individual's identity because they often have no direct interaction with the individual and any contact information they receive from a health care provider can be incomplete or incorrect. One commenter indicated that these limitations would necessitate that an individual make a request for a test report in person. These commenters requested guidance or sample authentication practices for verifying an individual's identity upon receiving a request, whether in person, by phone, fax, or other means. One commenter suggested that the Department should provide guidance on the appropriate assurance levels for identity proofing and authentication, as defined by the
Response: Under § 164.514(h) of the Privacy Rule, a covered entity is required to take reasonable steps to verify the identity of the individual making a request for access. The rule does not mandate any particular form of verification (such as obtaining a copy of a driver's license), but rather leaves the type and manner of the verification to the discretion and professional judgment of the covered entity. Further, covered entities may rely on industry standards in developing reasonable verification processes. The type of verification may also vary depending on how the individual is to receive access, the form of the request, and whether the covered entity is requiring that all requests for access be made in writing, as permitted by
We understand that, in many cases, a laboratory may not have extensive contact or other information about an individual. However, the rule makes clear that a laboratory is only required to provide an individual with access to test reports that can be identified as belonging to the individual who has requested access, based on the laboratory's authentication processes. Thus, when a laboratory is able to authenticate a test report as belonging to a particular patient, that laboratory will have at least some basic information about the patient, such as name, date of birth, date specimen was collected, etc., that can also be used to verify the identity of a person requesting access to that test report. When a laboratory believes a provider may have supplied incorrect information for a patient, which prevents the laboratory from properly verifying the individual, the laboratory may contact the provider to see if correct information is available.
While the Privacy Rule requires verification of the identity of the person requesting access, a HIPAA-covered laboratory may not impose unreasonable verification measures on an individual as a means to avoid having to provide the individual with access. For example, a HIPAA-covered laboratory may not require an individual who wants a copy of his or her test reports mailed to his or her home address to physically come to the laboratory to request access and provide proof of identity in person.
I. Informing Individuals of Their New Right of Access
Comment: A few commenters stated that providers should be required to inform or notify individuals of their right to receive test reports directly from laboratories, and to provide the information necessary for individuals to request test reports from the appropriate clinical laboratories. One commenter suggested this information could be included in the provider's notice of privacy practices. Another commenter asked if this final rule would require HIPAA-covered laboratories to revise their notices of privacy practices to include a statement regarding an individual's right to receive test results directly from the laboratory.
Response: We encourage, but do not require, treating health care providers to inform individuals of their right to receive test reports directly from HIPAA-covered laboratories. We believe requiring providers to do so would create an unwarranted burden on providers. However, whenever providers send a specimen(s) to the laboratory, as opposed to the individual going to the laboratory himself or herself to provide the testing sample, we encourage providers to supply the individual with the name of the laboratory to which the specimen is being or has been sent and the other information necessary for the individual to request access from the laboratory.
With respect to HIPAA notices of privacy practices, a covered entity is required to promptly revise its notice whenever there is a material change to any of its privacy practices, including those pertaining to individuals' rights to access their protected health information (see
The Department recognizes that HIPAA-covered laboratories are already required by the modifications to the HIPAA Rules that were published on
J. Preemption
Comment: A number of commenters supported the rule's general preemption of contrary state laws, stating that it would bring further harmonization of federal and state laws and ensure, regardless of where an individual lives, that he or she has access to laboratory test reports. Other commenters requested clarification with respect to preemption, asking whether state laws that require more timely access to test reports than the Privacy Rule or that would limit the types of identification a laboratory could ask an individual to present to verify identity would continue to stand. One commenter stated that the final rule should preempt state laws that restrict laboratory-initiated contact with patients for purposes of communicating laboratory results. This commenter stated that there can be compelling medical reasons for laboratories to initiate contact. Another commenter stated that the rule should not preempt state laws that require the provider to discuss the results and provide psychological counseling along with disclosure of HIV test results.
Response: We agree with commenters that preemption of certain contrary state law is necessary to ensure that individuals' access rights under the Privacy Rule are strengthened. A number of states have laws that prohibit a laboratory from releasing a test report directly to the individual or that prohibit the release without the ordering provider's consent. Upon the effective date of this final rule, the Privacy Rule preempts these laws and HIPAA-covered laboratories should begin to come into compliance.
With respect to those commenters requesting clarification on HIPAA preemption, we note that HIPAA preempts only state laws that are contrary to the Privacy Rule. "Contrary" generally means a covered entity would find it impossible to comply with both the state and HIPAA requirements. In certain cases, a contrary state law is not preempted, such as where a state law is more stringent than the Privacy Rule. "More stringent" means, with respect to individuals' access rights, that the state law provides greater rights of access to individuals (see, 45 CFR Part 160, Subpart B). A state law that requires a laboratory to provide an individual with more timely access to test reports is not contrary to the Privacy Rule and thus, is not preempted. Similarly, a state law that limits the types of identification a laboratory can ask an individual to produce is not contrary to the Privacy Rule, provided the laboratory is still able to verify the identity of the person requesting access as required by
K. Compliance Date
Comment: A number of commenters advocated for a longer time period for HIPAA-covered laboratories to come into compliance than the proposed 180-day compliance period. Commenters suggested a variety of different compliance dates, including one year and beyond. Some commenters raised specific concerns with respect to laboratories that do not currently provide individuals with access to test reports, since the laboratories would need to develop all new policies, protocols, and mechanisms for receiving and responding to requests for access to test reports.
Other commenters asked that the Department wait to finalize the rule until after the HITECH Act changes to the Privacy Rule become final so that HIPAA-covered laboratories would need to develop only one set of policies, protocols, and procedures one time, to comply with the Privacy Rule's access provisions. A few commenters requested that the Department implement reasonable, sequenced compliance deadlines for all related regulations under the HITECH Act and HIPAA, such as changes to the Privacy Rule, EHR Incentive Programs' requirements, and the implementation of HIPAA Version 5010 and ICD-10. Commenters stated that sequenced deadlines would better take into account the significant amount of financial, operational, and technological resources needed to fully comply with all of these new requirements.
Response: While we appreciate the commenters' concerns regarding the compliance date, we decline to extend the 180-day compliance period for this final rule. We believe 180 days will provide HIPAA-covered laboratories with sufficient time to become prepared to provide individuals who request them with copies of test reports and will also ensure that individuals are afforded and able to benefit from this new right in a timely manner after the rule's issuance. Thus, HIPAA-covered laboratories are required to comply with the individual access provisions of the Privacy Rule by no later than 180 days after the effective date of the final rule. The effective date of the final rule is 60 days after publication in the
L. Other Comments
Comment: Commenters asked whether a laboratory could be subject to penalties for charging more than the reasonable cost-based fee allowed by the Privacy Rule, for failing to comply with an individual's request for completed test reports within the appropriate time period, or for failing to comply with an individual's request altogether.
Response: HIPAA-covered laboratories that fail to comply with the Privacy Rule's access provisions are subject to an enforcement action for noncompliance by the Department, which may include the imposition of civil money penalties. More information about HIPAA enforcement is available on the OCR Web site at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/index.html.
Comment: A few commenters suggested that the rule increases burden on individuals, by making them first call their provider's office to learn the name of the laboratory producing the test report and then making them call the laboratory for a copy of the test report, instead of just having them contact the provider's office for the test results.
Response: We do not agree that this final rule increases the burden on individuals. As previously discussed in detail above, the rule does not supplant the role of the treating provider in discussing test results with a patient or an individual's right under the HIPAA Privacy Rule to access protected health information about the individual maintained by the provider, including laboratory test results. The rule merely provides an additional avenue for individuals to obtain copies of their test reports by allowing individuals to obtain their test reports directly from the laboratories.
Comment: One commenter stated that certain third-party payers and insurers do not allow laboratories to bill a patient any amount in addition to what is paid to the laboratory for testing services by that third-party payer or insurer. The commenter contended that this prohibition would prevent a laboratory from charging an individual a cost-based fee for providing a copy of the test report.
Response: First, we note that charging an individual a fee for access is optional and not required under the Privacy Rule. Second, the billing restriction described by the commenter is likely tied to the costs associated with the provision of health care services, and not to a laboratory's ability to charge an individual for reasonable costs associated with providing the individual access to his or her protected health information. It has not been our experience that covered health care providers subject to similar billing restrictions have been unable to charge individuals reasonable cost-based fees for access to their records.
Comment: One commenter asked, when a patient fails to compensate the laboratory for services provided, whether a laboratory may withhold future test results from the patient until payment is made.
Response: A covered entity may not withhold or suspend an individual's right under the HIPAA Privacy Rule to access his or her protected health information because the individual has not paid the covered entity for the health care services provided.
Comment: One commenter stated that laboratories should not be required to provide test reports in a patient's preferred language.
Response: A covered entity's obligations under civil rights or other laws to ensure equal access to health care for individuals, including requirements for when certain documents must be translated, are not diminished or disturbed by this rule.
Comment: A few commenters suggested that laboratories should be required to notify the ordering provider when a patient has received, or will receive, copies of test reports directly from the laboratory.
Response: We do not believe this requirement is warranted. As discussed above, this rule does not change the ability of an ordering provider to receive test reports and discuss them with the patient. However, a laboratory that wishes to provide notification to a provider that an individual will receive a copy of a test report directly may do so.
Comment: One commenter stated that, by deferring to state law, the
Response: The
VI. Collection of Information Requirements
Under the Paperwork Reduction Act of 1995 (PRA), we are required to provide 30-day notice in the
* The need for the information collection and its usefulness in carrying out the proper functions of our agency.
* The accuracy of our estimate of the information collection burden.
* The quality, utility, and clarity of the information to be collected.
* Recommendations to minimize the information collection burden on the affected public, including automated collection techniques.
In our
Except as provided in
We have prepared the Paperwork Reduction Act and the Regulatory Impact Analysis (RIA) that represents the costs and benefits of the final rule based on an analysis of identified variables and data sources needed for this change. We identified known data elements (Table 1) and made assumptions on elements where a source could not be identified (Table 2). Our assumptions are based on internal discussions and consultation with laboratories representative of the industry.
Table 1--Summary of Known Data Elements

| Variable | Data element | Source |
|---|---|---|
| States/territories where laboratories, as listed in Table 3, are impacted by the new individual access provisions | 39 | Determination of this finding is based on two reports as listed here: 1. Privacy and Security Solutions for Interoperable Health Information Exchange, Releasing Clinical Laboratory Test Results; Report on Survey of State Laws prepared by Joy Pritts, JD, for the Agency for Health care Research and Quality and Office of the National Coordinator August 2009; RIT Project Number 0209825.000.015.100 (Accessed July 15, 2010). 2. Electronic Release of Clinical Laboratory Results: A Review of State and Federal Policy, prepared by Kitty Purington, JD, for the California Health care Foundations January 2010 (Accessed July 15, 2010). |
| Laboratories, as listed in Table 6, impacted by the new individual access provisions | 22,816 | Data from CLIA Online Survey Certification and Reporting database (OSCAR) database accessed August 27, 2012. Includes Certificate of Compliance and Certificate of Accreditation in the 39 states impacted by the patient access provisions. |
| Test results in laboratories, as listed in Table 6, impacted by the new individual access provisions | 7,025,841,649 | Data from OSCAR database accessed August 27, 2012. Includes Certificate of Compliance and Certificate of Accreditation in the 39 states impacted by the patient access provisions. |
| States/territories, as noted in Table 7, where the HIPAA Privacy Rule will pre-empt State Law *1 | 46 | Determination of this finding is based on two reports as listed here: 1. Privacy and Security Solutions for Interoperable Health Information Exchange, Releasing Clinical Laboratory Test Results; Report on Survey of State Laws prepared by Joy Pritts, JD, for the Agency for Health care Research and Quality and Office of the National Coordinator August 2009; RIT Project Number 0209825.000.015.100 (accessed July 15, 2010). 2. Electronic Release of Clinical Laboratory Results: A Review of State and Federal Policy prepared by Kitty Purington, JD, for the California Health care Foundations January 2010 (Accessed July 15, 2010). |
| Laboratories, as indicated in Table 7, required to update their HIPAA notices of privacy practices | 33,807 | Data from OSCAR database accessed August 27, 2012. Includes Certificate of Compliance and Certificate of Accreditation in the 27 states impacted by the HIPAA provisions to update the notices of privacy practice. |
| Hourly salary of clerical level employee to process requests for test reports | $30.09 | 2013 salary/wages and benefits--use 2012 salary/wages and benefits (obtained from the U.S. Bureau of Labor Statistics, Economic News Release, March 2012 U.S.--Total employer costs per hour worked for employee compensation: Civilian workers; Occupational Group: Service-providing at http://www.bls.gov/news.release/ecec.t01.htm) and adjusts annually by 2.78 percent to reflect an average increase in total compensation costs from 2007-2011. |
| Hourly salary of management level employee to determine policy | $50.06 | 2013 salary/wages and benefits--use 2012 salary/wages and benefits (obtained from the U.S. Bureau of Labor Statistics, Economic News Release, March 2012 U.S.--Total employer costs per hour worked for employee compensation: Civilian workers; Occupational Group: Service-providing at http://www.bls.gov/news.release/ecec.t01.htm) and adjusts annually by 2.78 percent to reflect an average increase in total compensation costs from 2007-2011. |

1. Note that there may be circumstances where a laboratory is able to comply with both HIPAA and the state law.
Table 2--Summary of Assumptions

| Variable | Low | High |
|---|---|---|
| Number of test results per test report | 10 test results | 20 test results |
| Percentage of patients requesting test report | 0.05% | 0.50% |
| Time required to process request for test report | 10 minutes | 30 minutes |
We determined that the impacted
Table 3--Impact on Laboratories of New Individual Access Provisions

| Impacts laboratories: No State law | Impacts laboratories: Allows test reports only to provider | Does not impact laboratories: Allows test reports to patient | Does not impact laboratories: Allows test reports to patient with provider approval |
|---|---|---|---|
| Alabama | Arkansas | Delaware | California |
| Alaska | Georgia | District of Columbia | Connecticut |
| Arizona | Hawaii | Maryland | Florida |
| Colorado | Illinois | New Hampshire | Massachusetts |
| Guam | Kansas | New Jersey | Michigan |
| Idaho | Maine | Nevada | New York |
| Indiana | Missouri | Oregon | Virginia |
| Iowa | Pennsylvania | Puerto Rico | |
| Kentucky | Rhode Island | West Virginia | |
| Louisiana | Tennessee | | |
| Minnesota | Washington | | |
| Mississippi | Wisconsin | | |
| Montana | Wyoming | | |
| Nebraska | | | |
| New Mexico | | | |
| North Carolina | | | |
| North Dakota | | | |
| Northern Mariana Islands | | | |
| Ohio | | | |
| Oklahoma | | | |
| South Carolina | | | |
| South Dakota | | | |
| Texas | | | |
| Utah | | | |
| Vermont | | | |
| Virgin Islands | | | |
In addition to the impact from the access provisions, laboratories both in the 39 states and territories where there is either no law regarding receipt of test reports or where reports can only go to the provider, as well as in the 7 states and territories that currently allow test reports to go to the patient only with provider approval, will be affected by the requirement to update HIPAA notices of privacy practices as a result of this final rule (see Table 4 for a list of states and territories by category). Even if laboratories in the 7 states and territories that currently allow test reports to go to the patient with provider approval have processes in place to provide test reports to patients, their notices of privacy practices may now contain inaccurate statements about how individuals can obtain copies of their test reports, given that this final rule preempts these state laws. Therefore, by the compliance date of this rule, the laboratories in the 46 states and territories identified in Table 4 will need to revise their notices to inform individuals of their right to obtain reports directly from the laboratory, provide a brief description of how to exercise this right, and must remove any statements to the contrary (see
Table 4--Impact on Laboratories of HIPAA Privacy Rule Requirement To Revise Their Notices of Privacy Practices

| Impacts laboratories: No State law | Impacts laboratories: Allows test reports only to provider | Impacts laboratories: Allows test reports to patient with provider approval | Does not impact laboratories: Allows test reports to patient |
|---|---|---|---|
| Alabama | Arkansas | California | Delaware |
| Alaska | Georgia | Connecticut | District of Columbia |
| Arizona | Hawaii | Florida | Maryland |
| Colorado | Illinois | Massachusetts | New Hampshire |
| Guam | Kansas | Michigan | New Jersey |
| Idaho | Maine | New York | Nevada |
| Indiana | Missouri | Virginia | Oregon |
| Iowa | Pennsylvania | | Puerto Rico |
| Kentucky | Rhode Island | | West Virginia |
| Louisiana | Tennessee | | |
| Minnesota | Washington | | |
| Mississippi | Wisconsin | | |
| Montana | Wyoming | | |
| Nebraska | | | |
| New Mexico | | | |
| North Carolina | | | |
| North Dakota | | | |
| Northern Mariana Islands | | | |
| Ohio | | | |
| Oklahoma | | | |
| South Carolina | | | |
| South Dakota | | | |
| Texas | | | |
| Utah | | | |
| Vermont | | | |
| Virgin Islands | | | |
The CMS Online Survey, Certification, and Reporting (OSCAR) database indicates that there are a total of 234,756 laboratories which provide approximately 12.8 billion tests annually (see Table 5) in
However, we recognize that some laboratories included in these estimates may not be covered entities under HIPAA (because they do not conduct covered health care transactions electronically, for example, filing electronic claims for payment) and, therefore, would not be required to provide direct individual access.
Table 5--All U.S. Laboratory Testing Subject to CLIA

| CLIA certificate type | Number of laboratories | Number of tests |
|---|---|---|
| Certificate of Compliance | 20,470 | 3,122,772,023 |
| Certificate of Accreditation | 16,829 | 8,998,058,524 |
| Certificate of Waiver | 158,996 | 477,094,700 |
| Certificate of Provider Performed Microscopy (PPM) | 38,461 | 207,777,472 |
| Totals | 234,756 | 12,805,702,719 |
Table 6--Number of Laboratories Impacted by New Individual Access Provisions

| State or territory | Number of laboratories | Number of tests |
|---|---|---|
| Alaska | 103 | 10,688,466 |
| Alabama | 868 | 252,267,262 |
| Arkansas | 540 | 74,686,910 |
| Arizona | 581 | 195,731,588 |
| Colorado | 499 | 138,847,079 |
| Georgia | 1,190 | 217,997,888 |
| Guam | 13 | 2,500,654 |
| Hawaii | 117 | 36,918,267 |
| Idaho | 230 | 33,092,465 |
| Illinois | 1,053 | 1,852,543,312 |
| Indiana | 621 | 190,732,493 |
| Iowa | 548 | 82,389,916 |
| Kansas | 438 | 240,744,893 |
| Kentucky | 710 | 133,586,267 |
| Louisiana | 677 | 135,050,184 |
| Maine | 140 | 36,150,552 |
| Minnesota | 832 | 165,066,668 |
| Mississippi | 523 | 45,808,928 |
| Missouri | 683 | 192,145,580 |
| Montana | 961 | 300,480,983 |
| Nebraska | 317 | 33,103,996 |
| New Mexico | 189 | 44,642,110 |
| North Carolina | 673 | 48,771,993 |
| North Dakota | 177 | 49,833,112 |
| Northern Mariana Islands | 181 | 56,185,878 |
| Ohio | 634 | 163,151,403 |
| Oklahoma | 485 | 111,005,884 |
| Pennsylvania | 747 | 87,776,132 |
| Rhode Island | 477 | 91,657,444 |
| South Carolina | 453 | 38,185,190 |
| South Dakota | 469 | 171,638,497 |
| Tennessee | 2,626 | 949,935,182 |
| Texas | 1,594 | 155,118,958 |
| Utah | 705 | 256,856,757 |
| Vermont | 245 | 174,974,043 |
| Virgin Islands | 45 | 11,413,475 |
| Washington | 936 | 167,818,742 |
| Wisconsin | 482 | 73,457,876 |
| Wyoming | 54 | 2,884,622 |
| Total | 22,816 | 7,025,841,649 |
In addition to complying with the individual access requirements, a total of 33,087 laboratories in the states and territories that are affected by the HIPAA notice provisions will need to revise their notices of privacy practices to reflect the right of individuals to obtain test reports directly from laboratories (see Table 7). However, as stated above, we recognize that some laboratories included in these estimates may not be covered entities under HIPAA and, therefore, would not be required to provide direct individual access and would not be required to revise any notices.
Table 7--Number of Laboratories Impacted by the HIPAA Privacy Rule Requirement to Revise Their Notices of Privacy Practices

| State | Number of laboratories |
|---|---|
| Alaska | 103 |
| Alabama | 868 |
| Arkansas | 540 |
| Arizona | 581 |
| California | 2,919 |
| Colorado | 499 |
| Connecticut | 379 |
| Florida | 2,462 |
| Georgia | 1,190 |
| Guam | 13 |
| Hawaii | 117 |
| Idaho | 230 |
| Illinois | 1,053 |
| Indiana | 621 |
| Iowa | 548 |
| Kansas | 438 |
| Kentucky | 710 |
| Louisiana | 677 |
| Massachusetts | 693 |
| Maine | 140 |
| Michigan | 926 |
| Minnesota | 832 |
| Mississippi | 523 |
| Missouri | 683 |
| Montana | 961 |
| Nebraska | 317 |
| New Mexico | 189 |
| New York | 2,425 |
| North Carolina | 673 |
| North Dakota | 177 |
| Northern Mariana Islands | 181 |
| Ohio | 634 |
| Oklahoma | 485 |
| Pennsylvania | 747 |
| Rhode Island | 477 |
| South Carolina | 453 |
| South Dakota | 469 |
| Tennessee | 2,626 |
| Texas | 1,594 |
| Utah | 705 |
| Vermont | 245 |
| Virgin Islands | 45 |
| Virginia | 467 |
| Washington | 936 |
| Wisconsin | 482 |
| Wyoming | 54 |
| Totals | 33,087 |
A. Information Collection Requests (ICRs) Regarding the Development of Process To Provide Patient Access to Test Reports (
Under § 493.1291(l), we assume that the development of the mechanisms to provide patient access to laboratory test reports will be a one-time burden and that each laboratory will develop its own unique policies and procedures to address patient access or adopt mechanisms/procedures developed by consultants or associations representing laboratories. We assume a one-time burden of 2 to 9 hours to identify the applicable legal obligations and to develop the processes and procedures for handling patient requests for access to test reports. While we provide a range of burden estimates in this final rule, for purposes of OMB review and approval we will submit burden estimates based on 9 hours. We also assume an hourly rate for a management-level employee to be
The range of costs for laboratories to develop the necessary processes and procedures for handling patient requests is:
(2 hours x
(9 hours x
Since this is a one-time burden, the average annual cost over the 3-year OMB approval period, which is the period between approval and renewal of the information collection by OMB, will range between
The ongoing burden associated with responding to test report requests is dependent upon the total number of test reports that exist in affected laboratories, the percent of the results that would be requested, and the cost of producing these reports for those individuals who ask for direct access.
Laboratory test reports are commonly understood to contain multiple test results with many laboratory tests being ordered as panels of tests. Each laboratory may have its own unique test report panels which may contain anywhere from 1 to 20 individual test results.
Using a range of 10 to 20 test results in a test report, we estimated the annual number of test reports that may be requested to be:
(7,025,841,649 tests per year/20 tests per report) = 351,292,082 test reports/year
(7,025,841,649 tests per year/10 tests per report) = 702,584,165 test reports/year
We are unaware of any data that would provide a reasonable estimate for the number of patients who would request test reports from laboratories if they are available. We solicited public comments on this issue but did not receive any to inform our estimates. Therefore, we assume a range of 1 in 2,000 patients (0.05 percent) to 1 in 200 patients (0.50 percent) will request direct access to his or her test report.
Using these figures, the range of the number of patient requests per year will be:
(351,292,082 test reports per year x .0005) = 175,646 patient requests per year
(702,584,165 test reports per year x .005) = 3,512,921 patient requests per year
The processing of a patient request for a test report generally covers steps from actual receipt of the patient's request to the delivery of the report and documentation of the delivery. Requests for laboratory results are usually handled by non-managerial or clerical staff. Due to the lack of data that indicates the amount of time it takes for staff to process a test report request, we assume a range of 10 minutes (0.17 hours) to 30 minutes (0.5 hours) to handle a request from start to finish.
We then multiplied this range by the range of the anticipated number of patient requests to obtain the total annual burden hours:
(175,646 patient requests per year x 0.17 hours) = 29,860
(3,512,921 patient requests per year x 0.5 hours) = 1,756,461
We then multiplied this range by the hourly rate of
29,860 (total annual burden hours) x
1,756,461 (total annual burden hours) x
Table 8--Summary of Annual Requirements and Burden Estimates

| Regulation section(s) | OMB Control No. | Respondents | Responses | Burden per response (hours) | Total annual burden (hours) |
|---|---|---|---|---|---|
| 42 CFR 493.1291 | 0938--New | 22,816 | 22,816 | 9 | 205,344 |
| 42 CFR 493.1291 | 0938--New | 3,512,921 | 3,512,921 | .5 | 1,756,461 |
| Total | | 3,535,737 | 3,535,737 | | 1,961,804 |
Table 8--Summary of Annual Requirements and Burden Estimates

| Regulation section(s) | Hourly labor cost of reporting ($) | Total labor cost of reporting ($) | Total capital/maintenance costs ($) | Total cost ($) |
|---|---|---|---|---|
| 42 CFR 493.1291 | 50.06 | 10,279,521 | 0 | 10,279,521 |
| 42 CFR 493.1291 | 30.09 | 52,851,911 | 0 | 52,851,911 |
| Total | | 63,131,432 | | 63,131,432 |
We will exercise our enforcement discretion to allow HIPAA-covered laboratories to revise their notices only once to reflect the changes to privacy practices of these entities both resulting from this rule, as well as the final rule published on
If you comment on these information collection and recordkeeping requirements, please submit your comments to the
VII. Regulatory Impact Analysis
A. Overall Impact
We have examined the impacts of this final rule as required by Executive Order 12866 on Regulatory Planning and Review (
Executive Orders 13563 and 12866 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This final rule has been designated a "significant regulatory action" although not economically significant, under section 3(f) of Executive Order 12866. Accordingly, the rule has been reviewed by the
Laboratories regulated under
We expect that 22,816 laboratories located in the 39 states and territories identified in Table 3 as having no state law or a state law that provides test reports only to the provider will be impacted by the individual access provisions in this final rule. In addition, we expect that 33,087 laboratories located in the 46 states and territories identified in Table 4 as having no state law, a state law that provides test reports only to the provider, or a state law that permits test reports to go to patients only with provider approval, will be affected by the HIPAA requirement to update their notices of privacy practices. We believe that this final rule does not constitute an economically significant rule because we estimate the range of overall annual costs that would be expended by the affected laboratories would be less than
The RFA requires agencies to analyze options for regulatory relief of small entities, if a rule has a significant impact on a substantial number of small entities. For purposes of the RFA, we assume that the great majority of medical laboratories are small entities, either by virtue of being nonprofit organizations or by meeting the SBA definition of a small business by having revenues of less than
Other options for regulatory relief of small businesses, as discussed in section E of this final rule, were determined not to be feasible and therefore these options were not analyzed for this final rule. We believe any alternative to allowing the laboratory to provide patient access to test reports would be counterproductive to the Department's efforts to provide patient-centered health care. We are unaware of any instances in which the changes included in this final rule would affect health care entities operated by small government jurisdictions.
Section 1102(b) of the Social Security Act also requires us to prepare a regulatory impact analysis if a rule may have a significant impact on the operations of a substantial number of small rural hospitals. This analysis must conform to the provisions of section 604 of the RFA. For purposes of section 1102(b) of the Act, we define a small rural hospital as a hospital that is located outside of a metropolitan statistical area and has fewer than 100 beds. We do not expect this final rule would have a significant impact on small rural hospitals. The final rule applies only to laboratories. If a small rural hospital operates a laboratory, we anticipate compliance with this final rule will require minimal effort as we expect that the hospital already has procedures in place for responding to individual access requests for hospital records under the HIPAA Privacy Rule. We believe that these existing policies and procedures should be easy to translate for use in direct access requests to hospital-operated laboratories. Therefore, the Secretary has determined that this final rule does not have a significant impact on the operations of a substantial number of small rural hospitals.
Section 202 of the Unfunded Mandates Reform Act of 1995 (UMRA) also requires that agencies assess anticipated costs and benefits before issuing any rule whose mandates require spending in any 1 year of
The changes to the
The Federalism implications of the Privacy Rule were assessed as required by Executive Order 13132 and published as part of the preamble to the final rule on
We do not believe that this rule will impose substantial direct compliance costs on state and local governments. We do not believe that a significant number of laboratories affected by these proposals are operated by state or local governments. Therefore, the modifications in these areas will not cause additional costs to state and local governments.
In considering the principles in and requirements of Executive Order 13132, the Department has determined that the modifications to the Privacy Rule will not significantly affect the rights, roles and responsibilities of the states.
B. Anticipated Effects
The current
The changes providing for individual access will impact laboratories in 39 states and territories (Table 3) where state law does not permit the laboratory to provide test reports directly to the patient. These changes do not impact the laboratories in the remaining 16 states and territories where the laboratory is allowed to provide the test report to the patient either directly or after provider approval. However, laboratories in 46 states and territories (Table 4) where state law does not permit the laboratory to provide test reports directly to the patient or permits direct access only after provider approval, will be impacted by the requirement to update their HIPAA notice of privacy practices to reflect individuals' new access rights under this final rule.
C. Costs
Although data are not available to calculate the estimated costs and benefits that will result from these changes, we are providing an analysis of the potential impact based upon available information and certain assumptions. These regulatory changes are anticipated to have the following associated costs and benefits:
* The impacted laboratories may require additional resources to ensure patients receive test reports when requested.
* Patients will benefit from having direct access to their laboratory test results. (See section D below).
1. Quantifiable Impacts
Laboratories that are issued a CLIA Certificate of Compliance or Certificate of Accreditation in the 39 states and territories identified in Table 3 will be required to provide patients with a copy of their test report upon request. The OSCAR database includes 22,816 laboratories in the 39 states and territories that will be impacted and the corresponding number of annual tests in these laboratories is approximately 7 billion as shown in Table 6. Data are not available for estimating the number of test results reported per test report. However, the majority of test reports contain multiple test results. Tests are frequently ordered as panels of individual tests. For example, according to 2008 CMS reimbursement data, three of the four most frequently ordered tests in the
For the purposes of this analysis, we assume that many patients will still prefer to obtain their laboratory result information from their health care provider, who will also be able to provide interpretation of the test results, and thus an assumed range of from 1 in 2,000 (0.05 percent) to 1 in 200 (0.50 percent) is used to represent the proportion of test reports requested. Applying this range to the number of estimated annual test reports (351,292,082 to 702,584,165) yields an estimated annual number of patient requests ranging from 175,646 to 3,512,921.
Processing a request for a test report, either manually or electronically, will require completion of the following steps: (1) Receipt of the request from the individual; (2) authentication of the identification of the individual; (3) retrieval of test reports; (4) verification of how and where the individual wants the test report to be delivered and provision of the report by mail, fax, email or other electronic means; and (5) documentation of test report issuance. We estimate the total time to process each test report request to be in the range of 10 minutes (0.17 hours) to 30 minutes (0.5 hours). This estimate for a range of total time includes estimates for a range of time for each of the five steps listed above. The time needed to complete each step is dependent on the capabilities of the laboratory, such as whether manual or automated processes are available, and the desired method of communication of test reports to the individual patient as listed in step four. We multiplied the range for the number of patient requests, 175,646 to 3,512,921 by 0.17 hours and 0.5 hours to determine the total number of hours for processing the test reports to be in the range of 29,860 and 1,756,461. The estimated annual cost to process all test report requests in 2013 ranges from $898,487 to
The analysis also assumed each of the estimated 22,816 laboratories to be impacted by individual access provisions of this rule (Table 6) will need to develop and implement a policy and process to receive and respond to patient requests as discussed above. To estimate the initial, one-time development cost, it is assumed to require laboratory management staff time ranging from a low of 2 hours to a high of 9 hours per laboratory. To convert the number of hours to an estimated cost per laboratory, we applied the rate of
Table 9 shows the total estimated range of annual costs for the change in undiscounted 2013 dollars and discounted at 3 percent and 7 percent to translate expected benefits or costs in any given future year into present value terms. To calculate the total estimated costs in 2013, we added the cost to develop the necessary policies and processes (which would only be applicable in the first year) and the cost of responding to test report requests. These costs total between
Table 9--Total Estimated Annual Costs of Patient Test Report Requests
[Policy development and processing for the patient access]
(Base year: 2013)

Year | Undiscounted, Low | Undiscounted, High | Discounted at 3%, Low | Discounted at 3%, High | Discounted at 7%, Low | Discounted at 7%, High
2013 | $3,182,819 | $63,131,432 | $3,090,115 | $61,292,652 | $2,974,597 | $59,001,338
2014 | 932,243 | 55,934,563 | 878,728 | 52,723,690 | 814,257 | 48,855,414
2015 | 959,045 | 57,542,682 | 877,662 | 52,659,705 | 782,866 | 46,971,969
2016 | 986,617 | 59,197,034 | 876,597 | 52,595,798 | 752,686 | 45,161,134
2017 | 1,014,982 | 60,898,949 | 875,533 | 52,531,968 | 723,668 | 43,420,109
Laboratories will be able to offset some of these costs pursuant to
As we explain above, with respect to notices of privacy practices, we are exercising our enforcement discretion to allow HIPAA-covered laboratories to revise their notices only once to reflect the changes to privacy practices of these entities both resulting from this rule, as well as the final rule published on
Therefore, we estimate the cost to provide patients with access to their laboratory test reports to be between
2. Non-Quantifiable Impacts
The burden in this final rule would be primarily on laboratories to provide the laboratory test reports when requested by the patient; however, there may be some non-quantifiable impacts on the health care provider's office. If the patient does not know where the provider sent the test request, the provider may need to provide laboratory contact information to the patient so he or she may request the test report. We assume that notification of the laboratory name and contact information could be provided in as little as 30 seconds; however there are no data to confirm this, and we did not receive comments on the issue. We also note that since the provider may need to provide an interpretation of the test results, the provider may give the patient a copy of the test report rather than referring the patient to the laboratory for the information. The time cost to patients of new interactions with laboratories is a further impact of the rule that has not been quantified.
D. Benefits
Although we cannot quantify the impact on patients, we believe that it will be positive in light of findings from studies that focused on patient receipt of test results from the provider. We found several studies where greater than 90 percent of patients stated they preferred being notified of all test results, both normal and abnormal (1. Baldwin DM, Quintela J, Duclos C, et al. Patient Preferences for Notification of Normal Laboratory Test Results: A Report from the ASIPS Collaborative. BMC Fam Practice 2005; 6:11; 2. Boohaver EA, Ward RE, Uman JE et al. Patient Notification and Follow-up of Abnormal Test Results. Arch Intern Med 1996; 327-331; 3. Grimes GC, Reis MD, Gokul B, et al. Patient Preferences and Physician Practices for Laboratory Test Result Notification. JABFM 2009:22:6:670-676; and 4. Meza JP and Webster DS. Patient Preferences for Laboratory Test Result Notification. Am J Manag Care 2000; 6:1297-300). These same studies reported, for both the health care provider and patient, the preferred method for receiving normal test results was the U.S. mail, and direct phone contact from the provider was the preferred method for abnormal test results. These preferences may have changed in the last 5 years given the increase in the use of electronic communications. Advantages reported in these studies for the patient having direct access to the test report include reduced workload for the health care provider's office, reduced chance of a patient not being informed of a laboratory test result, and reduced numbers of patients who fail to seek appropriate medical care. Additionally, we expect significant benefits to flow to patients as a result of increased access to their laboratory test results. 
Commenters to this final rule describe these benefits as including increased patient participation in treatment programs, such as those that involve monitoring of chronic diseases, and the ability of patients to identify and treat health risks sooner and more effectively.
E. Alternatives Considered
The changes to the
F. Accounting Statement and Table
We have prepared the following accounting statement showing the classification of the expenditures associated with the provisions of this final rule.
Category | Primary estimate | Minimum estimate | Maximum estimate | Source citation (RIA, preamble, etc.)
BENEFITS:
Monetized benefits | n/a | n/a | n/a | RIA Section C2
Annualized qualified, but unmonetized, benefits | n/a | n/a | n/a | RIA Section C2
(Unqualified benefits) | n/a | n/a | n/a | RIA Section C2
COSTS:
Monetized costs (2012):
Patient access provisions 2013 | n/a | $3,182,819 | $63,131,432 | RIA Sec C1 (Table 7)
Patient access provisions 2014 | n/a | $932,243 | $55,934,563 | RIA Sec C1 (Table 7)
Patient access provisions 2015 | n/a | $959,045 | $57,542,682 | RIA Sec C1 (Table 7)
Patient access provisions 2016 | n/a | $986,617 | $59,197,034 | RIA Sec C1 (Table 7)
Patient access provisions 2017 | n/a | $1,014,982 | $60,898,949 | RIA Sec C1 (Table 7)
Annualized quantified, but unmonetized, benefits | n/a | n/a | n/a |
Qualitative (unquantified) costs | n/a | n/a | n/a | RIA Section C2
TRANSFERS:
Annualized monetized transfers: "on budget" | n/a | n/a | n/a |
From whom to whom? | n/a | n/a | n/a |
Annualized monetized transfers: "off-budget" | n/a | n/a | n/a |
From whom to whom? | n/a | n/a | n/a |

Category | Effects | Source Citation (RIA, preamble, etc.)
Effects on State, local, and/or tribal governments | n/a n/a n/a | RIA Sec A (Table 4)
Effects on small businesses | n/a n/a n/a | RIA Section A
Effects on wages | n/a n/a n/a |
Effects on growth | n/a n/a n/a |
G. Conclusion
We estimated the cost to laboratories to provide patients with a copy of their test reports upon request and determined it would cost between
In accordance with the provisions of Executive Order 12866, this regulation was reviewed by the
VIII. Analysis of and Responses to Public Comments on the Paperwork Reduction and Regulatory Impact Analysis
We have provided an analysis of the potential impact of this final rule, based upon available information and certain assumptions. We have prepared the Paperwork Reduction Act and the Regulatory Impact Analysis representing the costs and benefits of the final rule based on analysis of identified variables and data sources needed for this change. We requested that commenters provide any additional data that would assist us in the analysis of the potential impact of this regulation on
Therefore, based on our analysis and assessment of the overall annual costs to the laboratories affected by this final rule, we are finalizing the provisions as set forth in the proposed rule. The comments we received on this provision and our responses are set forth below.
Comment: We received several comments from organizations and individuals suggesting the implementation and operations cost estimate provided in the regulatory impact analysis (that is, for the laboratory to receive the request, authenticate the requestor is allowed to have access to the test report, process the request and provide the test report) was too low. Some suggested there were other factors that were not considered in the proposed rule's RIA, such as costs for training staff to provide the reports in a compliant manner, verification that the information was received, and for providing an explanation or summary of results, which may require higher level staff than those at a clerical level. Some recommended we review the anticipated cost structure and contact several laboratories to request best estimates. One organization recommended that we permit laboratories to charge a standard fee between
Response: Our cost estimate was based on assumptions from internal discussions and consultation with two laboratories that provide test reports directly to patients. Although the proposed rule solicited comments and additional data from laboratories that already provide test reports directly to the patient, we did not receive any data to support adjusting the estimates provided in the proposed rule; therefore, we are not adjusting those estimates in this final rule and acknowledge that they may not reflect costs for every laboratory setting. We appreciate the commenter's suggestion about staff training costs; however we believe that there is no need to include additional costs for training staff to provide the reports in a HIPAA Privacy Rule compliant manner since training cost was part of our original estimate for developing and implementing a policy and process.
In addition, the HIPAA Privacy Rule permits covered entities to charge a reasonable cost-based fee to provide individuals with copies of their protected health information. The fee may include only the cost of copying (including supplies and labor) and postage, if the individual requests that the copy be mailed. If the individual (or individual's personal representative) has agreed to receive a summary or explanation of his or her protected health information, the covered entity may also charge a reasonable, cost-based fee for preparation of the summary or explanation. The fee may not include costs associated with searching for and retrieving the requested information, nor does the HIPAA Privacy Rule permit charging a standard fee; therefore, this final rule does not permit laboratories to charge these fees. The fees permitted to be charged to individuals under the HIPAA Privacy Rule are discussed more fully above in section VII.
Comment: We received a few comments that smaller, rural hospitals, particularly Critical Access Hospitals (CAHs), may face financial constraints that would make compliance with this requirement challenging.
Response: The impacts discussed in the preamble affect only those laboratories that currently do not provide patients with access to their health information. Since most hospitals are HIPAA covered entities, they are required already to provide individuals with access to the protected health information in their designated record sets, including laboratory test results, in accordance with
Comment: Several commenters asked why we used test volume data that was self-reported rather than validated Part B claims or actual claims. Other commenters asked why we did not analyze the cost of providing access to completed test reports to
Response: We used data from the CMS OSCAR database for our estimates. The OSCAR database is not limited to
Comment: We received several comments disagreeing with the time estimate of 2 to 9 hours for laboratories to identify the applicable legal obligations and develop processes or procedures to handle the patient requests for access to test reports. One commenter stated that his institution had reported spending several hours in meetings between administration, laboratory management, and legal counsel examining procedural options and the risks of each procedure. Other commenters stated that it would not be possible for the information technology/data privacy teams to meet this requirement in the allotted timeframe for implementation. Several commenters suggested some laboratories may need to develop policies related to sensitive issues, such as minors and parent/guardian access or release of the results of drug testing that might have an impact on the laboratory's liability insurance costs. Other comments stated that the policy development would not be a one-time charge since laboratories would need to monitor all new state and federal regulations related to the disclosure of protected health information.
Response: Our cost estimate was based on assumptions from internal discussions and consultation with two laboratories that provide test reports directly to patients. Although the proposed rule solicited comments and additional data from laboratories that already provide test reports directly to the patient, we did not receive any data to support adjusting the estimates provided in the proposed rule. We acknowledge that these estimates may not reflect costs for every laboratory setting. However, in the absence of data to support changing our estimate, we are not adjusting those estimates in this final rule. Laboratories may be able to learn from those in the 16 states that allow the laboratory to provide a copy of the test results to the patient and from larger reference laboratories that have already developed policies to accommodate requests received from patients that receive testing in these 16 states.
Comment: We received comments from organizations that supported the proposed change, but noted it would be impossible to know how many individuals would request their test reports. Other comments suggested the laboratory could receive a barrage of requests. One comment said our estimates of 0.05 percent to 0.5 percent of patients requesting their test report from the laboratory falls short of what is needed to meet the Department's goal of patient engagement to ensure the provider receives and acts on the test results. The commenters suggested that under the health care transformation that is taking place, the patient could be provided a digitally signed copy of the laboratory report in his or her electronic patient health record (EHR) at the same time and in the same format as the laboratory report provided electronically to the requesting health care provider's electronic health record. Patients would only need to give the requesting provider the repository identifier for their personally controlled health record for inclusion with the laboratory test order.
Response: We agree that it is difficult to know how many individuals will request their test report from covered entity laboratories. However, we received several comments indicating that the preferred method for a patient to receive laboratory test results is the same procedure as currently practiced; that is, the health care provider's office notifies the patient of the results on the same day the results are received from the laboratory. This procedure allows the patient to ask the health care provider's office for interpretation of the laboratory test report in concert with results of other procedures, as well as provides an opportunity to discuss any needed treatment or follow-up. Allowing patients to request and receive laboratory test reports directly from the laboratory will provide an additional route for them to receive the test report. However, this will not replace the current procedure. If the ordering physician does not contact the patient with critical or significant laboratory test results, patients may prompt the physician's office to find and act on the test results. The rate of apparent failures to inform or document informing the patient of abnormal test results ranges from 0 percent to 26.2 percent [
List of Subjects
42 CFR Part 493
Administrative practice and procedure, Grant programs-health, Health facilities, Laboratories,
45 CFR Part 164
Administrative practice and procedure, Computer technology, Electronic information system, Electronic transactions, Employer benefit plan, Health, Health care, Health facilities, Health insurance, Health records, Hospitals,
For the reasons set forth in the preamble, the
PART 493--LABORATORY REQUIREMENTS
1. The authority citation for part 493 continues to read as follows:
Authority: Section 353 of the Public Health Service Act, secs. 1102, 1861(e), the sentence following sections 1861(s)(11) through 1861(16) of the Social Security Act (42 U.S.C. 263a, 1302, 1395x(e), the sentence following 1395x(s)(11) through 1395x(s)(16)).
Subpart K--Quality System for Nonwaived Testing
2. Section 493.1291 is amended by--
A. Revising paragraph (f).
B. Adding a new paragraph (l).
The revision and addition read as follows:
* * * * *
(f) Except as provided in
* * * * *
(l) Upon request by a patient (or the patient's personal representative), the laboratory may provide patients, their personal representatives, and those persons specified under 45 CFR 164.524(c)(3)(ii), as applicable, with access to completed test reports that, using the laboratory's authentication process, can be identified as belonging to that patient.
For the reasons set forth in the preamble, the
PART 164--SECURITY AND PRIVACY
1. The authority citation for part 164 continues to read as follows:
Authority: 42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-9; sec. 264, Pub. L. 104-191, 110
2. Section 164.524 is amended by revising paragraphs (a)(1)(i) and (ii) and removing paragraph (a)(1)(iii) to read as follows:
(a) * * *
(1) * * *
(i) Psychotherapy notes; and
(ii) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
* * * * *
Dated:
Director,
Dated:
Administrator,
Dated:
Director,
Dated:
Secretary,
Editorial Note: This document was received at the
[FR Doc. 2014-02280 Filed 2-3-14;
BILLING CODE 4120-01-P
Copyright: | (c) 2014 Federal Information & News Dispatch, Inc. |