CLIA Program and HIPAA Privacy Rule; Patients' Access to Test Reports, 7289-7316 [2014-02280]
Vol. 79, No. 25
Thursday, February 6, 2014
Part II
Department of Health and Human Services
Centers for Medicare & Medicaid Services
42 CFR Part 493
Office of the Secretary
45 CFR Part 164
CLIA Program and HIPAA Privacy Rule; Patients’ Access to Test Reports;
Final Rule
Federal Register / Vol. 79, No. 25 / Thursday, February 6, 2014 / Rules and Regulations
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Centers for Medicare & Medicaid
Services
42 CFR Part 493
Office of the Secretary
45 CFR Part 164
[CMS–2319–F]
RIN 0938–AQ38
CLIA Program and HIPAA Privacy
Rule; Patients’ Access to Test Reports
AGENCY: Centers for Medicare &
Medicaid Services (CMS), HHS; Centers
for Disease Control and Prevention
(CDC), HHS; Office for Civil Rights
(OCR), HHS.
ACTION: Final rule.
SUMMARY: This final rule amends the
Clinical Laboratory Improvement
Amendments of 1988 (CLIA) regulations
to specify that, upon the request of a
patient (or the patient’s personal
representative), laboratories subject to
CLIA may provide the patient, the
patient’s personal representative, or a
person designated by the patient, as
applicable, with copies of completed
test reports that, using the laboratory’s
authentication process, can be identified
as belonging to that patient. Subject to
conforming amendments, the final rule
retains the existing provisions that
require release of test reports only to
authorized persons and, if applicable, to
the persons responsible for using the
test reports and to the laboratory that
initially requested the test. In addition,
this final rule amends the Health
Insurance Portability and
Accountability Act of 1996 (HIPAA)
Privacy Rule to provide individuals (or
their personal representatives) with the
right to access test reports directly from
laboratories subject to HIPAA (and to
direct that copies of those test reports be
transmitted to persons or entities
designated by the individual) by
removing the exceptions for CLIA-certified
laboratories and CLIA-exempt
laboratories from the provision that
provides individuals with the right of
access to their protected health
information. These changes to the CLIA
regulations and the HIPAA Privacy Rule
provide individuals with a greater
ability to access their health
information, empowering them to take a
more active role in managing their
health and health care.
DATES: Effective Date: These regulations
are effective on April 7, 2014.
HIPAA covered entities must comply
with the applicable requirements of this
final rule by October 6, 2014.
FOR FURTHER INFORMATION CONTACT:
For CLIA regulations: Nancy
Anderson, CDC, (404) 498–2280. Judith
Yost, CMS, (410) 786–3531.
For HIPAA Privacy Rule: Andra
Wicks, OCR, (202) 205–2292.
SUPPLEMENTARY INFORMATION:
I. Background
A. CLIA Statute and Regulations
The Clinical Laboratory Improvement
Amendments of 1988 (CLIA) and the
implementing regulations established
nationwide quality standards to ensure
the accuracy, reliability and timeliness
of clinical laboratories’ test results. The
standards vary based on the complexity
of the laboratory test method; that is, the
more complicated the test method, the
more stringent the requirements for the
laboratory.
The CLIA regulations established
three categories of testing based on
complexity level. In increasing order of
complexity, these categories are waived,
moderate complexity (which includes
the subcategory of provider-performed
microscopy (PPM)), and high
complexity. Laboratories must hold a
CLIA certificate for the most complex
form of CLIA-regulated testing that they
perform.
The CLIA regulations cover all phases
of laboratory testing, including the
reporting of test results. The CLIA
regulatory limitations that govern to
whom a laboratory may issue a test
report have become a point of concern.
The requirements for a laboratory test
report are set forth in 42 CFR 493.1291.
Under the current CLIA regulations at
§ 493.1291(f), a CLIA laboratory may
only disclose laboratory test results to
three categories of individuals or
entities: The “authorized person,” the
person responsible for using the test
results in the treatment context, and the
laboratory that initially requested the
test. “Authorized person” is defined in
§ 493.2 as the individual authorized
under state law to order or receive test
results, or both. In states that do not
allow individuals to access their own
test results, the individuals must receive
their test results through their health
care providers.
Title XIII of Division A and Title IV
of Division B of the American Recovery
and Reinvestment Act of 2009 (The
Recovery Act), which was enacted on
February 17, 2009, incorporated the
Health Information Technology for
Economic and Clinical Health (HITECH)
Act. The HITECH Act created a Federal
advisory committee known as the
Health Information Technology (HIT)
Policy Committee. The HIT Policy
Committee has broad representation
from major health care constituencies
and provides recommendations to the
Department’s Office of the National
Coordinator for Health Information
Technology (ONC) on issues relating to
the implementation of an interoperable,
nationwide health information
infrastructure. The HIT Policy
Committee has sought to identify
barriers to the adoption and use of
health information technology.
According to the HIT Policy Committee,
some stakeholders perceive the CLIA
regulations as imposing barriers to the
exchange of health information. These
stakeholders include large and medium
sized laboratories, public health
laboratories, electronic health record
(EHR) system vendors, health policy
experts, health information exchange
organizations (HIOs), and health care
providers who believe that the
individual’s access to his or her own
records is impeded, preventing patients
from having a more active role in their
personal health care decisions.
We believe these concerns, as well as
the advent of certain health reform
concepts (for example, personalized
medicine, an individual’s active
involvement in his or her own health
care, and the Department’s work toward
the widespread adoption of EHRs), call
for revisiting barriers or challenges to
individuals’ gaining access to their
health information.
The Centers for Medicare & Medicaid
Services (CMS) worked with ONC, the
Centers for Disease Control and
Prevention (CDC), and the Office for
Civil Rights (OCR) to propose changes to
the CLIA regulations and to the Health
Insurance Portability and
Accountability Act of 1996 (HIPAA)
Privacy Rule to remove barriers to an
individual’s direct access to his or her
own test reports from laboratories. See
CLIA Program and HIPAA Privacy Rule;
Patients’ Access to Test Reports, 76 Fed.
Reg. 56712, September 14, 2011. The
Department believes that this right is
crucial to provide individuals with vital
information to empower them to better
manage their health and take action to
prevent and control disease. In addition,
removing barriers in this area supports
the commitments and goals of the
Secretary of the Department of Health
and Human Services (the Department)
and the Administrator of CMS regarding
personalized medicine, an individual’s
active involvement in his or her own
health care, and the widespread
adoption of EHRs by 2014.
B. HIPAA Statute and Privacy Rule
The Health Insurance Portability and
Accountability Act of 1996, Title II,
subtitle F—Administrative
Simplification, Public Law 104–191,
110 Stat., 2021, provided for the
establishment of national standards to
protect the privacy and security of
certain individually identifiable health
information. The Administrative
Simplification provisions of HIPAA and
their implementing regulations apply to
three types of entities, which are known
as “covered entities”: Health care
providers who conduct covered health
care transactions electronically, health
plans, and health care clearinghouses.
A laboratory, as a health care
provider, is only a covered entity if it
conducts one or more covered
transactions electronically, such as
transmitting health care claims or
equivalent encounter information to a
health plan, requesting prior
authorization from a health plan for a
health care item or service it wishes to
provide to an individual with coverage
under the plan, or sending an eligibility
inquiry to a health plan to confirm an
individual’s coverage under that plan.
If a laboratory does not conduct any
of these or the other HIPAA standard
transactions electronically (either
because it does not conduct the
transactions at all or because it does so
via paper), then the laboratory is not
subject to the HIPAA Privacy Rule (45
CFR Part 160 and Part 164, subparts A
and E). Any laboratory that conducts a
single electronic transaction for which
there is a HIPAA standard under the
HIPAA Transactions and Code Sets Rule
becomes a covered entity and is subject
to the Privacy Rule with respect to all
protected health information that it
creates or maintains (that is, the
application of the Privacy Rule is not
limited to the individuals or records
associated with an electronic
transaction). This final rule does not
alter the requirements for what makes a
laboratory a HIPAA covered entity.
The Privacy Rule at § 164.524
provides individuals with a general
right of access to inspect and obtain a
copy of protected health information
about the individual in a designated
record set maintained by or for a
covered entity. A “designated record
set” is defined at 45 CFR § 164.501 as
a group of records maintained by or for
a covered entity that is comprised of:
The medical records and billing records
about individuals maintained by or for
a covered health care provider; the
enrollment, payment, claims
adjudication, and case or medical
management record systems maintained
by or for a health plan; or other records
that are used, in whole or in part, by or
for the covered entity to make decisions
about individuals.
The term “record” means “any item,
collection, or grouping of information
that includes protected health
information and is maintained,
collected, used or disseminated by or for
a covered entity.” Laboratory test
reports that are maintained by or for a
laboratory that is a covered entity are
part of a designated record set.
The HIPAA Privacy Rule requires a
HIPAA covered entity to provide the
individual with a copy of the
information in his or her designated
record set in the form and format
requested by the individual, if a copy in
that form and format is readily
producible. Where the information in
the designated record set is maintained
electronically, and the individual
requests an electronic copy of the
information, the covered entity must
provide the individual with access to
the information in the requested
electronic form and format, if it is
readily producible in that form and
format. When it is not readily
producible in the electronic form and
format requested, then the covered
entity must provide the copy in an
alternative readable electronic format as
agreed to by the covered entity and the
individual (see § 164.524(c)(2)(ii)).
The right of access under § 164.524
extends not only to individuals, but also
to individuals’ personal representatives,
who generally are persons authorized
under applicable law to make health
care decisions for the individual. The
rules governing who may act as a
personal representative under the
Privacy Rule are set forth at
§ 164.502(g). Additionally, under
§ 164.524(c)(3)(ii), if requested by an
individual who is exercising his or her
right of access, a covered entity must
transmit the copy of protected health
information directly to another person
or entity designated by the individual.
However, while individuals (and
personal representatives) generally have
the right to inspect and obtain a copy of
their protected health information in a
designated record set, the current
Privacy Rule includes a set of
exceptions related to CLIA. Specifically,
the right of access under § 164.524 of
the Privacy Rule does not apply to:
Protected health information
maintained by a covered entity that is—
(1) subject to CLIA to the extent the
provision of access to the individual
would be prohibited by law; or (2)
exempt from CLIA. These exceptions,
found at § 164.524(a)(1)(iii)(A) and (B)
of the Privacy Rule, cover test reports
and other protected health information
only at CLIA and CLIA-exempt
laboratories. The individual has a right
to access this information when held by
any other type of covered entity (for
example, a hospital or treating
physician).
These exceptions were included in
the Privacy Rule because the
Department wanted to avoid a conflict
with the CLIA regulatory requirements
that limited patient access to test reports
(65 FR 82485, December 28, 2000).
However, because CMS proposed to
amend the CLIA regulations to allow
CLIA-certified laboratories to provide
patients with direct access to their test
reports, the Department simultaneously
proposed to remove the exceptions for
CLIA and CLIA-exempt laboratories
from the right of access at § 164.524 so
that HIPAA-covered laboratories would
be required by HIPAA to provide
individuals, upon request, with access
to their completed test reports.
II. Summary of the Proposed Changes
to the CLIA Regulations (§ 493.1291)
On September 14, 2011, we published
a proposed rule in the Federal Register
entitled, “Patients’ Access to Test
Reports” (76 FR 56712) that, if finalized,
would amend § 493.1291 of the CLIA
regulations. Specifically, we proposed
to add at 42 CFR 493.1291(l) to specify
that, upon a patient’s request (or upon
the request of the patient’s personal
representative), the laboratory may
provide a patient with access to his or
her completed test reports that, using
the laboratory’s authentication
processes, can be identified as belonging
to that patient. While we proposed to
use the word “may,” we highlighted the
importance of reading the proposed
amendments to the CLIA regulations in
concert with the proposed changes to
the HIPAA Privacy Rule (discussed
below), which would require covered
entity laboratories to provide patients
with access to test reports. We did not
propose to specify in the CLIA
regulations the mechanism by which
patient requests for access would be
submitted, processed, or responded to
by the laboratories. In providing this
latitude, we intended to allow patients
and their personal representatives
access to patient test reports in
accordance with the requirements of the
HIPAA Privacy Rule. Subject to
conforming amendments, we proposed
to retain the existing requirements at
§ 493.1291(f) that otherwise limit the
release of test reports to authorized
persons and, if applicable, the
individuals (or their personal
representatives) responsible for using
the test reports and the laboratory that
initially requested the test.
III. Summary of the Proposed Changes
to the HIPAA Privacy Rule (§ 164.524)
The Department also proposed to
amend the HIPAA Privacy Rule at 45
CFR 164.524(a)(1)(iii)(A) and (B) to
remove the exceptions to an
individual’s right of access that relate to
CLIA and CLIA-exempt laboratories to
align the Privacy Rule with CMS’
proposed changes to the CLIA
regulations and the Department’s goal of
improving individuals’ access to their
health information.
Under the proposal, HIPAA covered
entities that are laboratories subject to
CLIA, as well as those that are exempt
from CLIA, would have the same
obligations as other types of covered
health care providers with respect to
providing individuals (or their personal
representatives) with access to their
protected health information in
accordance with § 164.524.
Consistent with the proposed change
to the CLIA regulatory requirements,
which would allow a laboratory to
provide patients and their personal
representatives with direct access to
completed test reports when the
laboratory can authenticate that the test
report pertains to the patient, we also
clarified that CLIA and CLIA-exempt
laboratories that are HIPAA covered
entities would have to satisfy the
verification requirement of § 164.514(h)
of the Privacy Rule before providing an
individual with access. We recognized
that a laboratory could receive a test
order with only an anonymous
identifier and be unable to identify the
individual who is the subject of the test
report. We noted that it was not our
intent to discourage anonymous testing.
As we discussed in the proposed rule,
a laboratory that received a request for
access from an individual where the
laboratory could not authenticate that
the requesting individual is the subject
of a test report would be under no
obligation to provide access.
The proposed rule also explained that
the changes to the HIPAA Privacy Rule
would result in the preemption of a
number of state laws that prohibit a
laboratory from releasing a test report
directly to the individual or that
prohibit the release without the ordering
provider’s consent because the state
laws now would be contrary to the
access provision of the HIPAA Privacy
Rule mandating direct access by the
individual.
Finally, we explained that it was our
intent that HIPAA-covered laboratories
would be required to comply with the
revised individual access requirements
of the Privacy Rule by no later than 180
days after the effective date of any final
rule. The effective date of the final rule
would be 60 days after publication in
the Federal Register, so laboratories
subject to HIPAA would have a total of
240 days after publication of the final
rule to come into compliance.
IV. Provisions of the Final Regulations
This final rule adopts the proposed
changes to both the CLIA regulations
and the HIPAA Privacy Rule, with
minor clarifications and conforming
changes, which are explained below in
the relevant responses to comments.
These modifications broaden
individuals’ rights to access their
protected health information directly
from laboratories subject to HIPAA. In
addition, the changes remove federal
barriers to direct access for laboratories
not subject to HIPAA. With respect to
the CLIA regulations, this final rule
allows laboratories subject to CLIA,
upon the request of a patient (or the
patient’s personal representative) to
provide access to completed test reports
that, using the laboratory’s
authentication process, can be identified
as belonging to that patient. The final
rule also clarifies that laboratories
subject to CLIA may provide a copy of
the patient’s test reports to a person or
entity designated by the patient to
receive such reports in accordance with
the HIPAA Privacy Rule at
§ 164.524(c)(3)(ii). Subject to certain
conforming amendments, this final rule
retains the CLIA regulatory provision
that requires the release of test reports
only to authorized persons, to the
persons responsible for using the test
reports, and to the laboratory that
initially requested the test. These CLIA
regulatory modifications take effect 60
days after publication of this final rule
in the Federal Register.
With respect to the Privacy Rule, the
final rule removes the exceptions to an
individual’s right of access at
§ 164.524(a)(1)(iii) related to CLIA and
CLIA-exempt laboratories. Thus, as of
the compliance date of this final rule,
HIPAA-covered laboratories will be
required to provide an individual (or the
individual’s personal representative)
with access, upon request, to the
individual’s completed test reports (and
other information maintained in a
designated record set) in accordance
with the provisions of § 164.524 of the
Privacy Rule. The compliance date of
this rule is October 6, 2014.
The Department’s rationale for
adopting the proposed provisions in this
final rule, along with further
clarifications and interpretations of the
provisions, is explained below in the
responses to the public comments.
V. Analysis of and Responses to Public
Comments
In response to the September 2011
proposed rule, we received over 160
timely public comments on various
issues related to the rule. Interested
parties that submitted comments
included health care consumers and
patient advocacy organizations;
laboratories, hospitals, and other health
care providers and their associations;
information technology organizations;
governmental organizations, and others.
We have analyzed these comments and
determined that it is appropriate to
finalize the provisions as set forth in the
proposed rule. The comments we
received on these provisions and our
responses are set forth below.
A. Right of Direct Access to Laboratory
Test Reports
Comment: A number of providers and
laboratories expressed concerns about
giving individuals a way to receive
laboratory test reports without the
benefit of provider interpretation and
without contextual knowledge that may
be necessary to properly read and
understand the reports. For example,
commenters expressed concern that
patients might receive and act upon
results that appear to be abnormal
(showing false positives or false
negatives, or results that are out of the
normal range for the general population)
but may be normal for that particular
patient due to his or her medical
conditions. Commenters also requested
that the Department clarify that the
laboratories themselves would not be
required to interpret test reports for
individuals.
Other commenters stated that the
proposed rule was redundant, and
would add significant burden without a
commensurate benefit to individuals, as
existing HIPAA and HITECH Act
(§ 13405(e)) laws already provide
individuals with a comprehensive right
to access their protected health
information, including test reports,
through their physicians. Further, some
commenters stated that the Medicare
and Medicaid Electronic Health Record
(EHR) Incentive Programs,1 which
include criteria to ensure that certain
laboratory test reports become
standardized elements in a certified
EHR, are a better mechanism than the
proposed rule to ensure more timely
access to all health information. The
1 See https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/index.html.
commenters also stated that the
information provided to individuals
through the Medicare and Medicaid
EHR Incentive Programs’ requirements
will be in a more consistent, more user-friendly, and more interoperable format
than that obtained directly from a
laboratory. Furthermore, commenters
stated that many providers have already
invested significant dollars and
resources in secure patient portals to
provide for individual access to health
information directly from these
providers.
In contrast, other commenters,
including certain laboratories,
consumers, and consumer advocates,
generally supported expanding an
individual’s right of access to include
receiving test reports directly from
laboratories. These commenters stated
that providing individuals with the
ability to access their laboratory test
reports directly from laboratories would
provide individuals with an increased
ability to play a more active role in their
health care and have more informed
conversations with their health care
providers, resulting in better health
outcomes. Some commenters also
thought that the proposals would
remove barriers to the electronic
exchange of individually identifiable
health information.
Further, in response to concerns
regarding instances in which patients
might misunderstand or become
distressed over the results of laboratory
tests due to the lack of treating provider
interpretation or counseling, some
commenters stated that they would not
anticipate that many patients will
request direct access to any test reports
that they do not feel prepared to review
on their own. Rather, the commenters
indicated that the proposals would
encourage doctors to more proactively
discuss the range of possible results and
the consequences of each before tests
are ordered. One laboratory noted that,
in its experience, many patients do not
request access to their test results until
they have spoken to a physician about
them. Some commenters challenged
what they termed to be a “paternalistic”
notion that patients are unable to
understand their health data without
physician explanation. These
commenters stated that if patients want
additional information from, or
consultation with, their physicians, they
will follow up with their physicians
directly.
Response: We appreciate all of the
comments that we received with regard
to the right of individuals to access their
laboratory test reports directly from
laboratories. We agree with those
commenters who stated that the rule is
necessary to ensure patients have better
and more complete access to their
health information, which will enable
patients to be more proactive and more
informed with regard to their health
care. However, we disagree with those
commenters who argued that the rule
would be redundant. While individuals
do have a right of access to their health
information under the HIPAA Privacy
Rule, there may be circumstances when
an ordering or treating provider is not
subject to the HIPAA Privacy Rule (for
example, because the provider does not
bill health plans electronically) and,
thus, is not required to provide an
individual with access to his or her
health information. Further, some
studies have found that physician
practices failed to inform patients of
abnormal test results about seven
percent of the time, resulting in a
substantial number of patients not being
informed by their providers of clinically
significant test results. See Casalino LP,
Dunham D, Chin MH, et al. Frequency
of Failure To Inform Patients of
Clinically Significant Outpatient Test
Results, Arch Intern Med., June 22,
2009, 169 (12): 1123–1129. The rule
strengthens individuals’ current ability
to have access to completed test reports
by ensuring they are able to access them
directly from HIPAA-covered
laboratories.
Finally, comments regarding the
provision of access through the
mechanisms established by EHR
Incentive Programs failed to recognize
the voluntary nature of the programs or
the fact that the programs’ requirements
do not pertain to laboratories.
Furthermore, the rule does not
diminish the investment health care
providers have made to provide
individuals with access to their health
information through patient portals, as
those portals provide patients with
access to a much broader range of health
information than just test results. The
rule provides an additional avenue for
an individual to obtain test reports
directly from laboratories, which we
expect will reduce the chances of
patients not being informed of
laboratory test results and potentially
reduce the numbers of patients who fail
to seek appropriate care. We also agree
with commenters that increased patient
access to laboratory test reports, which
can then be shared with the patient’s
other providers, will help reduce
unnecessary and duplicative testing.
With respect to those comments
concerned about patients receiving test
reports without the benefit of provider
interpretation, we emphasize that this
rule does not alter the role of the
ordering or treating provider in
reporting and explaining test results to
patients. We expect that patients will
continue to obtain test results and
advice about what those test results
mean, through their ordering or treating
providers. Further, as noted above, for
those individuals who do or will request
access to test reports from a laboratory,
it was the experience of one large
laboratory that many patients do not
request access to their test reports from
a laboratory until they have spoken with
their physicians. We expect this trend to
continue to generally be the case. We
also agree with commenters that the rule
will further encourage ordering and
treating providers to more proactively
discuss with patients the range of
possible test results and what the results
may mean for the particular patient
before or at the time the test is ordered.
Further, under the HIPAA Privacy
Rule, in most cases, laboratories will be
required to provide individuals with
access to their laboratory test reports
within 30 days of the request (see
§ 164.524(b)(2)(i)). As discussed more
fully below, in cases where an
individual requests access to completed
test reports, we believe 30 days will
generally be sufficient to allow the
ordering or treating provider to receive
the test report in advance of the
patient’s receipt of the report, and to
communicate the result to the patient,
and counsel the patient as necessary
with regard to the result.
Finally, we clarify that this final rule
does not require that laboratories
interpret test results for patients.
Patients merely have the right to inspect
and receive a copy of their completed
test reports and other individually
identifiable health information
maintained in a designated record set by
a HIPAA-covered laboratory.
Laboratories may continue to refer
patients with questions about the test
results back to their ordering or treating
providers.
Comment: Some commenters
indicated they would support changes
to the regulations, which would permit,
but not require, laboratories to provide
individuals with access to their
completed test reports. One commenter
stated that the proposed rule was
unclear as to whether laboratories will
have the discretion to provide access, or
whether they will be required to provide
access, to individuals who request their
test reports. Other commenters were
concerned about the differential
application of the rule to HIPAA-covered versus non-HIPAA-covered
laboratories, stating that this construct
will create confusion and frustration
among patients who may expect to be
able to access their test reports from any
laboratory and who may not understand
the distinction among laboratories based
on HIPAA covered entity status.
Response: Laboratories that are
HIPAA covered entities are required by
this final rule to provide, upon request
by an individual or the individual’s
personal representative, access to the
protected health information about the
individual maintained in a designated
record set in accordance with the
HIPAA Privacy Rule at § 164.524. CLIA
laboratories that are not subject to
HIPAA will have discretion to provide
patients with direct access to their
laboratory test reports, subject to any
applicable state laws that may constrain
access.
We do not believe it is appropriate to
only permit rather than require HIPAA-covered laboratories to provide
individuals with access to their test
reports. This may not significantly
expand individuals’ ability to access
their health information, as some
laboratories not currently providing
individuals with direct access to their
test reports might choose not to begin
providing direct access. Further, in a
number of states, state law prohibits
laboratories from providing individuals
with direct access to their test reports.
If the HIPAA Privacy Rule merely
permitted access, it would not preempt
those state laws that prohibit direct
access, because a permissive federal
requirement is not contrary to a
prohibitive state law (see § 160.202). As
of the effective date of this final rule, the
CLIA regulations will expressly permit
the disclosure of test reports to the
individual. The combination of the
change in the HIPAA Privacy Rule,
combined with the change to the CLIA
regulations, will result in HIPAA-covered laboratories being required to
disclose test reports to patients, in most
cases, within 30 days of a request.
Comment: A few commenters stated
that the rule should only apply to the
primary laboratory to which the
specimen was submitted, as opposed to
reference laboratories that may perform
some or all of the testing. These
commenters stated that reference
laboratories have no relationship with
the individual and have either limited
or inadequate information about the
individual to enable the laboratory to
provide individuals with access. A few
commenters indicated that, while
applying the rule to hospital
laboratories with respect to the test
reports of the hospital’s own patients
may not be a significant challenge,
applying the rule to hospital
laboratories in their role as reference
laboratories for other providers, such as
community physicians and other
laboratories, would raise significant
operational challenges.
In contrast, one laboratory commenter
recommended that no laboratories be
exempt from the individual access
requirements, stressing the importance
of uniform application of the rule and
a patient’s ability to access his or her
test report from whatever laboratory
performed the test.
Response: We appreciate the
commenters’ concerns regarding
laboratory contact with individuals;
however, we do not agree that limited
information about the individual who is
the subject of a test report is a sufficient
reason to exempt reference laboratories
from the access requirements of the
HIPAA Privacy Rule. We believe
applying the access requirements as
broadly and uniformly as possible best
furthers the Department’s goal of
increasing direct individual access
rights to health information. To the
extent that reference laboratories are
covered entities under HIPAA, they will
be required, upon the compliance date
of this rule, to provide individuals with
access to test reports in compliance with
§ 164.524 of the Privacy Rule. Reference
laboratories that are not subject to
HIPAA will not be under any federal
obligation to provide access, but they
will be permitted to do so under Federal
law. However, we expect that, in most
cases, individuals will continue to
request access to their health
information either from their treating
provider, or from the referring
laboratories. This expectation is based
on our understanding that many, if not
most, individuals will not be aware of
the identity of the reference laboratory,
or may not know that a reference
laboratory is conducting all or part of
the ordered tests. Therefore, we do not
expect reference laboratories to
encounter many individual requests for
access. Furthermore, in the limited
circumstances where a patient may
request access to test reports from a
laboratory acting as a reference
laboratory with respect to that patient,
the reference laboratory need only
provide the individual with the
requested access to the extent the
laboratory can authenticate the test
report as belonging to that patient. The
same applies for hospital laboratories
that also act as reference laboratories.
Finally, we do not believe that there
will be significant operational issues for
hospital laboratories as hospitals
already have policies and procedures in
place to comply with the existing
HIPAA Privacy Rule access provisions
and the hospital laboratories can use
these policies and procedures for
purposes of this rule.
B. Scope of Information to Which an
Individual Has Access
Comment: A number of commenters
indicated that the rule should apply
only to tests administered after the final
rule is published or becomes effective.
These commenters expressed concern
with laboratories having to retrieve
copies of old test reports that have been
archived and may exist offsite. For
example, commenters stated that many
laboratories have archived test reports
that exist on paper or on backup tapes,
and that it would be costly and
burdensome to retrieve and transfer the
archived test reports to other suitable
media to transmit to an individual.
A few commenters asked that the rule
not require laboratories to provide test
reports that have been kept beyond the
retention date(s) required in the CLIA
regulations. One commenter indicated
that the rule should specify a timeframe
after a test report is first generated
beyond which an individual would not
have a right to access the test report
directly from the laboratory.
Response: While we appreciate the
commenters’ concerns, as with any
other HIPAA covered entity, under this
final rule, an individual has a right to
access information about the individual
in one or more designated record sets
maintained by a HIPAA-covered
laboratory, for as long as the information
is maintained by the laboratory (see
§ 164.524(a)(1)). This right extends to
test reports and other information about
the individual in a designated record set
maintained offsite, archived, or created
before the publication or effective date
of this final rule. We do not agree that
information created before the effective
date of this final rule should be exempt
from the access requirement. The
reasons for granting individuals access
to health information pertaining to them
do not vary with the date the
information was created. In cases where
retrieving records that have been
archived may take longer than 30 days
from the individual’s request, a covered
laboratory may request one 30-day
extension, if it provides the reason for
the delay in writing to the requesting
individual. See the Privacy Rule
requirements for timely action on access
requests at § 164.524(b)(2).
We also clarify that this final rule
does not impose any new record
retention requirements for laboratory
test reports. These obligations are
established under CLIA and other
applicable Federal and state laws. See,
for example, 42 CFR § 493.1105. Rather,
it provides an individual with a right to
access protected health information in
the designated record set of a HIPAA-covered
laboratory for as long as the
laboratory maintains the information
(even in those cases where the
information is maintained beyond
applicable record retention
requirements).
Comment: Some commenters
supported the language in the proposed
rule at § 493.1291(l) that limited
patients’ access to ‘‘completed’’ test
reports. Other commenters felt that
additional guidance was needed as to
what information qualified as a
‘‘completed’’ test report. For example,
one commenter asked whether a test
report is considered ‘‘completed’’ (and
subject to the right of access) each time
a component of a multi-step test is
completed or only when all aspects of
the ordered test are completed and
recorded in a finalized report that is
ready for issuance. The commenter also
asked, in circumstances where a single
order involves a test to be performed
multiple times over a period of time,
whether the report is considered
complete each time the test is performed
or only after the entire series of tests is
performed. This commenter suggested
that the test report should be considered
‘‘complete,’’ and subject to the right of
access, only when all of the test results
are final.
Response: Under the HIPAA Privacy
Rule at § 164.524(a)(1), an individual
has a general right to access the
protected health information about the
individual in a designated record set
maintained by a covered entity or its
business associate. As described above,
laboratory test reports maintained by or
for a laboratory that is a HIPAA covered
entity fall within the definition of
‘‘designated record set.’’ However, test
reports may be only part of a designated
record set that a HIPAA-covered
laboratory holds. To the extent an
individual requests access to all of his
or her protected health information, a
HIPAA-covered laboratory is required to
provide access to all of the protected
health information in the entire
designated record set. This could
include, for example, completed test
reports, test orders, ordering provider
information, billing information, and
insurance information.
While an individual may have a right
to all of this information, we do not
expect that many individuals will
request access to all of the protected
health information about the individual
that the laboratory may hold in a
designated record set. Rather, we expect
that most individuals will request
access to test reports of discrete
laboratory tests that they know were
ordered by their providers. In these
cases, the Privacy Rule requires a
HIPAA-covered laboratory to provide
the individual with a copy of or access
to only the specific information
requested by the individual.
Further, a HIPAA-covered laboratory
is required to provide an individual
with access only to that information that
it actually maintains about the
individual in a designated record set at
the time the request for access is
fulfilled. For purposes of this final rule,
we clarify that we do not consider test
reports to be part of the designated
record set until they are ‘‘complete.’’ To
maintain consistency with CLIA, we
consider a test report to be complete
when all results associated with an
ordered test are finalized and ready for
release.
If an individual requests access to a
particular test report, we expect that the
HIPAA Privacy Rule’s time allowance of
30 days from the request to provide
access will be sufficient in most cases to
provide the individual with access to
the completed test report as we expect
many requests for access will be made
days after the order has been placed by
the physician or even after the patient
has discussed a particular result with
his or her physician. In those limited
cases where 30 days may not be
sufficient to complete the test report,
due to the nature of the tests to be
performed, and the laboratory knows
this at the time the individual requests
access, we expect a covered entity
laboratory to explain this circumstance
to the individual. Upon informing
individuals when they request access
that the test report they are seeking will
take longer than 30 days to complete,
the individuals are likely to be willing
to withdraw or hold their request until
a later time to ensure that they get
access to what they want or need. If an
individual chooses not to withdraw his
or her request for access, the individual
will then have a right only to obtain the
protected health information in the
designated record set at the time the
request is fulfilled, which may not
include a particular test report because
it is not yet complete. If a laboratory
determines, after it has accepted a
request, that the requested test will take
more than 30 days to analyze and
complete, it may notify the individual
in writing within the initial 30-day
period of the need and specific reason
for the delay in providing access to the
completed test result and the date by
which the laboratory will complete its
action on the request, in accordance
with § 164.524(b)(2)(iii) of the HIPAA
Privacy Rule. We note, however, that
the HIPAA Privacy Rule allows only one
extension on an access request. In the
rare circumstance where 60 days is not
sufficient to provide the individual with
access to a completed test report, the
covered laboratory must provide the
individual with only the existing
protected health information that is part
of the designated record set within that
time (for example, other completed test
reports or test requisitions), which
would then not include the test report
requested by the individual, because the
test report is not yet complete.
In general, we expect the initial 30-day period allowed by the Privacy Rule
to provide sufficient time to provide
individuals with access to completed
test reports. However, we acknowledge
there may be rare circumstances when
it would not be, and we expect covered
laboratories to communicate and work
with individuals concerning these
limitations.
Comment: Some providers and
laboratories objected to individuals
having direct access to laboratory test
reports they characterize as ‘‘sensitive,’’
including genetic, cancer, pregnancy,
sexually-transmitted disease, and
mental health test results. Commenters
stated there are tests for which it is
acceptable to release results to the
patient without physician involvement
(for example, cholesterol test results)
and there are tests for which it is not (for
example, cancer or HIV test results).
One commenter stated, for example, that
under California law, before the
disclosure of HIV test results, the
physician has a duty to discuss what the
results may mean and offer the patient
appropriate education and
psychological counseling. Some
commenters recommended giving
ordering and treating providers ample
discretion to determine when it is in the
patient’s best interest to receive test
reports without the benefit of a
physician’s interpretation. Others
recommended that laboratories be
permitted to identify tests or categories
of tests that may only be released to the
physician and to limit an individual’s
direct access to the reports.
In contrast, some commenters stated
that all test reports should be treated
equally, providing several reasons,
including: Patients today are much
better informed and have access to
interpretative information on laboratory
results from many sources, including
the internet; given the timeframes
allowed for providing access under the
HIPAA Privacy Rule, it is likely that the
ordering or treating provider will
receive results well before the patient
and will have adequate time to discuss
the result and what it means in terms of
the patient’s health care with the
patient; and trying to identify which
tests are sensitive is subjective and not
necessarily in the best interest of the
patient.
Response: Under the HIPAA Privacy
Rule, an individual generally has a
broad right of access to any or all of his
or her health information maintained in
a designated record set. In this final
rule, we extend that broad right to the
laboratory setting. With a very limited
exception, covered entities may not
deny an individual access to his or her
health information based on the
information’s sensitive nature or
potential for causing distress to the
individual. The limited exception is for
cases where a licensed health care
professional has determined, in the
exercise of professional judgment, that
the access requested is reasonably likely
to endanger the life or physical safety of
the individual or another person, and
the individual is provided a right to
have the denial of access reviewed by an
unaffiliated health care professional (see
§ 164.524(a)(3)(i)).
As we discuss elsewhere in this final
rule, we do not believe that this rule
will eliminate or interfere with the role
or obligation of the treating or ordering
provider to report and counsel patients
on laboratory test results. The rule
provides ample time to ensure providers
receive sensitive test reports before the
patient and to allow providers to
counsel individuals on the test reports.
In addition, as indicated above, we
believe the rule will further encourage
providers, at the time the test is ordered,
to counsel patients on the potential
outcomes of a test and what they may
mean for the patient, given his or her
medical history.
Finally, we agree with commenters
who stated that categorizing laboratory
testing into ‘‘sensitive’’ and ‘‘nonsensitive’’ categories would be a
subjective endeavor that would not
necessarily result in policies that are in
the patient’s best interest. This endeavor
also would result in a lack of uniformity
across states and laboratories with
respect to the types of information to
which an individual has access under
the rule. This outcome would be too
complex and burdensome for
laboratories to administer and confusing
for individuals attempting to exercise
their rights.
Comment: A few commenters, while
in general support of the proposed rule,
raised specific concerns about providing
laboratory test reports directly to certain
mental health patients (for example,
those who may be suffering from
medical conditions such as paranoia).
These commenters were concerned that
direct access to laboratory test reports
without any involvement of the
treatment team could have a very
negative impact on the mental health of
these patients. Some commenters asked
that the current provision in the HIPAA
Privacy Rule allowing the denial of
access to protected health information
when the access is reasonably likely to
endanger the life or physical safety of
the individual or another person also
apply to access made available under
this final rule. They suggested that this
would allow providers to determine
when prior provider review and
approval would be required before the
release of given laboratory test reports to
mentally ill patients.
Response: We believe the existing
exceptions to access in the Privacy Rule
appropriately balance an individual’s
right to access his or her health
information with other considerations,
such as the potential for harm.
Therefore, we decline to provide a
specific exception to the right of access
for mental health patients. A laboratory
is subject to the same requirements
under the HIPAA Privacy Rule as other
covered entities to generally provide all
individuals with access to their health
information. As previously discussed,
we believe the 30 day time-frame (plus
one 30 day extension) provides
laboratories with sufficient time to
ensure treating or ordering physicians
receive test reports before the patient’s
receipt of the test report, which will
allow them to counsel the patient with
respect to the test result.
As noted above, the HIPAA Privacy
Rule at § 164.524(a)(3)(i) provides that a
covered entity may deny access to an
individual if a ‘‘licensed health care
professional’’ has determined, in the
exercise of professional judgment, that
the access requested by the individual is
reasonably likely to endanger the life or
physical safety of the individual or
another person. However, this is a
limited exception to an individual’s
right of access and applies only with
respect to endangerment of the life or
physical safety of the individual or
another person; thus, concerns about
psychological or emotional harm are not
sufficient to justify denial of access.
Furthermore, a HIPAA-covered
laboratory that wishes to deny access to
the individual based on a determination
by a licensed health care professional
must provide the individual with an
opportunity to have the denial reviewed
by a licensed health care professional
who is designated by the laboratory to
act as a reviewing official and who did
not participate in the original decision
to deny. The HIPAA-covered laboratory
must promptly refer a request for review
to the reviewing official, who must
determine, within a reasonable amount
of time, whether or not to deny the
access requested. See § 164.524(d). The
laboratory would then be required to
provide or deny access in accordance
with the determination of the reviewing
official (see § 164.524(a)(4)).
Comment: Two commenters requested
clarification on whether the expanded
right of individual access would apply
to food or environmental test reports
maintained by a laboratory, that are the
result, for example, of testing done after
an outbreak of disease, and that may be
linked to particular patients. A public
health laboratory requested clarification
on how this rule applies to public
health surveillance or outbreak test
reports. One commenter requested
clarification as to whether individuals
would have a right to employment-related test results, such as testing for
drug and alcohol use. Finally, another
commenter asked that patient access to
laboratory results be expanded to
include the results of radiologic
assessments.
Response: This final rule is intended
to remove barriers in the HIPAA Privacy
and CLIA regulations to individual
access to test reports maintained by
laboratories subject to or exempt from
CLIA. If the samples tested are not of the
human body, the entity conducting the
testing is not subject to CLIA for
purposes of that testing or those test
results. Furthermore, if the testing is not
for the purpose of providing information
for the diagnosis, prevention, or
treatment of any disease or impairment
of, or the assessment of the health of
human beings, that testing and those
test results are also not subject to CLIA.
Some outbreak and surveillance
activities may involve testing samples
from humans and thus be subject to
CLIA if individual patient-specific test
results are reported to ordering
providers. However, CLIA does not
apply to test results that are only used
for epidemiological studies or reported
in the aggregate without patient
identifiers.
As for employment-related testing, the
CLIA regulations are not applicable to
an employer or entity that performs
substance abuse testing strictly for the
purpose of employment screening
where test results are merely used to
determine compliance with conditions
of employment, as opposed to
counseling or some other form of
treatment. Substance abuse testing as
part of a treatment program is covered
by CLIA.
Even if CLIA does not apply to the
conduct of certain types of laboratory
tests, HIPAA may still apply to require
access to certain test reports to the
extent the laboratory is a HIPAA
covered entity and the information to
which an individual is requesting access
is protected health information under
HIPAA. Individuals have a right to
access test reports in designated record
sets held by or for HIPAA-covered
laboratories that constitute protected
health information under the HIPAA
Privacy Rule—that is, those reports that
relate to the past, present, or future
physical or mental health or condition
of an individual or the provision of
health care to an individual (which
would include testing for the presence
of alcohol or drugs) and that identify the
individual, or with respect to which
there is a reasonable basis to believe that
information in the test report can be
used to identify the individual. See the
definitions of ‘‘individually identifiable
health information’’ and ‘‘protected
health information’’ at § 160.103. Food,
environmental, or other test reports that
do not identify or relate to an individual
are not protected health information for
purposes of the HIPAA Privacy Rule.
Although the CLIA regulations do not
cover radiologic testing or assessments,
these tests and assessments have always
been subject to an individual’s right of
access under the HIPAA Privacy Rule to
the extent they are maintained by a
hospital or other HIPAA covered entity.
C. Access by Personal Representatives
and Designated Third Parties
Comment: Several commenters raised
concerns regarding access to an
individual’s sensitive laboratory test
reports, such as those concerning
reproductive health, by the individual’s
parents, spouse, partner, or other
persons, when the individual may not
want these persons to see the test report.
Response: We understand
commenters’ concerns and provide the
following guidance to HIPAA-covered
laboratories regarding how the Privacy
Rule ensures that only persons with
appropriate authority are provided
access. With respect to adult
individuals, the only persons that have
a right to access an individual’s test
reports directly from a HIPAA covered
entity are those persons who qualify as
a personal representative of the
individual. A personal representative
for purposes of the Privacy Rule
generally is a person who has authority
under applicable law to make health
care decisions for the individual (see
§ 164.502(g)). Before providing access to
a person other than the individual who
is requesting access, a HIPAA-covered
laboratory is required under
§ 164.514(h) of the Privacy Rule to
verify both the identity and authority of
the person to have access to the
individual’s protected health
information. In order to conduct the
required verification, a covered
laboratory may need to obtain
documentation that the person
requesting access to the individual’s
protected health information qualifies as
the individual’s personal representative,
for example, by having the person
present a written health care power of
attorney or, general power of attorney or
durable power of attorney that includes
the power to make health care
decisions, or other evidence of the
person’s authority to act as a personal
representative.
With respect to an unemancipated
minor, in most cases, a parent is the
personal representative of the minor,
because the parent usually has the
authority under state law to make health
care decisions about his or her minor
child. However, there are limited
exceptions in the HIPAA Privacy Rule
to the parent being a personal
representative of his or her minor child,
which generally apply in circumstances
where minors are able to obtain
specified health care services without
parental consent under state or other
laws, or standards of professional
practice. Additional information on
these circumstances is available at
https://www.hhs.gov/ocr/privacy/hipaa/
understanding/coveredentities/
personalreps.html.
Regardless, however, of whether a
parent is the personal representative of
a minor child, the Privacy Rule defers
to state or other applicable laws that
expressly address the ability of the
parent to obtain health information
about the minor child. In doing so, the
Privacy Rule permits a covered entity to
provide the parent with access to a
minor child’s protected health
information when and to the extent it is
permitted or required by state or other
laws (including relevant case law).
Likewise, the Privacy Rule prohibits a
covered entity from providing a parent
with access to a minor child’s protected
health information, when and to the
extent it is prohibited under state or
other laws (including relevant case law).
If state or other applicable law is silent
concerning parental access to the
minor’s protected health information,
and a parent is not the personal
representative of a minor child based on
one of the exceptional circumstances
described above, a covered entity has
discretion to provide or deny the parent
access to the minor’s health
information, if doing so is consistent
with state or other applicable law, and
provided the decision is made by a
licensed health care professional in the
exercise of professional judgment. For
example, where a minor is able under
state law to consent and obtain
treatment for a reproductive health care
service that involves laboratory testing,
and the state law is otherwise silent on
parental access to a minor’s protected
health information, a testing laboratory
that has received a parent’s request for
access to this test report of the minor
child may wish to take into account any
instructions of the treating medical
professional in determining whether to
grant or deny access to the parent of the
minor.
In general, we expect personal
representatives will continue to obtain
access to individuals’ health
information through the individual’s
treating providers, with whom many
personal representatives will already
have established a relationship and be
known to the provider. Therefore, we do
not expect HIPAA-covered laboratories
will receive many requests from persons
requesting access as a personal
representative of the individual.
With respect to laboratories that are
not HIPAA covered entities, the changes
to the CLIA regulations in this final rule
merely permit, not require, the
disclosure of completed test reports to
an individual’s personal representative.
Thus, laboratories not subject to HIPAA
should exercise their judgment in
providing access to personal
representatives, while taking into
account any other applicable federal or
state laws.
Comment: A few commenters asked
how a laboratory should determine
whether a person requesting access to
another individual’s completed test
reports has the appropriate legal
authority to act on behalf of the
individual, and, by virtue of that
authority, is a personal representative
for the individual. Commenters
indicated that the laboratory test order
from the ordering provider does not
include this information. These
commenters also expressed concern
about the costs to determine whether a
particular person had authority to
access an individual’s laboratory test
reports.
Response: As indicated above, a
HIPAA-covered laboratory is required to
verify the identity and authority of any
person requesting access to laboratory
test reports as a personal representative
of an individual. Depending on the
circumstances, a HIPAA-covered
laboratory could verify a person’s
authority by asking for documentation
of a health care power of attorney, or
general power or durable power of
attorney that includes the power to
make health care decisions, proof of
legal guardianship, or, in the case of a
parent, information that establishes the
relationship of the person to the minor
individual. A HIPAA-covered laboratory
may also contact the treating provider to
inquire whether the treating provider
can provide documentation of the
person’s status as a personal
representative of the individual.
We address the costs that a HIPAA-covered laboratory may incur in the
verification process, in section VII
below. We note here as we did above,
however, that we do not anticipate
HIPAA-covered laboratories will receive
many requests from persons requesting
access as a personal representative of
the individual. Thus, we do not expect
HIPAA-covered laboratories will incur
significant costs for verification of such
persons. Several clinical laboratory
commenters indicated that most
patients or personal representatives do
not know what laboratory conducted the
laboratory tests. Based on these
comments, we expect personal
representatives, like individuals
themselves, generally will continue to
obtain access to the individuals’ health
information through the individuals’
treating providers, with whom many
personal representatives will already
have established a relationship for the
purposes of obtaining access.
Comment: One commenter requested
that the same requirements for denying
access to protected health information
by a personal representative in cases
where access may cause substantial
harm to the individual (for example, in
cases of spousal abuse) should also be
available when personal representatives
request direct access to an individual’s
test reports from laboratories.
Response: As described above, the
Privacy Rule’s access and personal
representative provisions apply in the
same manner to HIPAA-covered
laboratories as to other types of covered
entities. Section 164.524(a)(3)(iii) of the
Privacy Rule permits a covered entity to
deny a personal representative access to
an individual’s protected health
information when a licensed health care
professional has determined, in the
exercise of professional judgment, that
providing access to the personal
representative is reasonably likely to
cause substantial harm to the individual
or another person. Thus, a HIPAA-covered laboratory may deny a personal
representative access to an individual’s
protected health information under this
provision when the laboratory has
received and documented the requisite
determination from a licensed health
care professional that granting access to
the personal representative is
reasonably likely to cause substantial
harm to the individual or another
person. As was described above with
respect to individuals denied access to
their own records because of concerns
of endangerment, the personal
representative retains the right to have
the denial reviewed by another licensed
health care professional who is
designated by the HIPAA-covered
laboratory to act as a reviewing official
and who did not participate in the
original decision to deny. A laboratory
denying access must inform the
personal representative of this right and
have the ability to have the denial
reviewed in accordance with these
requirements.
We also note that § 164.502(g)(5) of
the Privacy Rule allows a covered entity
to elect not to treat a person as the
personal representative of an individual
if the covered entity has a reasonable
belief that the individual has been or
may be subjected to domestic violence,
abuse, or neglect by the person, and the
covered entity, in the exercise of
professional judgment, decides that it is
not in the best interests of the
individual to treat the person as the
individual’s personal representative. We
do not anticipate that this provision will
frequently apply in the circumstances
where a personal representative is
requesting direct access to an
individual’s test report maintained by a
HIPAA-covered laboratory, as most
laboratories will not have the requisite
relationship with the individual that
will enable them to make this type of
assessment. However, there may be
situations where a HIPAA-covered
laboratory is made aware of the dangers
by a treating provider or the individual.
The HIPAA-covered laboratory should
consider this information in the exercise
of its own professional judgment.
Comment: One commenter stated that
it was unclear from the proposed rule
whether a patient’s access right would
include the right to have the test reports
shared with others who do not have
independent access rights. This
commenter urged the Department to
amend the CLIA regulations to clarify
that the laboratory may provide access
to the patient, his or her personal
representative, or any other party
designated by the patient or his or her
personal representative.
Response: We clarify that, in certain
circumstances, an individual’s access
right includes the right to have test
reports shared with others who do not
have independent access rights. In
addition to access by personal
representatives, the HITECH Act
strengthened an individual’s right of
electronic access, which included giving
individuals the right to direct that a
covered entity transmit an electronic
copy of the individual’s protected
health information directly to another
person or entity designated by the
individual (see, section 13405(e) of the
HITECH Act). The regulations that
implemented these statutory provisions
were published as part of the HIPAA
Privacy Rule on January 25, 2013, and
became effective on March 26, 2013.
While Section 13405(e) of the HITECH
Act is applicable to electronic copies,
the Department also used its general
authority under sections 262 and 264 of
HIPAA to implement this right
uniformly regardless of whether the
access requested is for an electronic or
a paper copy of the individual’s
protected health information. Thus,
upon the compliance date of this final
rule, HIPAA-covered laboratories will
be required to abide by an individual’s
request to have the laboratory transmit
the copy of the individual’s protected
health information to another person or
entity designated by the individual. The
Privacy Rule requires that such requests
must be made in writing, signed by the
individual, clearly identify the
designated person or entity, and provide
information regarding where to send the
copy of the protected health
information. See § 164.524(c)(3)(ii) and
the preamble to the final HITECH rule
(78 FR 5566) for more information.
With respect to the changes to the
CLIA regulations, the CLIA regulatory
text as written in this rule will be
sufficient to allow a laboratory to, upon
the request of a patient (or their
personal representative, if applicable),
provide a copy of the patient’s test
report to a person or entity designated
by the individual in accordance with
the HIPAA Privacy Rule.
Comment: One commenter requested
that organ procurement organization
laboratories that perform tests on
decedent tissue and blood be exempted
from the rule altogether, since the
outcome of these tests would not be of
meaningful value to the personal
representatives of decedents, and in the
case of blood tests, could cause undue
concern given the frequency of false
positive results.
Response: We appreciate that Organ
Procurement Organization laboratories
operate under different circumstances
than clinical laboratories. However, we
do not believe there should be an
exemption for these laboratories.
Laboratories that are covered entities
under HIPAA are required to provide
individuals (or their personal
representatives) with access to protected
health information, including that of
decedents (see § 164.524). We do not
believe the concerns raised by the
commenter justify removing a personal
representative’s right to access the
protected health information of a
decedent at an Organ Procurement
Organization laboratory that is a covered
entity. However, we do not expect many
Organ Procurement Organization
laboratories will be HIPAA covered
entities unless they also provide clinical
or other laboratory services that involve
reimbursement by health plans. Further,
we emphasize that a HIPAA-covered
laboratory is only required to provide an
individual (or personal representative)
with access when they receive a request
for access, which we do not expect to
be a very frequent occurrence in the
context of testing for organ procurement
purposes.
D. Requests for and Provision of Access
1. HIPAA Access Processes
Comment: Several commenters
supported allowing flexibility in how
requests for access may be submitted,
processed, and responded to by
laboratories. Commenters indicated a
flexible approach was important since
laboratories vary greatly in terms of how
they interact with patients, if at all, and
flexibility would allow laboratories to
implement processes that would not
disrupt operations. One commenter
stated that some state laws may affect
the processes that laboratories may put
in place and urged that the Department
clarify that the authority for specifying
the processes for handling requests for
access lies with the laboratories rather
than the states. Another commenter
expressed concern with the rule not
spelling out the mechanisms by which
patient requests for access would be
submitted, processed, or responded to
by laboratories. The commenter
suggested that the final rule should
require some type of written record,
such as a signature on an office form,
and verification of the identity of the
person requesting the records.
Response: We agree with the
commenters that flexibility in how
laboratories receive and respond to
access requests is important given the
varied circumstances of each laboratory.
This final rule provides laboratories
with flexibility as to how to set up
systems to receive, process, and respond
to requests for access by individuals, so
long as these processes comply with the
timing and other requirements for
access in § 164.524 of the HIPAA
Privacy Rule where HIPAA-covered
laboratories are concerned. For example,
some laboratories that interact directly
with individuals may give individuals
the option to request a copy of their
completed test reports when the
individuals are physically present at the
laboratory for specimen collection.
With regard to state laws, it is unclear
from the comments how exactly these
laws impact laboratory processes. The
HIPAA Privacy Rule only preempts
contrary provisions of state law. Thus,
where a HIPAA-covered laboratory can
continue to comply with both the
HIPAA Privacy Rule and state law, it
must frame its policies and procedures
in a way that complies with both laws.
Further, the HIPAA Privacy Rule does
not preempt more stringent state laws,
even if contrary to the Privacy Rule. In
the context of individuals’ rights to
access their health information, ‘‘more
stringent’’ means that the state law
provides greater rights of access.
Therefore, a HIPAA-covered laboratory
must continue to abide by state laws
that provide the individual with a
greater right of access. For example, if
a state law requires individual access to
test reports within a shorter timeframe
than the Privacy Rule requires, access
must be provided within that shorter
timeframe. Finally, as noted above and
discussed more fully below, while the
HIPAA Privacy Rule provides some
flexibility to HIPAA-covered
laboratories in how their access
processes are developed, it does have
specific requirements for verification of
identity and authority of the individual
requesting access, as well as timeliness
and the form of access provided, among
other requirements, that must be
followed in providing access to
individuals. With respect to the form of
the individual’s request, the Privacy
Rule does permit covered entities to
require that individuals make requests
for access in writing (see
§ 164.524(b)(1)).
Comment: Some commenters asked
for clarification as to whether hospital
laboratories may continue to rely on
existing hospital HIPAA access
processes, which may have been
implemented through their health
information management departments,
to provide individuals with access to
their test reports, rather than having to
create an additional process outside the
normal customary practices followed by
hospitals to comply with the access
requirements of the HIPAA Privacy
Rule. A few commenters specifically
noted that some hospitals have patient
portals in place to provide individuals
with access to their protected health
information, including laboratory
results.
Response: Laboratories that operate as
part of a larger legal entity that is a
hospital or that are part of an affiliated
covered entity or organized health care
arrangement with a hospital (see the
definition of ‘‘organized health care
arrangement’’ in the HIPAA Rules at
§ 160.103, and the provisions for
affiliated covered entities at
§ 164.105(b)), may continue to utilize
the hospital’s already established
mechanisms for providing access to
individuals requesting their test reports
from the hospital laboratories, provided
that the established mechanisms are
compliant with the access provisions of
the HIPAA Privacy Rule. This includes
providing individuals with access to
their test reports through a patient
portal to the extent the individuals have
agreed to receive access in this manner.
However, laboratories that are not part
of a hospital need to establish their own
process for providing individuals with
direct access to their protected health
information in accordance with the
Privacy Rule, even if the laboratories’
test reports are otherwise available to an
individual through an unaffiliated
treating hospital or provider’s patient
portal or other access mechanism.
Comment: One commenter asked
whether a patient will be expected to
make a request for access from the
laboratory to test reports at the time the
patient is in the treating provider’s
office, or whether patients have a right
to contact the laboratory directly for
access. Another commenter asked
whether, with regard to the referral of
specimens from one laboratory to
another, a patient will need to request
access to the test reports of both
laboratories or just request access from
one of the laboratories to obtain all of
the test results.
Response: Under this final rule,
individuals have a right to make
requests for access to their protected
health information directly to HIPAA-covered laboratories. Laboratories may
not require individuals to make requests
through their providers. While
laboratories cannot require individuals
to submit requests for access to
protected health information
maintained by the laboratories through
their treating providers, individuals may
do so if that is one avenue the laboratory
uses to receive requests for access from
individuals. Laboratories, however, may
require that individuals make access
requests directly to the laboratory.
With respect to laboratories that refer
specimens to another laboratory, an
individual has a right to access his or
her protected health information
maintained in a designated record set at
either laboratory. However, where one
laboratory refers only one part of a test
to another laboratory, the individual
may need to request access from the
referring laboratory to obtain access to a
complete set of test results. As
explained above, a HIPAA-covered
laboratory is required to provide an
individual with access only to that
protected health information
maintained by the laboratory in its
designated record sets.
2. Time Frame for Providing Access
Comment: Some commenters were
concerned that the required 30-day
timeframe in the HIPAA Privacy Rule
for providing an individual with access
to laboratory test reports may not be
sufficient to ensure that a provider
receives the report before the patient.
The commenters believe this is
particularly problematic in the case of
‘‘sensitive’’ test results. One commenter
suggested that laboratories should have
the option of using up to two 30-day
extensions when a licensed health care
professional has determined, in the
exercise of professional judgment, that
the ordering provider should have
additional time to receive and review
the test report before the patient is
provided access. Another commenter
stated that the rule should not require
laboratories to release a test report to a
patient before a treating provider, except
in emergency circumstances. Other
commenters suggested that there should
be a defined delay or lag time, such as
48 or 72 hours, between when a
laboratory provides a test report to a
treating provider and when the
laboratory provides the test report to the
patient.
In contrast, other commenters were
against providing a defined delay
between when the provider and the
patient could obtain the test report.
Some commenters stated that the
Privacy Rule’s 30-day timeframe for
providing access affords ample
opportunity for a provider to receive a
test report and consult with the patient
before the patient receives the test
report he or she requested directly from
the laboratory. For example, one
commenter suggested that the 30-day
period provides laboratories with
sufficient flexibility to release routine
test results within a few days, while
delaying the results of more sensitive
tests to allow more time for consultation
between the provider and the patient.
Response: We believe 30 days is
generally sufficient time to allow a
treating provider to receive a test report
in advance of the patient’s receipt of the
report and to communicate the result to
and counsel the patient as necessary
with regard to the result. Specifically,
requests to a laboratory for access may
be made some time after the provider
has ordered the test or even after the
provider has received the completed test
report. In cases where the end of the
initial 30-day period after an
individual’s request for access is
approaching and, due to the nature of
the test, the laboratory is just
completing the test report, the
laboratory may delay providing access
to the individual to ensure the
completed test report is provided first to
the individual’s provider, so long as the
delay is no more than 30 days and the
individual is informed in writing of the
reason for the delay and the date by
which the laboratory will provide the
individual with access. However,
laboratories may have only one
extension (see § 164.524(b)(2)(iii)). Since
we believe the timeframes provided in
the HIPAA Privacy Rule generally are
sufficient to enable laboratories to
provide test reports to ordering
providers before patients, we decline to
specify a specific lag time or to allow an
additional 30-day extension beyond the
one 30-day extension currently
permitted.
Comment: A few commenters
expressed concern that the 30-day
period (and one 30-day extension) for
providing access may not be sufficient
for all laboratory test reports to be
completed. One commenter suggested
that the 30-day period to provide the
individual with a copy of the test report
should begin from the time of the
individual’s request for access, or test
completion, whichever is later.
Response: We understand the
commenters’ concerns; however, we do
not believe it is necessary to establish
the completion of the test report as the
trigger for the beginning of the 30-day
period if the completion of the test
report is later than the individual’s
request for access, or to otherwise create
a timeliness requirement for laboratories
that is different than the requirement for
other types of covered entities. As
discussed above in the section on
‘‘Scope of Information to Which an
Individual Has Access,’’ the Privacy
Rule provides sufficient flexibility in
most cases to enable laboratories to
provide individuals with access to the
completed test reports they request. In
those rare cases where a test report is
not completed, and therefore is not
available, within the HIPAA timeframe
for responding to requests and the
individual is not willing to withdraw
his or her request so that he or she will
receive a completed test report, the
Privacy Rule requires only that the
laboratory provide access to the existing
protected health information in its
designated record set(s) about the
individual, which would not include
the completed test report requested. We
believe that uniformity of the timeliness
requirement in the Privacy Rule for all
covered entities, including laboratories,
is important to ensure consumer
understanding and covered entity
compliance.
E. Allowable Fees for Copying
Comment: Several commenters stated
that laboratories should be permitted to
charge individuals that request a copy of
one or more test reports an additional
fee along with the current fee permitted
by the HIPAA Privacy Rule. A number
of commenters were specifically
concerned with the costs of retrieving
archived test reports, which may only
be available on paper or limited media,
and transferring them to a suitable
medium for distribution to the patient.
A few commenters suggested that a
laboratory should be able to recoup the
full costs of providing reports to the
individual, including costs associated
with retrieval of the information,
copying, verification, documentation,
liability insurance, and other
administrative costs.
In contrast, a number of commenters
stated that individuals should not
encounter any additional fee to receive
copies of test reports from laboratories,
other than the costs associated with
completing the tests.
Response: We appreciate the
comments on this issue. The fee
provisions in the Privacy Rule are
carefully balanced to reduce costs to
covered entities while at the same time
avoid being an impediment to
individuals’ ability to receive copies of
their protected health information.
Therefore, we decline to expand the fees
that may be charged to individuals or to
disallow any fees that are currently
provided for under the HIPAA Privacy
Rule. HIPAA-covered laboratories must
comply with the same fee limitations at
§ 164.524(c)(4) of the Privacy Rule as
other HIPAA covered entities in
providing individuals with copies of
their health information. This means a
HIPAA-covered laboratory may charge
an individual a reasonable, cost-based
fee that includes only the cost of: (1)
Labor for copying the protected health
information requested by the individual,
whether in paper or electronic form; (2)
supplies for creating the paper copy or
electronic media if the individual
requests that the electronic copy be
provided on portable media; (3) postage,
when the individual has requested the
copy be mailed; and (4) preparation of
an explanation or summary of the
protected health information, if agreed
to by the individual. HIPAA-covered
laboratories may not charge fees to
reflect the costs they incur in searching
for and retrieving the information that is
the subject of the individual’s request.
Further, fees for costs associated with
verification, documentation, liability
insurance, maintaining systems, and
other similar activities are not
permissible fees under this provision.
Comment: One commenter asked for a
more definitive framework of what is an
appropriate fee.
Response: We are unable to provide a
more definitive framework of what is an
appropriate fee, given that costs will
vary depending on a number of
circumstances, such as the form of the
copy requested (paper versus
electronic), the amount of information
to be included in the copy, and whether
the individual has requested the copy to
be placed on electronic media or
mailed. Covered entities may take into
account all of these factors in
determining what is a reasonable, cost-based fee. However, we consider fees
expressly permitted under state law for
copying and postage to be reasonable (as
long as they do not include amounts
associated with fees not provided for
under the HIPAA Privacy Rule, such as
the fees for the cost of search and
retrieval or other costs).
F. Form and Format of Access
Comment: Some commenters stated
that HIPAA-covered laboratories should
be able to limit the types of electronic
formats in which patients could receive
copies of their completed test reports,
and that the format provided should not
be controlled solely by patient
preference. These commenters were
concerned with requiring laboratories to
have the capability to convert test
reports to all types of universal formats
(for example, Microsoft (MS) Word, MS
Excel, or Portable Document Format
(PDF)). One commenter stated it is not
practicable to reproduce all of the data
of the official report into some formats,
such as MS Excel. A few commenters
expressed concern that HIPAA-covered
laboratories will be required to invest in
new technology to allow for patient
portals into laboratory systems so that
patients can view their test reports
online. Certain commenters were
specifically concerned about the
resources involved with having to
convert final laboratory reports that
exist only on paper to PDF or other
electronic format.
Other commenters advocated for the
use of patient portals and personal
health records (PHRs) to deliver test
reports to patients in a readable and
secure manner. One commenter stated
that the rule should ensure laboratories
are not allowed to provide test reports
exclusively through proprietary formats
that require expensive proprietary
software to view, interpret, or process
the results. Finally, one commenter
asked who makes the determination
about which format is acceptable.
Response: The Privacy Rule does not
require that a HIPAA-covered laboratory
have the capability to produce a copy of
a completed test report in whatever
electronic format or manner the
individual requests. Rather, the Privacy
Rule requires a covered entity to
provide the individual with a copy of
the requested information in the form
and format requested by the individual,
if a copy in that form or format is
readily producible. With respect to
protected health information
maintained by the covered entity only
in paper form, the Privacy Rule requires
the covered entity to provide the
individual with a copy of the protected
health information in the form and
format requested by the individual, if it
is readily producible. If not, the copy
must be either a readable hard copy or
in another form or format as agreed to
by the covered entity and the individual
(see § 164.524(c)(2)(i)). Thus, where an
individual requests an electronic copy
of test reports that a HIPAA-covered
laboratory maintains only on paper, the
laboratory is required to provide the
individual with the type of electronic
copy requested if it is readily producible
electronically and in the format
requested. For example, a HIPAA-covered laboratory maintaining the
requested test reports on paper may be
able to readily produce a scanned PDF
version of the report but not the
requested Word version. In this case, the
laboratory may provide the individual
with the PDF version if the individual
agrees to accept the PDF version. If the
individual declines to accept the PDF
version, or if the laboratory is not able
to readily produce a PDF version of the
test reports, the laboratory may provide
the individual with hard copies of the
reports such as photocopies of the
original reports.
However, when the protected health
information to which the individual
seeks access is maintained
electronically by the covered entity and
the individual requests an electronic
copy of the information, the Privacy
Rule requires the covered entity to
provide the individual with access to
the information in the requested
electronic form and format if it is
readily producible in that form and
format. When it is not readily
producible in the electronic form and
format requested, then the covered
entity must provide the copy in an
alternative readable electronic format as
agreed to by the covered entity and the
individual (see § 164.524(c)(2)(ii)). In
short, this means that any HIPAA-covered laboratory that maintains
protected health information about an
individual in one or more designated
record sets electronically must have the
capability to provide the individual
with some form of electronic copy of the
individual’s protected health
information. For example, this would
include providing the individual with
an electronic copy of the protected
health information in the format of MS
Word or Excel, text, HTML, or text-based PDF. In addition, we encourage
laboratories to make available to
individuals, upon request, an electronic
copy of their protected health
information in machine-readable
formats (such as in HL7), which will
enable individuals to use their protected
health information in electronic health
information tools, such as PHRs, if they
choose.
We agree with the commenters that
individuals should not have an
unlimited choice in the form of
electronic copy they will receive. The
Privacy Rule allows a covered
laboratory to make some other
agreement with individuals as an
alternative means to provide a readable
electronic copy to the individual where
the covered laboratory is not able to
readily provide the form of electronic
copy requested. If an individual
requests a form of electronic copy that
the HIPAA-covered laboratory is unable
to produce, the laboratory must offer the
individual other electronic formats that
are available on its systems. If the
individual declines to accept any of the
electronic formats that are readily
producible by the HIPAA-covered
laboratory, the laboratory must provide
a hard copy as an option to fulfill the
access request. We remain neutral on
the type of technology that covered
entities may adopt. We note that a PDF
is a widely recognized format that
would satisfy the electronic access
requirement if it is the individual’s
requested format or if the individual
agrees to accept a PDF instead of the
individual’s requested format.
Alternatively, there may be
circumstances where an individual
prefers a simple text or rich text file and
the laboratory is able to accommodate
this preference. In this case, a hard copy
of the individual’s protected health
information would not satisfy the
electronic access requirement. However,
a hard copy may be provided if the
individual decides not to accept any of
the electronic formats offered by the
covered entity.
For example, if a HIPAA-covered
laboratory receives a request from an
individual to have access to test reports
through a web-based portal, but the only
readily producible version of the
protected health information by the
laboratory is in PDF, the Privacy Rule
requires the laboratory to provide the
individual with the PDF copy of the
protected health information, if the
individual agrees to receive it in that
form. If the individual declines to
receive the PDF copy, the laboratory
may provide the individual with a hard
copy of the information.
Further, while we encourage
laboratories to offer patients the ability
to access their test reports through
patient portals maintained by the
laboratories, the HIPAA Privacy Rule
does not require covered entities to have
this capability. We recognize that what
is available in a readable electronic form
and format will vary by system and
technological capabilities will improve
over time. Therefore, the Privacy Rule
allows covered entities the flexibility to
provide individuals with electronic
copies of protected health information
that are currently readily producible
and available on their various systems.
A HIPAA-covered laboratory is not
required to purchase new software or
systems in order to accommodate an
electronic copy request for a specific
form that is not readily producible by
the laboratory at the time of the request,
provided the laboratory is able to
provide some form of electronic copy.
We note that providing the individual
with an electronic copy of a test report
in a proprietary format that will require
the purchase or acquisition by the
individual of proprietary software to
view the report would not satisfy these
access requirements.
Comment: A few commenters
suggested that any electronic copies
provided to individuals should include
a digital signature to provide assurance
that test results had not been modified.
Response: HIPAA-covered
laboratories may include digital
signatures on electronic copies of test
reports given to individuals, provided
the electronic copy is still in a format
that has either been requested by the
individual or is an alternative that has
been agreed to by the individual and the
laboratory.
Comment: Some commenters were
concerned about the ability of
laboratories to transmit electronic
copies of test reports to individuals in
a secure manner, and asked for guidance
on how test reports should be
transmitted to patients. A few
commenters were concerned with
transmitting test reports to patients via
unencrypted email. One commenter
expressed concern about being found
responsible for a breach if a HIPAA-covered laboratory sent test reports in
an unsecure manner after a specific
request by the individual to send them
in that manner. Other commenters
suggested that any method of
transmitting test reports to individuals
should be acceptable, whether it be by
mail, email, transmission to a PHR or
patient portal, or other method.
Response: How a test report is
transmitted to an individual will vary
depending on the circumstances and the
request of the individual. In cases where
an individual is in close proximity of
the laboratory, the individual may wish
to come and pick up the test report from
the laboratory directly; however, the
individual is not required to do so.
Individuals also have a right under the
Privacy Rule to have either the paper or
electronic (for example, on compact
disk) copies of their protected health
information mailed to them, and
HIPAA-covered laboratories may charge
an individual for postage in cases where
the individual has asked that the copy
be mailed. In sending the copy to an
individual, covered laboratories are
required to reasonably safeguard the
information (see § 164.530(c)). This may
include ensuring the packaging is
securely sealed and that none of the
information from the test reports is
visible from the outside of the package.
Individuals also may request that a
laboratory email an electronic copy of a
test report. In emailing copies of test
reports to individuals, HIPAA-covered
laboratories are required to comply with
the HIPAA Security Rule, which, among
other requirements, requires
implementation of technical security
measures to guard against unauthorized
access to electronic protected health
information that is being transmitted
over an electronic communications
network (see § 164.312(e)). As a security
measure, the Security Rule requires
encryption when transmitting electronic
protected health information where it is
reasonable and appropriate to encrypt
the information. In general, encryption
is a reasonable and appropriate measure
to safeguard email transmissions.
However, we have found that there may
be instances when an individual may
not want to receive his or her protected
health information in an encrypted
format or may be unable to access the
information when encrypted. In these
cases, a HIPAA-covered laboratory is
permitted to send the individual copies
of the test reports via unencrypted
email, if it advises the individual of the
risks associated with unencrypted
email, and, after doing so, the
individual still wishes to receive his or
her protected health information via
unencrypted email. A HIPAA-covered
laboratory is not responsible for any
unauthorized access that may occur
while protected health information is in
transit using the means requested by the
individual. Further, a HIPAA-covered
laboratory is not responsible for
safeguarding protected health
information once it is delivered to the
individual.
Finally, as mentioned above, we
encourage laboratories to offer
individuals access to their test reports
and other health information through
secure patient portals or PHRs.
However, use of this method is not
required.
Comment: One commenter asked if
CMS has the regulatory authority to
establish minimum requirements for the
provision of electronic test results to
patients in a structured format or at least
to suggest guidance to laboratories if the
test results are to be provided in an
electronic format.
Response: CMS does not have current
plans to establish regulations that would
impose minimum requirements for the
provision of electronic results in a
structured format, but could examine
these options going forward.
Furthermore, CLIA guidance on
electronic formats was provided as part
of the March 2010 revision to the CLIA
State Operations Manual Appendix C—
Survey Procedures and Interpretive
Guidelines for Laboratories and
Laboratory Services (see, CMS Ref:
S&C–10–12–CLIA).2
G. Content of Test Report, Educational
Materials, and Standard Statements
Comment: A few commenters
requested further guidance on what the
test report that is provided to an
individual should look like.
Commenters noted that the laboratory
coding schema on the official test report
sent to the provider may need further
interpretation and context before it
would be useful to the patient. These
commenters expressed concern with the
resources and information system
development that would be needed to
provide a more understandable test
report to the individual. Other
commenters stated that the report
furnished to the individual should be
the ‘‘official’’ report furnished to the
ordering provider rather than one that is
reworded and redesigned in an effort to
meet the needs of the individual.
Otherwise, they noted, there could be
inadvertent inconsistencies or
inaccuracies when one compared the
‘‘official’’ report to the patient-centric
report.
2 https://www.cms.gov/Medicare/ProviderEnrollment-and-Certification/SurveyCertificationGenInfo/downloads/SCLetter1012.pdf.
In addition, some commenters
suggested that laboratories should
provide brief explanations or patient-specific educational materials on the
tests reported, including reference
ranges, so that the individual can
interpret the information (for example,
similar to a pharmacy’s provision of the
package insert for prescription drugs).
Response: As discussed above, the
final rule does not require laboratories
to interpret test reports for individuals.
An individual has a right to receive a
copy of the information about the
individual maintained by or on behalf of
a HIPAA-covered laboratory in a
designated record set, which may
include the official test report that is
also provided to the individual’s
provider. However, while not required,
a laboratory may also provide additional
educational or explanatory materials
regarding the test results to individuals
if it chooses to do so.
Comment: A number of commenters
suggested that the information provided
to individuals should include a
standard statement explaining the
limitations of the laboratory data alone
in confirming or ruling out a diagnosis,
explaining that the laboratory results are
subject to a physician’s interpretation
and encouraging the individual to
discuss the results with his or her
physician, and providing the contact
information of the physician who
ordered the tests.
Response: As we explain above, this
final rule does not supplant the
treatment conversation a health care
provider has with a patient about the
patient’s test results. We expect that
individuals will continue to obtain test
results through their treating or ordering
providers, and even when individuals
request access to test reports directly
from laboratories, we believe that, in
most cases, these individuals will have
had conversations with their treating
providers about their test results before
receiving access. Therefore, we do not
believe a regulatory requirement for a
standard statement is warranted.
However, laboratories that wish to
include one with test reports are free to
do so.
H. Verification of Identity and
Authentication
Comment: Some commenters stated
that many laboratories would have
challenges with verifying an
individual’s identity because they often
have no direct interaction with the
individual and any contact information
they receive from a health care provider
can be incomplete or incorrect. One
commenter indicated that these
limitations would necessitate that an
individual make a request for a test
report in person. These commenters
requested guidance or sample
authentication practices for verifying an
individual’s identity upon receiving a
request, whether in person, by phone,
fax, or other means. One commenter
suggested that the Department should
provide guidance on the appropriate
assurance levels for identity proofing
and authentication, as defined by the
National Institute of Standards and
Technology (NIST) (Publication 800–
63).
Response: Under § 164.514(h) of the
Privacy Rule, a covered entity is
required to take reasonable steps to
verify the identity of the individual
making a request for access. The rule
does not mandate any particular form of
verification (such as obtaining a copy of
a driver’s license), but rather leaves the
type and manner of the verification to
the discretion and professional
judgment of the covered entity. Further,
covered entities may rely on industry
standards in developing reasonable
verification processes. The type of
verification may also vary depending on
how the individual is to receive access,
the form of the request, and whether the
covered entity is requiring that all
requests for access be made in writing,
as permitted by § 164.524(b)(1), or
permitting oral requests for access. For
example, in those cases where an
individual requests to pick up a copy of
a test report directly from a laboratory,
the laboratory may require that some
form of photo identification be provided
before the individual receives a copy.
When a HIPAA-covered laboratory
requires that a request for a copy of the
test report be made on its own supplied
form (whether by fax, email, or
otherwise), the laboratory could request
basic information on the form (date of
birth, provider’s name, date specimen
was collected, etc.) to verify that the
person requesting access is the
individual who is the subject of the test
report. Similarly, if a laboratory allows
an individual to verbally request access
over the phone, the laboratory can, at
that time, request the information
needed to verify the person is the
subject individual. For those
laboratories using patient portals to
provide access, those portals should
already be set up with appropriate
authentication controls, as required by
§ 164.312(d) of the HIPAA Security
Rule, to ensure that the person seeking
access is the one claimed. However, we
do not prescribe specific levels of
authentication.
We understand that, in many cases, a
laboratory may not have extensive
contact or other information about an
individual. However, the rule makes
clear that a laboratory is only required
to provide an individual with access to
test reports that can be identified as
belonging to the individual who has
requested access, based on the
laboratory’s authentication processes.
Thus, when a laboratory is able to
authenticate a test report as belonging to
a particular patient, that laboratory will
have at least some basic information
about the patient, such as name, date of
birth, date specimen was collected, etc.,
that can also be used to verify the
identity of a person requesting access to
that test report. When a laboratory
believes a provider may have supplied
incorrect information for a patient,
which prevents the laboratory from
properly verifying the individual, the
laboratory may contact the provider to
see if correct information is available.
While the Privacy Rule requires
verification of the identity of the person
requesting access, a HIPAA-covered
laboratory may not impose unreasonable
verification measures on an individual
as a means to avoid having to provide
the individual with access. For example,
a HIPAA-covered laboratory may not
require an individual who wants a copy
of his or her test reports mailed to his
or her home address to physically come
to the laboratory to request access and
provide proof of identity in person.
I. Informing Individuals of Their New
Right of Access
Comment: A few commenters stated
that providers should be required to
inform or notify individuals of their
right to receive test reports directly from
laboratories, and to provide the
information necessary for individuals to
request test reports from the appropriate
clinical laboratories. One commenter
suggested this information could be
included in the provider’s notice of
privacy practices. Another commenter
asked if this final rule would require
HIPAA-covered laboratories to revise
their notices of privacy practices to
include a statement regarding an
individual’s right to receive test results
directly from the laboratory.
Response: We encourage, but do not
require, treating health care providers to
inform individuals of their right to
receive test reports directly from
HIPAA-covered laboratories. We believe
requiring providers to do so would
create an unwarranted burden on
providers. However, whenever
providers send a specimen(s) to the
laboratory, as opposed to the individual
going to the laboratory himself or herself
to provide the testing sample, we
encourage providers to supply the
individual with the name of the
laboratory to which the specimen is
being or has been sent and the other
information necessary for the individual
to request access from the laboratory.
With respect to HIPAA notices of
privacy practices, a covered entity is
required to promptly revise its notice
whenever there is a material change to
any of its privacy practices, including
those pertaining to individuals’ rights to
access their protected health
information (see § 164.520(b)(3) of the
Privacy Rule). This final rule provides
individuals with a right to access their
protected health information directly
from HIPAA-covered laboratories. A
change in an individual’s access rights
constitutes a material change to the
privacy practices of HIPAA-covered
laboratories. Thus, by the compliance
date of this final rule, HIPAA-covered
laboratories must revise their notices to
inform individuals of this right and to
include a brief description of how to
exercise this right, and must remove any
statements to the contrary (see
§ 164.520(b)(1)(iv)(C)). Further, HIPAA-covered laboratories must make the
revised notice available as required by
§ 164.520(c). We do not require that
other covered health care providers,
such as ordering providers, revise their
notices of privacy practices to inform
individuals of their right to access
protected health information directly
from laboratories.
The Department recognizes that
HIPAA-covered laboratories are already
required by the modifications to the
HIPAA Rules that were published on
January 25, 2013 (78 FR 5566) to revise
their notices by September 23, 2013. To
avoid HIPAA-covered laboratories
having to modify their notices twice
within the same year to comply with
both the January 25, 2013, final rule and
this rule, the Department announced on
September 19, 2013, that it was
exercising its enforcement discretion to
allow CLIA laboratories (including
CLIA-exempt laboratories) that are
HIPAA covered entities to take until the
compliance date of this final rule,
October 6, 2014, to revise their notices
to reflect both sets of modifications. See
https://www.hhs.gov/ocr/privacy/hipaa/enforcement/clia-labs.html. Thus, CLIA
and CLIA-exempt laboratories that are
HIPAA covered entities need only
update their notices once to comply
with both rules.
J. Preemption
Comment: A number of commenters
supported the rule’s general preemption
of contrary state laws, stating that it
would bring further harmonization of
federal and state laws and ensure,
regardless of where an individual lives,
that he or she has access to laboratory
test reports. Other commenters
requested clarification with respect to
preemption, asking whether state laws
that require more timely access to test
reports than the Privacy Rule or that
would limit the types of identification a
laboratory could ask an individual to
present to verify identity would
continue to stand. One commenter
stated that the final rule should preempt
state laws that restrict laboratory-initiated contact with patients for
purposes of communicating laboratory
results. This commenter stated that
there can be compelling medical reasons
for laboratories to initiate contact.
Another commenter stated that the rule
should not preempt state laws that
require the provider to discuss the
results and provide psychological
counseling along with disclosure of HIV
test results.
Response: We agree with commenters
that preemption of certain contrary state
law is necessary to ensure that
individuals’ access rights under the
Privacy Rule are strengthened. A
number of states have laws that prohibit
a laboratory from releasing a test report
directly to the individual or that
prohibit the release without the ordering
provider’s consent. Upon the effective
date of this final rule, the Privacy Rule
preempts these laws and HIPAA-covered laboratories should begin to
come into compliance.
With respect to those commenters
requesting clarification on HIPAA
preemption, we note that HIPAA
preempts only state laws that are
contrary to the Privacy Rule. ‘‘Contrary’’
generally means a covered entity would
find it impossible to comply with both
the state and HIPAA requirements. In
certain cases, a contrary state law is not
preempted, such as where a state law is
more stringent than the Privacy Rule.
‘‘More stringent’’ means, with respect to
individuals’ access rights, that the state
law provides greater rights of access to
individuals (see, 45 CFR Part 160,
Subpart B). A state law that requires a
laboratory to provide an individual with
more timely access to test reports is not
contrary to the Privacy Rule and thus,
is not preempted. Similarly, a state law
that limits the types of identification a
laboratory can ask an individual to
produce is not contrary to the Privacy
Rule, provided the laboratory is still
able to verify the identity of the person
requesting access as required by
§ 164.514(h). HIPAA-covered
laboratories should be able to comply
with both sets of requirements in
providing individuals with access to
their test reports. Further, we clarify
that this final rule applies only to
laboratories. State laws that place
requirements on other types of health
care providers, such as those requiring
a provider to discuss with and counsel
a patient on HIV test results are not
preempted by this final rule. Finally, the
trigger for the access obligations under
the Privacy Rule is a request from an
individual or the individual’s personal
representative. This final rule does not
impose any requirement or establish any
permission in regard to a laboratory
initiating contact with an individual for
purposes of communicating test results.
K. Compliance Date
Comment: A number of commenters
advocated for a longer time period for
HIPAA-covered laboratories to come
into compliance than the proposed 180-day compliance period. Commenters
suggested a variety of different
compliance dates, including one year
and beyond. Some commenters raised
specific concerns with respect to
laboratories that do not currently
provide individuals with access to test
reports, since the laboratories would
need to develop all new policies,
protocols, and mechanisms for receiving
and responding to requests for access to
test reports.
Other commenters asked that the
Department wait to finalize the rule
until after the HITECH Act changes to
the Privacy Rule become final so that
HIPAA-covered laboratories would need
to develop only one set of policies,
protocols, and procedures one time, to
comply with the Privacy Rule’s access
provisions. A few commenters
requested that the Department
implement reasonable, sequenced
compliance deadlines for all related
regulations under the HITECH Act and
HIPAA, such as changes to the Privacy
Rule, EHR Incentive Programs’
requirements, and the implementation
of HIPAA Version 5010 and ICD–10.
Commenters stated that sequenced
deadlines would better take into
account the significant amount of
financial, operational, and technological
resources needed to fully comply with
all of these new requirements.
Response: While we appreciate the
commenters’ concerns regarding the
compliance date, we decline to extend
the 180-day compliance period for this
final rule. We believe 180 days will
provide HIPAA-covered laboratories
with sufficient time to become prepared
to provide individuals who request
them with copies of test reports and will
also ensure that individuals are afforded
and able to benefit from this new right
in a timely manner after the rule’s
issuance. Thus, HIPAA-covered
laboratories are required to comply with
the individual access provisions of the
Privacy Rule by no later than 180 days
after the effective date of the final rule.
The effective date of the final rule is 60
days after publication in the Federal
Register; therefore, laboratories have a
total of 240 days after publication of this
final rule to come into compliance.
Moreover, in a number of cases,
laboratories that operate in states that
allow an individual to receive test
reports directly from the laboratories
will already have policies for providing
individuals with access to test reports,
which can then be modified as needed
to be consistent with Privacy Rule
requirements. The HITECH Act
enhancements to an individual’s right of
access under the Privacy Rule were
finalized and incorporated into the
Privacy Rule on March 26, 2013. Thus,
in implementing this rule and the
HITECH Act changes, HIPAA-covered
laboratories need only develop one set
of policies. Finally, while we
understand that overlapping compliance
deadlines for different rules may be
burdensome to entities that are subject
to all of the rules, we do not believe it
is feasible to completely sequence
regulatory deadlines and still realize in
a timely manner the benefits and
protections the new requirements are
intended to provide.
L. Other Comments
Comment: Commenters asked
whether a laboratory could be subject to
penalties for charging more than the
reasonable cost-based fee allowed by the
Privacy Rule, for failing to comply with
an individual’s request for completed
test reports within the appropriate time
period, or for failing to comply with an
individual’s request altogether.
Response: HIPAA-covered
laboratories that fail to comply with the
Privacy Rule’s access provisions are
subject to an enforcement action for
noncompliance by the Department,
which may include the imposition of
civil money penalties. More information
about HIPAA enforcement is available
on the OCR Web site at: https://www.hhs.gov/ocr/privacy/hipaa/enforcement/.
Comment: A few commenters
suggested that the rule increases burden
on individuals, by making them first
call their provider’s office to learn the
name of the laboratory producing the
test report and then making them call
the laboratory for a copy of the test
report, instead of just having them
contact the provider’s office for the test
results.
Response: We do not agree that this
final rule increases the burden on
individuals. As previously discussed in
detail above, the rule does not supplant
the role of the treating provider in
discussing test results with a patient or
an individual’s right under the HIPAA
Privacy Rule to access protected health
information about the individual
maintained by the provider, including
laboratory test results. The rule merely
provides an additional avenue for
individuals to obtain copies of their test
reports by allowing individuals to
obtain their test reports directly from
the laboratories.
Comment: One commenter stated that
certain third-party payers and insurers
do not allow laboratories to bill a
patient any amount in addition to what
is paid to the laboratory for testing
services by that third-party payer or
insurer. The commenter contended that
this prohibition would prevent a
laboratory from charging an individual
a cost-based fee for providing a copy of
the test report.
Response: First, we note that charging
an individual a fee for access is optional
and not required under the Privacy
Rule. Second, the billing restriction
described by the commenter is likely
tied to the costs associated with the
provision of health care services, and
not to a laboratory’s ability to charge an
individual for reasonable costs
associated with providing the
individual access to his or her protected
health information. It has not been our
experience that covered health care
providers subject to similar billing
restrictions have been unable to charge
individuals reasonable cost-based fees
for access to their records.
Comment: One commenter asked,
when a patient fails to compensate the
laboratory for services provided,
whether a laboratory may withhold
future test results from the patient until
payment is made.
Response: A covered entity may not
withhold or suspend an individual’s
right under the HIPAA Privacy Rule to
access his or her protected health
information because the individual has
not paid the covered entity for the
health care services provided.
Comment: One commenter stated that
laboratories should not be required to
provide test reports in a patient’s
preferred language.
Response: A covered entity’s
obligations under civil rights or other
laws to ensure equal access to health
care for individuals, including
requirements for when certain
documents must be translated, are not
diminished or disturbed by this rule.
Comment: A few commenters
suggested that laboratories should be
required to notify the ordering provider
when a patient has received, or will
receive, copies of test reports directly
from the laboratory.
Response: We do not believe this
requirement is warranted. As discussed
above, this rule does not change the
ability of an ordering provider to receive
test reports and discuss them with the
patient. However, a laboratory that
wishes to provide notification to a
provider that an individual will receive
a copy of a test report directly may do
so.
Comment: One commenter stated that,
by deferring to state law, the CLIA
regulations impede disclosures of test
reports to other HIPAA covered entities
and business associates for purposes
that are otherwise permitted by HIPAA.
This commenter stated that the list of
persons authorized to receive the
reports should be expanded to include
HIPAA covered entities and business
associates. This commenter believes that
the expansion of the list will eliminate
barriers to legitimate disclosures to
these entities, such as for treatment or
quality improvement purposes.
Response: The CLIA regulations at
§ 493.1291(f) state that test results must
be released only to authorized persons
and, if applicable, to the persons
responsible for using the test results,
and to the laboratory that initially
requested the test. ‘‘Responsible for
using’’ would cover those HIPAA
covered entities that are in a treatment
relationship with the individual. CLIA
also defines ‘‘authorized person’’ as an
individual authorized under state law to
order tests or receive test results, or
both. State law can expand the list of
entities that can be considered
‘‘authorized’’ persons under CLIA.
VI. Collection of Information
Requirements
Under the Paperwork Reduction Act
of 1995 (PRA), we are required to
provide 30-day notice in the Federal
Register and to solicit public comment
before a collection of information
requirement is submitted to the Office of
Management and Budget (OMB) for
review and approval. In order to fairly
evaluate whether an information
collection should be approved by OMB,
section 3506(c)(2)(A) of the PRA
requires that we solicit comment on the
following issues:
• The need for the information
collection and its usefulness in carrying
out the proper functions of our agency.
• The accuracy of our estimate of the
information collection burden.
• The quality, utility, and clarity of
the information to be collected.
• Recommendations to minimize the
information collection burden on the
affected public, including automated
collection techniques.
In our September 14, 2011 proposed
rule (76 FR 56712), we solicited public
comment on each of these issues, as
required by section 3506(c)(2)(A) of the
PRA. We did not receive any PRA-related comments.
Except as provided in § 493.1291(l),
test reports must be released only to
authorized persons and, if applicable,
the individuals (or their personal
representatives) responsible for using
the test reports, and to the laboratory
that initially requested the test. Under
§ 493.1291(l), the laboratory may, upon
request by the patient (or the patient’s
personal representative), provide access
to the patient’s test reports that the
laboratory can identify as belonging to
that patient. The CLIA regulations do
not require that CLIA-certified
laboratories provide this access—rather,
these laboratories are allowed to provide
for access. However, the accompanying
changes to the HIPAA Privacy Rule in
this final rule require that CLIA-certified
laboratories that are HIPAA covered
entities provide individuals with access
in accordance with the Privacy Rule.
The CLIA-certified laboratories that are
covered entities under HIPAA will need
to ensure that their practices conform to
CLIA and HIPAA requirements.
We have prepared the Paperwork
Reduction Act and the Regulatory
Impact Analysis (RIA) that represents
the costs and benefits of the final rule
based on an analysis of identified
variables and data sources needed for
this change. We identified known data
elements (Table 1) and made
assumptions on elements where a
source could not be identified (Table 2).
Our assumptions are based on internal
discussions and consultation with
laboratories representative of the
industry.
TABLE 1—SUMMARY OF KNOWN DATA ELEMENTS

| Variable | Data element | Source |
|---|---|---|
| States/territories where laboratories, as listed in Table 3, are impacted by the new individual access provisions. | 39 | Determination of this finding is based on two reports as listed here: 1. Privacy and Security Solutions for Interoperable Health Information Exchange, Releasing Clinical Laboratory Test Results; Report on Survey of State Laws prepared by Joy Pritts, JD, for the Agency for Health care Research and Quality and Office of the National Coordinator August 2009; RIT Project Number 0209825.000.015.100 (Accessed July 15, 2010). 2. Electronic Release of Clinical Laboratory Results: A Review of State and Federal Policy, prepared by Kitty Purington, JD, for the California Health care Foundations January 2010 (Accessed July 15, 2010). |
| Laboratories, as listed in Table 6, impacted by the new individual access provisions. | 22,816 | Data from CLIA Online Survey Certification and Reporting (OSCAR) database accessed August 27, 2012. Includes Certificate of Compliance and Certificate of Accreditation in the 39 states impacted by the patient access provisions. |
| Test results in laboratories, as listed in Table 6, impacted by the new individual access provisions. | 7,025,841,649 | Data from OSCAR database accessed August 27, 2012. Includes Certificate of Compliance and Certificate of Accreditation in the 39 states impacted by the patient access provisions. |
| States/territories, as noted in Table 7, where the HIPAA Privacy Rule will pre-empt State Law.1 | 46 | Determination of this finding is based on two reports as listed here: 1. Privacy and Security Solutions for Interoperable Health Information Exchange, Releasing Clinical Laboratory Test Results; Report on Survey of State Laws prepared by Joy Pritts, JD, for the Agency for Health care Research and Quality and Office of the National Coordinator August 2009; RIT Project Number 0209825.000.015.100 (Accessed July 15, 2010). 2. Electronic Release of Clinical Laboratory Results: A Review of State and Federal Policy prepared by Kitty Purington, JD, for the California Health care Foundations January 2010 (Accessed July 15, 2010). |
| Laboratories, as indicated in Table 7, required to update their HIPAA notices of privacy practices. | 33,807 | Data from OSCAR database accessed August 27, 2012. Includes Certificate of Compliance and Certificate of Accreditation in the 27 states impacted by the HIPAA provisions to update the notices of privacy practice. |
| Hourly salary of clerical level employee to process requests for test reports. | $30.09 | 2013 salary/wages and benefits—use 2012 salary/wages and benefits obtained from the U.S. Bureau of Labor Statistics, Economic News Release, March 2012 U.S.—Total employer costs per hour worked for employee compensation: Civilian workers; Occupational Group: Service-providing at https://www.bls.gov/news.release/ecec.t01.htm and adjusts annually by 2.78 percent to reflect an average increase in total compensation costs from 2007–2011. |
| Hourly salary of management level employee to determine policy. | $50.06 | 2013 salary/wages and benefits—use 2012 salary/wages and benefits obtained from the U.S. Bureau of Labor Statistics, Economic News Release, March 2012 U.S.—Total employer costs per hour worked for employee compensation: Civilian workers; Occupational Group: Service-providing at https://www.bls.gov/news.release/ecec.t01.htm and adjusts annually by 2.78 percent to reflect an average increase in total compensation costs from 2007–2011. |

1. Note that there may be circumstances where a laboratory is able to comply with both HIPAA and the state law.
TABLE 2—SUMMARY OF ASSUMPTIONS

| Variable | Low | High |
| --- | --- | --- |
| Number of test results per test report | 10 test results | 20 test results |
| Percentage of patients requesting test report | 0.05% | 0.50% |
| Time required to process request for test report | 10 minutes | 30 minutes |

We determined that the impacted
CLIA-certified laboratories can be
broken down into four categories:
Laboratories in states and territories
where there is no law regarding who can
receive test reports (N=26), laboratories
in states and territories where test
reports can only be given to the provider
(N=13), laboratories in states and
territories that allow test reports to go
directly to the patient through some
means or mechanism (N=9), and
laboratories in states and territories that
allow the test reports to go to the patient
with provider approval (N=7). Of these
four categories, we believe that
laboratories in the 39 states and
territories where there is either no law
regarding receipt of test reports or where
reports can only go to the provider are
affected by the individual access
provisions contained in this rulemaking
(see Table 3 for a list of states and
territories by category). Laboratories in
the remaining categories would most
likely have existing procedures in place
to respond to patient requests for test
reports, whereas the laboratories in the
first two categories would most likely
not have procedures in place and would
have to develop mechanisms for
handling these requests and providing
access.
TABLE 3—IMPACT ON LABORATORIES OF NEW INDIVIDUAL ACCESS PROVISIONS

| Impacts laboratories: No State law | Impacts laboratories: Allows test reports only to provider | Does not impact laboratories: Allows test reports to patient with provider approval | Does not impact laboratories: Allows test reports to patient |
| --- | --- | --- | --- |
| Alabama | Arkansas | California | Delaware |
| Alaska | Georgia | Connecticut | District of Columbia |
| Arizona | Hawaii | Florida | Maryland |
| Colorado | Illinois | Massachusetts | New Hampshire |
| Guam | Kansas | Michigan | New Jersey |
| Idaho | Maine | New York | Nevada |
| Indiana | Missouri | Virginia | Oregon |
| Iowa | Pennsylvania | | Puerto Rico |
| Kentucky | Rhode Island | | West Virginia |
| Louisiana | Tennessee | | |
| Minnesota | Washington | | |
| Mississippi | Wisconsin | | |
| Montana | Wyoming | | |
| Nebraska | | | |
| New Mexico | | | |
| North Carolina | | | |
| North Dakota | | | |
| Northern Mariana Islands | | | |
| Ohio | | | |
| Oklahoma | | | |
| South Carolina | | | |
| South Dakota | | | |
| Texas | | | |
| Utah | | | |
| Vermont | | | |
| Virgin Islands | | | |

In addition to the impact from the
access provisions, laboratories both in
the 39 states and territories where there
is either no law regarding receipt of test
reports or where reports can only go to
the provider, as well as in the 7 states
and territories that currently allow test
reports to go to the patient only with
provider approval, will be affected by
the requirement to update HIPAA
notices of privacy practices as a result
of this final rule (see Table 4 for a list
of states and territories by category).
Even if laboratories in the 7 states and
territories that currently allow test
reports to go to the patient with
provider approval have processes in
place to provide test reports to patients,
their notices of privacy practices may
now contain inaccurate statements
about how individuals can obtain copies
of their test reports, given that this final
rule preempts these state laws.
Therefore, by the compliance date of
this rule, the laboratories in the 46 states
and territories identified in Table 4 will
need to revise their notices to inform
individuals of their right to obtain
reports directly from the laboratory,
provide a brief description of how to
exercise this right, and must remove any
statements to the contrary (see
§ 164.520(b)(1)(iv)(C)).
TABLE 4—IMPACT ON LABORATORIES OF HIPAA PRIVACY RULE REQUIREMENT TO REVISE THEIR NOTICES OF PRIVACY PRACTICES

| Impacts laboratories: No State law | Impacts laboratories: Allows test reports only to provider | Impacts laboratories: Allows test reports to patient with provider approval | Does not impact laboratories: Allows test reports to patient |
| --- | --- | --- | --- |
| Alabama | Arkansas | California | Delaware |
| Alaska | Georgia | Connecticut | District of Columbia |
| Arizona | Hawaii | Florida | Maryland |
| Colorado | Illinois | Massachusetts | New Hampshire |
| Guam | Kansas | Michigan | New Jersey |
| Idaho | Maine | New York | Nevada |
| Indiana | Missouri | Virginia | Oregon |
| Iowa | Pennsylvania | | Puerto Rico |
| Kentucky | Rhode Island | | West Virginia |
| Louisiana | Tennessee | | |
| Minnesota | Washington | | |
| Mississippi | Wisconsin | | |
| Montana | Wyoming | | |
| Nebraska | | | |
| New Mexico | | | |
| North Carolina | | | |
| North Dakota | | | |
| Northern Mariana Islands | | | |
| Ohio | | | |
| Oklahoma | | | |
| South Carolina | | | |
| South Dakota | | | |
| Texas | | | |
| Utah | | | |
| Vermont | | | |
| Virgin Islands | | | |

The CMS Online Survey,
Certification, and Reporting (OSCAR)
database indicates that there are a total
of 234,756 laboratories which provide
approximately 12.8 billion tests
annually (see Table 5) in the United
States. We assume Certificate of Waiver
laboratories and Certificate of PPM
laboratories would not be impacted
because the tests are usually performed
in these sites during a patient’s visit. We
assume that the physician or health
practitioner would inform the patient of
those results during the visit, and we
anticipate that the patient would ask
that person with whom they interacted
as opposed to the laboratory, if they
have reason to seek copies of the test
report in the future. In the 39 states and
territories that are impacted by the
patient access provision, there are
22,816 laboratories that perform over 7
billion tests annually (see Table 6).
However, we recognize that some
laboratories included in these estimates
may not be covered entities under
HIPAA (because they do not conduct
covered health care transactions
electronically, for example, filing
electronic claims for payment) and,
therefore, would not be required to
provide direct individual access.
TABLE 5—ALL U.S. LABORATORY TESTING SUBJECT TO CLIA

| CLIA certificate type | Number of laboratories | Number of tests |
| --- | --- | --- |
| Certificate of Compliance | 20,470 | 3,122,772,023 |
| Certificate of Accreditation | 16,829 | 8,998,058,524 |
| Certificate of Waiver | 158,996 | 477,094,700 |
| Certificate of Provider Performed Microscopy (PPM) | 38,461 | 207,777,472 |
| Totals | 234,756 | 12,805,702,719 |

TABLE 6—NUMBER OF LABORATORIES IMPACTED BY NEW INDIVIDUAL ACCESS PROVISIONS

| State or territory | Number of laboratories | Number of tests |
| --- | --- | --- |
| Alaska | 103 | 10,688,466 |
| Alabama | 868 | 252,267,262 |
| Arkansas | 540 | 74,686,910 |
| Arizona | 581 | 195,731,588 |
| Colorado | 499 | 138,847,079 |
| Georgia | 1,190 | 217,997,888 |
| Guam | 13 | 2,500,654 |
| Hawaii | 117 | 36,918,267 |
| Idaho | 230 | 33,092,465 |
| Illinois | 1,053 | 1,852,543,312 |
| Indiana | 621 | 190,732,493 |
| Iowa | 548 | 82,389,916 |
| Kansas | 438 | 240,744,893 |
| Kentucky | 710 | 133,586,267 |
| Louisiana | 677 | 135,050,184 |
| Maine | 140 | 36,150,552 |
| Minnesota | 832 | 165,066,668 |
| Mississippi | 523 | 45,808,928 |
| Missouri | 683 | 192,145,580 |
| Montana | 961 | 300,480,983 |
| Nebraska | 317 | 33,103,996 |
| New Mexico | 189 | 44,642,110 |
| North Carolina | 673 | 48,771,993 |
| North Dakota | 177 | 49,833,112 |
| Northern Mariana Islands | 181 | 56,185,878 |
| Ohio | 634 | 163,151,403 |
| Oklahoma | 485 | 111,005,884 |
| Pennsylvania | 747 | 87,776,132 |
| Rhode Island | 477 | 91,657,444 |
| South Carolina | 453 | 38,185,190 |
| South Dakota | 469 | 171,638,497 |
| Tennessee | 2,626 | 949,935,182 |
| Texas | 1,594 | 155,118,958 |
| Utah | 705 | 256,856,757 |
| Vermont | 245 | 174,974,043 |
| Virgin Islands | 45 | 11,413,475 |
| Washington | 936 | 167,818,742 |
| Wisconsin | 482 | 73,457,876 |
| Wyoming | 54 | 2,884,622 |
| Total | 22,816 | 7,025,841,649 |

In addition to complying with the
individual access requirements, a total
of 33,087 laboratories in the states and
territories that are affected by the
HIPAA notice provisions will need to
revise their notices of privacy practices
to reflect the right of individuals to
obtain test reports directly from
laboratories (see Table 7). However, as
stated above, we recognize that some
laboratories included in these estimates
may not be covered entities under
HIPAA and, therefore, would not be
required to provide direct individual
access and would not be required to
revise any notices.
TABLE 7—NUMBER OF LABORATORIES IMPACTED BY THE HIPAA PRIVACY RULE REQUIREMENT TO REVISE THEIR NOTICES OF PRIVACY PRACTICES

| State | Number of laboratories |
| --- | --- |
| Alaska | 103 |
| Alabama | 868 |
| Arkansas | 540 |
| Arizona | 581 |
| California | 2,919 |
| Colorado | 499 |
| Connecticut | 379 |
| Florida | 2,462 |
| Georgia | 1,190 |
| Guam | 13 |
| Hawaii | 117 |
| Idaho | 230 |
| Illinois | 1,053 |
| Indiana | 621 |
| Iowa | 548 |
| Kansas | 438 |
| Kentucky | 710 |
| Louisiana | 677 |
| Massachusetts | 693 |
| Maine | 140 |
| Michigan | 926 |
| Minnesota | 832 |
| Mississippi | 523 |
| Missouri | 683 |
| Montana | 961 |
| Nebraska | 317 |
| New Mexico | 189 |
| New York | 2,425 |
| North Carolina | 673 |
| North Dakota | 177 |
| Northern Mariana Islands | 181 |
| Ohio | 634 |
| Oklahoma | 485 |
| Pennsylvania | 747 |
| Rhode Island | 477 |
| South Carolina | 453 |
| South Dakota | 469 |
| Tennessee | 2,626 |
| Texas | 1,594 |
| Utah | 705 |
| Vermont | 245 |
| Virgin Islands | 45 |
| Virginia | 467 |
| Washington | 936 |
| Wisconsin | 482 |
| Wyoming | 54 |
| Totals | 33,087 |

A. Information Collection Requests
(ICRs) Regarding the Development of
Process To Provide Patient Access to
Test Reports (§ 493.1291)
Under § 493.1291(l), we assume that
the development of the mechanisms to
provide patient access to laboratory test
reports will be a one-time burden and
that each laboratory will develop its
own unique policies and procedures to
address patient access or adopt
mechanisms/procedures developed by
consultants or associations representing
laboratories. We assume a one-time
burden of 2 to 9 hours to identify the
applicable legal obligations and to
develop the processes and procedures
for handling patient requests for access
to test reports. While we provide a range
of burden estimates in this final rule, for
purposes of OMB review and approval
we will submit burden estimates based
on 9 hours. We also assume an hourly
rate for a management-level employee to
be $50.06 (see Table 1).
The range of costs for laboratories to
develop the necessary processes and
procedures for handling patient requests
is:
(2 hours × $50.06 per hour × 22,816
laboratories) = $2,284,338
(9 hours × $50.06 per hour × 22,816
laboratories) = $10,279,521
Since this is a one-time burden, the
average annual cost over the 3-year
OMB approval period, which is the
period between approval and renewal of
the information collection by OMB, will
range between $761,446 and $3,426,507.
The ongoing burden associated with
responding to test report requests is
dependent upon the total number of test
reports that exist in affected
laboratories, the percent of the results
that would be requested, and the cost of
producing these reports for those
individuals who ask for direct access.
Laboratory test reports are commonly
understood to contain multiple test
results with many laboratory tests being
ordered as panels of tests. Each
laboratory may have its own unique test
report panels which may contain
anywhere from 1 to 20 individual test
results.
Using a range of 10 to 20 test results
in a test report, we estimated the annual
number of test reports that may be
requested to be:
(7,025,841,649 tests per year/20 tests per
report) = 351,292,082 test reports/year
(7,025,841,649 tests per year/10 tests per
report) = 702,584,165 test reports/year
We are unaware of any data that
would provide a reasonable estimate for
the number of patients who would
request test reports from laboratories if
they are available. We solicited public
comments on this issue but did not
receive any to inform our estimates.
Therefore, we assume a range of 1 in
2,000 patients (0.05 percent) to 1 in 200
patients (0.50 percent) will request
direct access to his or her test report.
Using these figures, the range of the
number of patient requests per year will
be:
(351,292,082 test reports per year ×
.0005) = 175,646 patient requests per
year
(702,584,165 test reports per year × .005)
= 3,512,921 patient requests per year
The processing of a patient request for
a test report generally covers steps from
actual receipt of the patient’s request to
the delivery of the report and
documentation of the delivery. Requests
for laboratory results are usually
handled by non-managerial or clerical
staff. Due to the lack of data that
indicates the amount of time it takes for
staff to process a test report request, we
assume a range of 10 minutes (0.17
hours) to 30 minutes (0.5 hours) to
handle a request from start to finish.
We then multiplied this range by the
range of the anticipated number of
patient requests to obtain the total
annual burden hours:
(175,646 patient requests per year × 0.17
hours) = 29,860
(3,512,921 patient requests per year × 0.5
hours) = 1,756,461
We then multiplied this range by the
hourly rate of $30.09 for a clerical-level
employee (see Table 1) to develop the
total labor cost of reporting:
29,860 (total annual burden hours) ×
$30.09 = $898,487
1,756,461 (total annual burden hours) ×
$30.09 = $52,851,911
TABLE 8—SUMMARY OF ANNUAL REQUIREMENTS AND BURDEN ESTIMATES

| Regulation section(s) | OMB Control No. | Respondents | Responses | Burden per response (hours) | Total annual burden (hours) | Hourly labor cost of reporting ($) | Total labor cost of reporting ($) | Total capital/maintenance costs ($) | Total cost ($) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 42 CFR 493.1291 | 0938—New | 22,816 | 22,816 | 9 | 205,344 | 50.06 | 10,279,521 | 0 | 10,279,521 |
| 42 CFR 493.1291 | 0938—New | 3,512,921 | 3,512,921 | .5 | 1,756,461 | 30.09 | 52,851,911 | 0 | 52,851,911 |
| Total | | 3,535,737 | 3,535,737 | | 1,961,804 | | 63,131,432 | | 63,131,432 |

We will exercise our enforcement
discretion to allow HIPAA-covered
laboratories to revise their notices only
once to reflect the changes to privacy
practices of these entities both resulting
from this rule, as well as the final rule
published on January 25, 2013,
modifying the HIPAA Rules, which
became effective on March 26, 2013 (78
FR 5566). Since we accounted for the
overall burden to covered health care
providers, including laboratories, of
revising notices in the burden statement
accompanying the January 25, 2013,
final rule (78 FR 5669), we do not
include estimates of any additional
burden in this rule.
If you comment on these information
collection and recordkeeping
requirements, please submit your
comments to the Office of Information
and Regulatory Affairs, Office of
Management and Budget, Attention:
CMS Desk Officer, [CMS–2319–F] Fax:
(202) 395–6974; or Email: OIRA_submission@omb.eop.gov.
VII. Regulatory Impact Analysis
A. Overall Impact
We have examined the impacts of this
final rule as required by Executive
Order 12866 on Regulatory Planning
and Review (September 30, 1993),
Executive Order 13563 on Improving
Regulation and Regulatory Review
(January 18, 2011), the Regulatory
Flexibility Act (RFA) (September 19,
1980, Pub. L. 96–354), section 1102(b) of
the Social Security Act, section 202 of
the Unfunded Mandates Reform Act of
1995 (March 22, 1995; Pub. L. 104–4),
Executive Order 13132 on Federalism
(August 4, 1999), and the Congressional
Review Act (5 U.S.C. 804(2)).
Executive Orders 13563 and 12866
direct agencies to assess all costs and
benefits of available regulatory
alternatives and, if regulation is
necessary, to select regulatory
approaches that maximize net benefits
(including potential economic,
environmental, public health and safety
effects, distributive impacts, and
equity). Executive Order 13563
emphasizes the importance of
quantifying both costs and benefits, of
reducing costs, of harmonizing rules,
and of promoting flexibility. This final
rule has been designated a “significant
regulatory action” although not
economically significant, under section
3(f) of Executive Order 12866.
Accordingly, the rule has been reviewed
by the Office of Management and
Budget.
Laboratories regulated under CLIA
that do not currently provide patients
with an opportunity to receive, upon
request, a copy of their laboratory test
report (defined in CLIA § 493.1291) are
affected by this final rule. According to
the CMS OSCAR database accessed on
August 27, 2012, there are 234,756
laboratories in the United States that are
subject to CLIA. OSCAR is a data
network maintained by CMS in
cooperation with the state surveying
agencies and accrediting organizations
that provides a compilation of all the
data elements collected during
inspection surveys conducted at
laboratories. Of the total CLIA-certified
laboratories identified in the OSCAR
database, we believe approximately 90
percent of these would not be impacted
by the individual access provisions
because they perform testing either
under a Certificate of Waiver or
Certificate of Provider Performed
Microscopy (PPM) or they are located in
states that already allow the laboratory
to provide patient access to test reports,
either directly or with provider
approval. Removing the step in which
the provider grants permission to the
laboratory should not pose an additional
impact on the laboratory, as we believe
these laboratories already have
processes in place to provide patients
access to test reports once that
permission is received.
We expect that 22,816 laboratories
located in the 39 states and territories
identified in Table 3 as having no state
law or a state law that provides test
reports only to the provider will be
impacted by the individual access
provisions in this final rule. In addition,
we expect that 33,087 laboratories
located in the 46 states and territories
identified in Table 4 as having no state
law, a state law that provides test
reports only to the provider, or a state
law that permits test reports to go to
patients only with provider approval,
will be affected by the HIPAA
requirement to update their notices of
privacy practices. We believe that this
final rule does not constitute an
economically significant rule because
we estimate the range of overall annual
costs that would be expended by the
affected laboratories would be less than
$100 million for 2013.
The RFA requires agencies to analyze
options for regulatory relief of small
entities, if a rule has a significant impact
on a substantial number of small
entities. For purposes of the RFA, we
assume that the great majority of
medical laboratories are small entities,
either by virtue of being nonprofit
organizations or by meeting the SBA
definition of a small business by having
revenues of less than $13.5 million in
any 1 year. We believe at least 83
percent of medical laboratories qualify
as small entities based on their
nonprofit status as reported in the
American Hospital Association Fast
Fact Sheet updated June 24, 2010
(https://www.aha.org/aha/resource-center/Statistics-and-Studies/Fast_Facts_Nov_11_2009.pdf).
Other options for regulatory relief of
small businesses, as discussed in
section E of this final rule, were
determined not to be feasible and
therefore these options were not
analyzed for this final rule. We believe
any alternative to allowing the
laboratory to provide patient access to
test reports would be counterproductive
to the Department’s efforts to provide
patient-centered health care. We are
unaware of any instances in which the
changes included in this final rule
would affect health care entities
operated by small government
jurisdictions.
Section 1102(b) of the Social Security
Act also requires us to prepare a
regulatory impact analysis if a rule may
have a significant impact on the
operations of a substantial number of
small rural hospitals. This analysis must
conform to the provisions of section 604
of the RFA. For purposes of section
1102(b) of the Act, we define a small
rural hospital as a hospital that is
located outside of a metropolitan
statistical area and has fewer than 100
beds. We do not expect this final rule
would have a significant impact on
small rural hospitals. The final rule
applies only to laboratories. If a small
rural hospital operates a laboratory, we
anticipate compliance with this final
rule will require minimal effort as we
expect that the hospital already has
procedures in place for responding to
individual access requests for hospital
records under the HIPAA Privacy Rule.
We believe that these existing policies
and procedures should be easy to
translate for use in direct access
requests to hospital-operated
laboratories. Therefore, the Secretary
has determined that this final rule does
not have a significant impact on the
operations of a substantial number of
small rural hospitals.
Section 202 of the Unfunded
Mandates Reform Act of 1995 (UMRA)
also requires that agencies assess
anticipated costs and benefits before
issuing any rule whose mandates
require spending in any 1 year of $100
million in 1995 dollars, updated
annually for inflation. In 2013, that
threshold is approximately $142
million. We do not anticipate this final
rule will impose an unfunded mandate
on states, tribal governments, or the
private sector of more than $142 million
annually. Executive Order 13132
establishes certain requirements that an
agency must meet when it promulgates
a proposed rule (and subsequent final
rule) that imposes substantial direct
requirements and costs on state and
local governments, preempts state law,
or otherwise has Federalism
implications.
The changes to the CLIA regulations
at § 493.1291 will not have a substantial
direct effect on state and local
governments, preempt state law, or
otherwise have a Federalism
implication and there is no change in
the distribution of power and
responsibilities among the various
levels of government.
The Federalism implications of the
Privacy Rule were assessed as required
by Executive Order 13132 and
published as part of the preamble to the
final rule on December 28, 2000 (65 FR
82462, 82797). Regarding preemption,
though the changes to the Privacy Rule
will preempt a number of state laws (see
Table 4), this preemption of state law is
consistent with the preemption
provision of the HIPAA statute. The
preamble to the final Privacy Rule
explains that the HIPAA statute dictates
the relationship between state law and
Privacy Rule requirements, and the
rule’s preemption provisions do not
raise Federalism issues.
We do not believe that this rule will
impose substantial direct compliance
costs on state and local governments.
We do not believe that a significant
number of laboratories affected by these
proposals are operated by state or local
governments. Therefore, the
modifications in these areas will not
cause additional costs to state and local
governments.
In considering the principles in and
requirements of Executive Order 13132,
the Department has determined that the
modifications to the Privacy Rule will
not significantly affect the rights, roles
and responsibilities of the states.
B. Anticipated Effects
The current CLIA regulations and
related laws of the states and territories
pose potential barriers to the laboratory
exchange of health care information
(test reports) directly with the patient.
These regulatory changes will amend
§ 493.1291(f) and add § 493.1291(l) to
the CLIA regulations and also amend
§ 164.524 of the Privacy Rule. These
changes are being made in support of
the Department’s efforts toward
achieving patient-centered and health
IT-enabled health care and would allow
patients direct access to their laboratory
test reports from a laboratory.
The changes providing for individual
access will impact laboratories in 39
states and territories (Table 3) where
state law does not permit the laboratory
to provide test reports directly to the
patient. These changes do not impact
the laboratories in the remaining 16
states and territories where the
laboratory is allowed to provide the test
report to the patient either directly or
after provider approval. However,
laboratories in 46 states and territories
(Table 4) where state law does not
permit the laboratory to provide test
reports directly to the patient or permits
direct access only after provider
approval, will be impacted by the
requirement to update their HIPAA
notice of privacy practices to reflect
individuals’ new access rights under
this final rule.
C. Costs
Although data are not available to
calculate the estimated costs and
benefits that will result from these
changes, we are providing an analysis of
the potential impact based upon
available information and certain
assumptions. These regulatory changes
are anticipated to have the following
associated costs and benefits:
• The impacted laboratories may
require additional resources to ensure
patients receive test reports when
requested.
• Patients will benefit from having
direct access to their laboratory test
results. (See section D below).
1. Quantifiable Impacts
Laboratories that are issued a CLIA
Certificate of Compliance or Certificate
of Accreditation in the 39 states and
territories identified in Table 3 will be
required to provide patients with a copy
of their test report upon request. The
OSCAR database includes 22,816
laboratories in the 39 states and
territories that will be impacted and the
corresponding number of annual tests in
these laboratories is approximately 7
billion as shown in Table 6. Data are not
available for estimating the number of
test results reported per test report.
However, the majority of test reports
contain multiple test results. Tests are
frequently ordered as panels of
individual tests. For example, according
to 2008 CMS reimbursement data, three
of the four most frequently ordered tests
in the Medicare outpatient setting are
panels of multiple individual tests,
some of which may contain up to 20
tests. As part of a medical encounter,
frequently more than one panel is
ordered per patient, and a test report
could contain a large number of
individual test results. Therefore, for the
purposes of this analysis, an assumed
range of 10 to 20 is used to represent the
average number of test results per test
report. Applying this range to the total
number of annual tests (7,025,841,649)
from Table 6, the estimated number of
total annual test reports ranges from a
low of 351,292,082 to a high of
702,584,165.
For the purposes of this analysis, we
assume that many patients will still
prefer to obtain their laboratory result
information from their health care
provider, who will also be able to
provide interpretation of the test results,
and thus an assumed range of from 1 in
2,000 (0.05 percent) to 1 in 200 (0.50
percent) is used to represent the
proportion of test reports requested.
Applying this range to the number of
estimated annual test reports
(351,292,082 to 702,584,165) yields an
estimated annual number of patient
requests ranging from 175,646 to
3,512,921.
Processing a request for a test report,
either manually or electronically, will
require completion of the following
steps: (1) Receipt of the request from the
individual; (2) authentication of the
identification of the individual; (3)
retrieval of test reports; (4) verification
of how and where the individual wants
the test report to be delivered and
provision of the report by mail, fax,
email or other electronic means; and (5)
documentation of test report issuance.
We estimate the total time to process
each test report request to be in the
range of 10 minutes (0.17 hours) to 30
minutes (0.5 hours). This estimate for a
range of total time includes estimates for
a range of time for each of the five steps
listed above. The time needed to
complete each step is dependent on the
capabilities of the laboratory, such as
whether manual or automated processes
are available, and the desired method of
communication of test reports to the
individual patient as listed in step four.
We multiplied the range for the number
of patient requests, 175,646 to 3,512,921,
by 0.17 hours and 0.5 hours to
determine the total number of hours for
processing the test reports to be in the
range of 29,860 to 1,756,461. The
estimated annual cost to process all test
report requests in 2013 ranges from
$898,487 to $52,851,911.
The analysis also assumed each of the
estimated 22,816 laboratories to be
impacted by individual access
provisions of this rule (Table 6) will
need to develop and implement a policy
and process to receive and respond to
patient requests as discussed above. To
estimate the initial, one-time
development cost, it is assumed to
require laboratory management staff
time ranging from a low of 2 hours to
a high of 9 hours per laboratory. To
convert the number of hours to an
estimated cost per laboratory, we
applied the rate of $50.06 (see Table 1)
to the assumed 2 to 9 hour time range,
which yields an estimated cost per laboratory
ranging from $100.12 to $450.54. When
applied to the estimated 22,816
laboratories impacted, this results in a total
estimated one-time development cost
ranging from $2,284,338 to $10,279,521.
Table 9 shows the total estimated
range of annual costs for the change in
undiscounted 2013 dollars and
discounted at 3 percent and 7 percent to
translate expected benefits or costs in
any given future year into present value
terms. To calculate the total estimated
costs in 2013, we added the cost to
develop the necessary policies and
processes (which would only be
applicable in the first year) and the cost
of responding to test report requests.
These costs total between $3 million
and $63 million for 2013 to provide
patients with access to their laboratory
test reports. As subsequent years will
only entail the costs associated with
processing requests, we simply took the
2013 values for the cost of responding
to test reports and applied the same
inflation factor used in Table 1 for the
hourly rate calculations. The resulting
values can be found in Table 9.
TABLE 9—TOTAL ESTIMATED ANNUAL COSTS OF PATIENT TEST REPORT REQUESTS
[Policy development and processing for the patient access]

| Year | Undiscounted (Base year: 2013 $), Low | Undiscounted (Base year: 2013 $), High | Discounted at 3%, Low | Discounted at 3%, High | Discounted at 7%, Low | Discounted at 7%, High |
|------|------|------|------|------|------|------|
| 2013 | $3,182,819 | $63,131,432 | $3,090,115 | $61,292,652 | $2,974,597 | $59,001,338 |
| 2014 | 932,243 | 55,934,563 | 878,728 | 52,723,690 | 814,257 | 48,855,414 |
| 2015 | 959,045 | 57,542,682 | 877,662 | 52,659,705 | 782,866 | 46,971,969 |
| 2016 | 986,617 | 59,197,034 | 876,597 | 52,595,798 | 752,686 | 45,161,134 |
| 2017 | 1,014,982 | 60,898,949 | 875,533 | 52,531,968 | 723,668 | 43,420,109 |

Laboratories will be able to offset
some of these costs pursuant to
§ 164.524(c)(4) of the HIPAA Privacy
Rule, which permits covered entities to
impose on the individual a reasonable,
cost-based fee for providing access to
their health information, including the
cost of supplies for and labor of copying
the requested information.
As we explain above, with respect to
notices of privacy practices, we are
exercising our enforcement discretion to
allow HIPAA-covered laboratories to
revise their notices only once to reflect
the changes to privacy practices of these
entities both resulting from this rule, as
well as the final rule published on
January 25, 2013, modifying the HIPAA
Rules, which became effective on March
26, 2013 (78 FR 5566). Since we
accounted for the overall costs to
covered health care providers, including
laboratories, of revising and reprinting
notices in the impact statement
accompanying the January 25, 2013,
final rule (78 FR 5669), we do not
include here any estimates of additional
costs to revise and print notices.
Therefore, we estimate the cost to
provide patients with access to their
laboratory test reports to be
between $3 million and $63 million for
2013.
2. Non-Quantifiable Impacts
The burden in this final rule would be
primarily on laboratories to provide the
laboratory test reports when requested
by the patient; however, there may be
some non-quantifiable impacts on the
health care provider’s office. If the
patient does not know where the
provider sent the test request, the
provider may need to provide laboratory
contact information to the patient so he
or she may request the test report. We
assume that notification of the
laboratory name and contact
information could be provided in as
little as 30 seconds; however, there are
no data to confirm this, and we did not
receive comments on the issue. We also
note that since the provider may need
to provide an interpretation of the test
results, the provider may give the
patient a copy of the test report rather
than referring the patient to the
laboratory for the information. The time
cost to patients of new interactions with
laboratories is a further impact of the
rule that has not been quantified.
D. Benefits
Although we cannot quantify the
impact on patients, we believe that it
will be positive in light of findings from
studies that focused on patient receipt
of test results from the provider. We
found several studies where greater than
90 percent of patients stated they
preferred being notified of all test
results, both normal and abnormal (1.
Baldwin DM, Quintela J, Duclos C, et al.
Patient Preferences for Notification of
Normal Laboratory Test Results: A
Report from the ASIPS Collaborative.
BMC Fam Practice 2005; 6:11; 2.
Boohaver EA, Ward RE, Uman JE et al.
Patient Notification and Follow-up of
Abnormal Test Results. Arch Intern Med
1996; 327–331; 3. Grimes GC, Reis MD,
Gokul B, et al. Patient Preferences and
Physician Practices for Laboratory Test
Result Notification. JABFM
2009:22:6:670–676; and 4. Meza JP and
Webster DS. Patient Preferences for
Laboratory Test Result Notification. Am
J Manag Care 2000; 6:1297–300). These
same studies reported, for both the
health care provider and patient, the
preferred method for receiving normal
test results was the U.S. mail, and direct
phone contact from the provider was the
preferred method for abnormal test
results. These preferences may have
changed in the last 5 years given the
increase in the use of electronic
communications. Advantages reported
in these studies for the patient having
direct access to the test report include
reduced workload for the health care
provider’s office, reduced chance of a
patient not being informed of a
laboratory test result, and reduced
numbers of patients who fail to seek
appropriate medical care. Additionally,
we expect significant benefits to flow to
patients as a result of increased access
to their laboratory test results.
Commenters to this final rule describe
these benefits as including increased
patient participation in treatment
programs, such as those that involve
monitoring of chronic diseases, and the
ability of patients to identify and treat
health risks sooner and more effectively.
E. Alternatives Considered
The changes to the CLIA regulations
and the HIPAA Privacy Rule are in
support of the Department’s efforts
toward achieving patient-centered
health care. Several alternatives were
considered before selecting the
approach in this final rule to provide
access to laboratory test reports upon a
patient’s request. One alternative would
have been to leave the regulations as
written without making any changes.
However, this option would leave in
place the restrictions on patients’ direct
access to their laboratory test results and
would therefore impede the goal of
promoting patient-centered health care.
Another alternative would have been to
revise the definition of ‘‘authorized
person’’ under CLIA to specifically
include a patient as an authorized
person. This alternative was not
considered feasible because the
definition of ‘‘authorized person’’ in the
CLIA regulations also permits
individuals to order tests, and it defers
to state law for authorization. A last
alternative considered would have been
to require the laboratory to
automatically provide each test report
directly to each patient rather than the
permissive approach to provide patients
access to their reports upon request.
However, this alternative would have
had the potential of significantly
increasing the cost for laboratories since
100 percent of the 350 million to 703
million test reports issued annually
would need to be provided to the
patients.
F. Accounting Statement and Table
We have prepared the following
accounting statement showing the
classification of the expenditures
associated with the provisions of this
final rule.

| Category | Primary estimate | Minimum estimate | Maximum estimate | Source citation (RIA, preamble, etc.) |
|------|------|------|------|------|
| BENEFITS: | | | | |
| Monetized benefits | n/a | n/a | n/a | RIA Section C2 |
| Annualized qualified, but unmonetized, benefits | n/a | n/a | n/a | RIA Section C2 |
| (Unqualified benefits) | n/a | n/a | n/a | RIA Section C2 |
| COSTS: | | | | |
| Monetized costs (2012 $): | | | | |
| Patient access provisions 2013 | n/a | $3,182,819 | $63,131,432 | RIA Sec C1 (Table 7) |
| Patient access provisions 2014 | n/a | $932,243 | $55,934,563 | RIA Sec C1 (Table 7) |
| Patient access provisions 2015 | n/a | $959,045 | $57,542,682 | RIA Sec C1 (Table 7) |
| Patient access provisions 2016 | n/a | $986,617 | $59,197,034 | RIA Sec C1 (Table 7) |
| Patient access provisions 2017 | n/a | $1,014,982 | $60,898,949 | RIA Sec C1 (Table 7) |
| Annualized quantified, but unmonetized, benefits | n/a | n/a | n/a | n/a |
| Qualitative (unquantified) costs | n/a | n/a | n/a | RIA Section C2 |
| TRANSFERS: | | | | |
| Annualized monetized transfers: ‘‘on budget’’ | n/a | n/a | n/a | n/a |
| From whom to whom? | n/a | n/a | n/a | n/a |
| Annualized monetized transfers: ‘‘off-budget’’ | n/a | n/a | n/a | n/a |
| From whom to whom? | n/a | n/a | n/a | n/a |

| Category | Effects | Source citation (RIA, preamble, etc.) |
|------|------|------|
| Effects on State, local, and/or tribal governments | n/a | RIA Sec A (Table 4) |
| Effects on small businesses | n/a | RIA Section A |
| Effects on wages | n/a | n/a |
| Effects on growth | n/a | n/a |

G. Conclusion
We estimated the cost to laboratories
to provide patients with a copy of their
test reports upon request and
determined it would cost between $3
million and $63 million in 2013. These
costs will diminish in subsequent years.
In addition, laboratory provision of test
reports to patients may provide
information that could benefit the
patient by reducing the chance of the
patient not being informed of a
laboratory test result, reducing the
number of patients lost to follow-up,
and benefiting health care providers by
reducing their workload in providing
laboratory test reports. Finally, as we
explain above, to avoid HIPAA-covered
laboratories having to modify their
notices twice within the same year to
comply with both the January 25, 2013,
final rule and this rule, we will exercise
our enforcement discretion to allow
CLIA laboratories (including CLIA-exempt
laboratories) that are HIPAA
covered entities to take until the
compliance date of this final rule to
revise their notices to reflect both sets
of modifications. See
https://www.hhs.gov/ocr/privacy/hipaa/enforcement/clia-labs.html.
Therefore,
CLIA and CLIA-exempt laboratories that
are HIPAA covered entities need only
update their notices once to comply
with both rules.
In accordance with the provisions of
Executive Order 12866, this regulation
was reviewed by the Office of
Management and Budget.
VIII. Analysis of and Responses to
Public Comments on the Paperwork
Reduction and Regulatory Impact
Analysis
We have provided an analysis of the
potential impact of this final rule, based
upon available information and certain
assumptions. We have prepared the
Paperwork Reduction Act and the
Regulatory Impact Analysis representing
the costs and benefits of the final rule
based on analysis of identified variables
and data sources needed for this change.
We requested that commenters provide
any additional data that would assist us
in the analysis of the potential impact
of this regulation on CLIA certified
laboratories but we did not receive any
additional data.
Therefore, based on our analysis and
assessment of the overall annual costs to
the laboratories affected by this final
rule, we are finalizing the provisions as
set forth in the proposed rule. The
comments we received on this provision
and our responses are set forth below.
Comment: We received several
comments from organizations and
individuals suggesting the
implementation and operations cost
estimate provided in the regulatory
impact analysis (that is, for the
laboratory to receive the request,
authenticate that the requestor is allowed to
have access to the test report, process
the request and provide the test report)
was too low. Some suggested there were
other factors that were not considered in
the proposed rule’s RIA, such as costs
for training staff to provide the reports
in a compliant manner, verification that
the information was received, and for
providing an explanation or summary of
results, which may require higher level
staff than those at a clerical level. Some
recommended we review the
anticipated cost structure and contact
several laboratories to request best
estimates. One organization
recommended that we permit
laboratories to charge a standard fee
between $10 and $15 per test report
issued to cover overall administrative
costs, which would be in addition to the
actual cost of the supplies used to
provide the test report to the patient or
personal representative or, if applicable,
a third party designated by the
individual.
Response: Our cost estimate was
based on assumptions from internal
discussions and consultation with two
laboratories that provide test reports
directly to patients. Although the
proposed rule solicited comments and
additional data from laboratories that
already provide test reports directly to
the patient, we did not receive any data
to support adjusting the estimates
provided in the proposed rule;
therefore, we are not adjusting those
estimates in this final rule and
acknowledge that they may not reflect
costs for every laboratory setting. We
appreciate the commenter’s suggestion
about staff training costs; however, we
believe that there is no need to include
additional costs for training staff to
provide the reports in a HIPAA Privacy
Rule compliant manner since training
cost was part of our original estimate for
developing and implementing a policy
and process.
In addition, the HIPAA Privacy Rule
permits covered entities to charge a
reasonable cost-based fee to provide
individuals with copies of their
protected health information. The fee
may include only the cost of copying
(including supplies and labor) and
postage, if the individual requests that
the copy be mailed. If the individual (or
individual’s personal representative)
has agreed to receive a summary or
explanation of his or her protected
health information, the covered entity
may also charge a reasonable, cost-based
fee for preparation of the summary or
explanation. The fee may not include
costs associated with searching for and
retrieving the requested information,
nor does the HIPAA Privacy Rule permit
charging a standard fee; therefore, this
final rule does not permit laboratories to
charge these fees. The fees permitted to
be charged to individuals under the
HIPAA Privacy Rule are discussed more
fully above in section VII.
Comment: We received a few
comments that smaller, rural hospitals,
particularly Critical Access Hospitals
(CAHs), may face financial constraints
that would make compliance with this
requirement challenging.
Response: The impacts discussed in
the preamble affect only those
laboratories that currently do not
provide patients with access to their
health information. Since most hospitals
are HIPAA covered entities, they are
required already to provide individuals
with access to the protected health
information in their designated record
sets, including laboratory test results, in
accordance with § 164.524 of the HIPAA
Privacy Rule. As discussed above,
laboratories that operate as part of a
legal entity that is a hospital or that are
part of an affiliated covered entity or
organized health care arrangement with
the hospital (see the definition of
‘‘organized health care arrangement’’ in
the HIPAA Rules at § 160.103, and the
provisions for affiliated covered entities
at § 164.105(b)), may continue to utilize
the hospital’s already established
mechanisms for providing access to the
individuals requesting their test reports
from the hospital laboratories, provided
that the established mechanisms are
compliant with the access provisions of
the HIPAA Privacy Rule.
Comment: Several commenters asked
why we used test volume data that was
self-reported rather than validated Part
B claims or actual claims. Other
commenters asked why we did not
analyze the cost of providing access to
completed test reports to Medicare
fee-for-service beneficiaries in states that
already allow laboratories to provide a
copy of test results to the patient.
Response: We used data from the
CMS OSCAR database for our estimates.
The OSCAR database is not limited to
Medicare-reimbursed tests only, but also
includes testing totals for laboratory
tests reimbursed by private payers and
those that are not reimbursed. Test
volume is self-reported by laboratories
and validated by CMS surveyors during
laboratory inspections. This data is
more accurate for estimating the impact
of these changes. We requested
comments from laboratories that are
currently providing test reports to the
patient. We did not receive any
comments that would support adjusting
the estimates provided in the proposed
rule; therefore, we conclude that these
estimates are sufficiently accurate and
have retained those estimates in this
final rule.
Comment: We received several
comments disagreeing with the time
estimate of 2 to 9 hours for laboratories
to identify the applicable legal
obligations and develop processes or
procedures to handle the patient
requests for access to test reports. One
commenter stated that his institution
had reported spending several hours in
meetings between administration,
laboratory management, and legal
counsel examining procedural options
and the risks of each procedure. Other
commenters stated that it would not be
possible for the information technology/
data privacy teams to meet this
requirement in the allotted timeframe
for implementation. Several
commenters suggested some laboratories
may need to develop policies related to
sensitive issues, such as minors and
parent/guardian access or release of the
results of drug testing that might have
an impact on the laboratory’s liability
insurance costs. Other comments stated
that the policy development would not
be a one-time charge since laboratories
would need to monitor all new state and
federal regulations related to the
disclosure of protected health
information.
Response: Our cost estimate was
based on assumptions from internal
discussions and consultation with two
laboratories that provide test reports
directly to patients. Although the
proposed rule solicited comments and
additional data from laboratories that
already provide test reports directly to
the patient, we did not receive any data
to support adjusting the estimates
provided in the proposed rule. We
acknowledge that these estimates may
not reflect costs for every laboratory
setting. However, in the absence of data
to support changing our estimate, we are
not adjusting those estimates in this
final rule. Laboratories may be able to
learn from those in the 16 states that
allow the laboratory to provide a copy
of the test results to the patient and from
larger reference laboratories that have
already developed policies to
accommodate requests received from
patients that receive testing in these 16
states. The HHS Office for Civil Rights,
which administers and enforces the
HIPAA Privacy Rule, provides guidance
on its Web site and through other
sources on many compliance issues,
including regarding disclosure of
information on minors. See
https://www.hhs.gov/ocr/privacy/ for more
information. This may be a new
requirement for laboratories, but other
HIPAA covered entities have, for quite
some time, followed the requirements in
§ 164.524 of the HIPAA Privacy Rule
when providing protected health
information.
Comment: We received comments
from organizations that supported the
proposed change, but noted it would be
impossible to know how many
individuals would request their test
reports. Other comments suggested the
laboratory could receive a barrage of
requests. One comment said our
estimates of 0.05 percent to 0.5 percent
of patients requesting their test report
from the laboratory falls short of what
is needed to meet the Department’s goal
of patient engagement to ensure the
provider receives and acts on the test
results. The commenters suggested that
under the health care transformation
that is taking place, the patient could be
provided a digitally signed copy of the
laboratory report in his or her electronic
patient health record (EHR) at the same
time and in the same format as the
laboratory report provided
electronically to the requesting health
care provider’s electronic health record.
Patients would only need to give the
requesting provider the repository
identifier for their personally controlled
health record for inclusion with the
laboratory test order.
Response: We agree that it is difficult
to know how many individuals will
request their test report from covered
entity laboratories. However, we
received several comments indicating
that the preferred method for a patient
to receive laboratory test results is the
same procedure as currently practiced;
that is, the health care provider’s office
notifies the patient of the results on the
same day the results are received from
the laboratory. This procedure allows
the patient to ask the health care
provider’s office for interpretation of the
laboratory test report in concert with
results of other procedures, as well as
provides an opportunity to discuss any
needed treatment or follow-up.
Allowing patients to request and receive
laboratory test reports directly from the
laboratory will provide an additional
route for them to receive the test report.
However, this will not replace the
current procedure. If the ordering
physician does not contact the patient
with critical or significant laboratory
test results, patients may prompt the
physician’s office to find and act on the
test results. The rate of apparent failures
to inform or document informing the
patient of abnormal test results ranges
from 0 percent to 26.2 percent [Casalino
LP, Dunham D, Chin MH, et al.
Frequency of Failure to Inform Patients
of Clinically Significant Outpatient Test
Results. Arch Intern Med. 2009;
169(12):1123–1129]. When patients
have their laboratory test results, they
are more likely to ask appropriate
questions of their health care provider
and more fully participate in making
better decisions that lead to better care.
The regulations promulgated pursuant
to the HITECH Act, particularly for
Meaningful Use and Certification of
EHRs, encourage patient access to
comprehensive patient data through
robust patient-centered health
information exchange. Technology is
currently being tested to allow patients
the ability to retrieve personal health
data directly from secured health
records. We agree with the comment
about electronic health records in that a
request for access for protected health
information to either the health care
provider or the laboratory may be
replaced with this technology as it
becomes more readily available.
List of Subjects
42 CFR Part 493
Administrative practice and
procedure, Grant programs-health,
Health facilities, Laboratories, Medicaid,
Medicare, Penalties, Reporting and
recordkeeping requirements.
45 CFR Part 164
Administrative practice and
procedure, Computer technology,
Electronic information system,
Electronic transactions, Employer
benefit plan, Health, Health care, Health
facilities, Health insurance, Health
records, Hospitals, Medicaid, Medical
research, Medicare, Privacy, Reporting
and recordkeeping requirements,
Security.
For the reasons set forth in the
preamble, the Centers for Medicare &
Medicaid Services amends 42 CFR part
493 as set forth below:
PART 493—LABORATORY
REQUIREMENTS
■ 1. The authority citation for part 493
continues to read as follows:
Authority: Section 353 of the Public Health
Service Act, secs. 1102, 1861(e), the sentence
following sections 1861(s)(11) through
1861(16) of the Social Security Act (42 U.S.C.
263a, 1302, 1395x(e), the sentence following
1395x(s)(11) through 1395x(s)(16)).
Subpart K—Quality System for
Nonwaived Testing
■ 2. Section 493.1291 is amended by—
■ A. Revising paragraph (f).
■ B. Adding a new paragraph (l).
The revision and addition read as
follows:
§ 493.1291 Standard: Test report.
* * * * *
(f) Except as provided in
§ 493.1291(l), test results must be
released only to authorized persons and,
if applicable, the persons responsible for
using the test results and the laboratory
that initially requested the test.
* * * * *
(l) Upon request by a patient (or the
patient’s personal representative), the
laboratory may provide patients, their
personal representatives, and those
persons specified under 45 CFR
164.524(c)(3)(ii), as applicable, with
access to completed test reports that,
using the laboratory’s authentication
process, can be identified as belonging
to that patient.
For the reasons set forth in the
preamble, the Department of Health and
Human Services amends 45 CFR
Subtitle A, Subchapter C, part 164, as
set forth below;
PART 164—SECURITY AND PRIVACY
■ 1. The authority citation for part 164
continues to read as follows:
Authority: 42 U.S.C. 1302(a); 42 U.S.C.
1320d–1320d–9; sec. 264, Pub. L. 104–191,
110 Stat. 2033–2034 (42 U.S.C. 1320d–
2(note)); and secs. 13400–13424, Pub. L. 111–
5, 123 Stat. 258–279.
■ 2. Section 164.524 is amended by
revising paragraphs (a)(1)(i) and (ii) and
removing paragraph (a)(1)(iii) to read as
follows:
§ 164.524 Access of individuals to
protected health information.
(a) * * *
(1) * * *
(i) Psychotherapy notes; and
(ii) Information compiled in
reasonable anticipation of, or for use in,
a civil, criminal, or administrative
action or proceeding.
* * * * *
Dated: August 16, 2013.
Thomas R. Frieden,
Director, Centers for Disease Control and
Prevention, Administrator, Agency for Toxic
Substances and Disease Registry.
Dated: August 19, 2013.
Marilyn Tavenner,
Administrator, Centers for Medicare &
Medicaid Services.
Dated: August 19, 2013.
Leon Rodriguez,
Director, Office for Civil Rights.
Dated: August 27, 2013.
Kathleen Sebelius,
Secretary, Department of Health and Human
Services.
Editorial Note: This document was
received at the Office of the Federal Register
on January 30, 2014.
[FR Doc. 2014–02280 Filed 2–3–14; 11:15 am]
BILLING CODE 4120–01–P
[Federal Register Volume 79, Number 25 (Thursday, February 6, 2014)]
[Rules and Regulations]
[Pages 7289-7316]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2014-02280]
[[Page 7289]]
Vol. 79
Thursday,
No. 25
February 6, 2014
Part II
Department of Health and Human Services
-----------------------------------------------------------------------
Centers for Medicare & Medicaid Services
-----------------------------------------------------------------------
42 CFR Part 493
Office of the Secretary
-----------------------------------------------------------------------
45 CFR Part 164
CLIA Program and HIPAA Privacy Rule; Patients' Access to Test Reports;
Final Rule
[[Page 7290]]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Centers for Medicare & Medicaid Services
42 CFR Part 493
Office of the Secretary
45 CFR Part 164
[CMS-2319-F]
RIN 0938-AQ38
CLIA Program and HIPAA Privacy Rule; Patients' Access to Test
Reports
AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS; Centers
for Disease Control and Prevention (CDC), HHS; Office for Civil Rights
(OCR), HHS.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: This final rule amends the Clinical Laboratory Improvement
Amendments of 1988 (CLIA) regulations to specify that, upon the request
of a patient (or the patient's personal representative), laboratories
subject to CLIA may provide the patient, the patient's personal
representative, or a person designated by the patient, as applicable,
with copies of completed test reports that, using the laboratory's
authentication process, can be identified as belonging to that patient.
Subject to conforming amendments, the final rule retains the existing
provisions that require release of test reports only to authorized
persons and, if applicable, to the persons responsible for using the
test reports and to the laboratory that initially requested the test.
In addition, this final rule amends the Health Insurance Portability
and Accountability Act of 1996 (HIPAA) Privacy Rule to provide
individuals (or their personal representatives) with the right to
access test reports directly from laboratories subject to HIPAA (and to
direct that copies of those test reports be transmitted to persons or
entities designated by the individual) by removing the exceptions for
CLIA-certified laboratories and CLIA-exempt laboratories from the
provision that provides individuals with the right of access to their
protected health information. These changes to the CLIA regulations and
the HIPAA Privacy Rule provide individuals with a greater ability to
access their health information, empowering them to take a more active
role in managing their health and health care.
DATES: Effective Date: These regulations are effective on April 7,
2014.
HIPAA covered entities must comply with the applicable requirements
of this final rule by October 6, 2014.
FOR FURTHER INFORMATION CONTACT:
For CLIA regulations: Nancy Anderson, CDC, (404) 498-2280. Judith
Yost, CMS, (410) 786-3531.
For HIPAA Privacy Rule: Andra Wicks, OCR, (202) 205-2292.
SUPPLEMENTARY INFORMATION:
I. Background
A. CLIA Statute and Regulations
The Clinical Laboratory Improvement Amendments of 1988 (CLIA) and
the implementing regulations established nationwide quality standards
to ensure the accuracy, reliability and timeliness of clinical
laboratories' test results. The standards vary based on the complexity
of the laboratory test method; that is, the more complicated the test
method, the more stringent the requirements for the laboratory.
The CLIA regulations established three categories of testing based
on complexity level. In increasing order of complexity, these
categories are waived, moderate complexity (which includes the
subcategory of provider-performed microscopy (PPM)), and high
complexity. Laboratories must hold a CLIA certificate for the most
complex form of CLIA-regulated testing that they perform.
The CLIA regulations cover all phases of laboratory testing,
including the reporting of test results. The CLIA regulatory
limitations that govern to whom a laboratory may issue a test report
have become a point of concern. The requirements for a laboratory test
report are set forth in 42 CFR 493.1291.
Under the current CLIA regulations at Sec. 493.1291(f), a CLIA
laboratory may only disclose laboratory test results to three
categories of individuals or entities: The ``authorized person,'' the
person responsible for using the test results in the treatment context,
and the laboratory that initially requested the test. ``Authorized
person'' is defined in Sec. 493.2 as the individual authorized under
state law to order or receive test results, or both. In states that do
not allow individuals to access their own test results, the individuals
must receive their test results through their health care providers.
Title XIII of Division A and Title IV of Division B of the American
Recovery and Reinvestment Act of 2009 (The Recovery Act), which was
enacted on February 17, 2009, incorporated the Health Information
Technology for Economic and Clinical Health (HITECH) Act. The HITECH
Act created a Federal advisory committee known as the Health
Information Technology (HIT) Policy Committee. The HIT Policy Committee
has broad representation from major health care constituencies and
provides recommendations to the Department's Office of the National
Coordinator for Health Information Technology (ONC) on issues relating
to the implementation of an interoperable, nationwide health
information infrastructure. The HIT Policy Committee has sought to
identify barriers to the adoption and use of health information
technology. According to the HIT Policy Committee, some stakeholders
perceive the CLIA regulations as imposing barriers to the exchange of
health information. These stakeholders include large and medium sized
laboratories, public health laboratories, electronic health record
(EHR) system vendors, health policy experts, health information
exchange organizations (HIOs), and health care providers who believe
that the individual's access to his or her own records is impeded,
preventing patients from having a more active role in their personal
health care decisions.
We believe these concerns, as well as the advent of certain health
reform concepts (for example, personalized medicine, an individual's
active involvement in his or her own health care, and the Department's
work toward the widespread adoption of EHRs), call for revisiting
barriers or challenges to individuals' gaining access to their health
information.
The Centers for Medicare & Medicaid Services (CMS) worked with ONC,
the Centers for Disease Control and Prevention (CDC), and the Office
for Civil Rights (OCR) to propose changes to the CLIA regulations and
to the Health Insurance Portability and Accountability Act of 1996
(HIPAA) Privacy Rule to remove barriers to an individual's direct
access to his or her own test reports from laboratories. See CLIA
Program and HIPAA Privacy Rule; Patients' Access to Test Reports, 76
Fed. Reg. 56712, September 14, 2011. The Department believes that this
right is crucial to provide individuals with vital information to
empower them to better manage their health and take action to prevent
and control disease. In addition, removing barriers in this area
supports the commitments and goals of the Secretary of the Department
of Health and Human Services (the Department) and the Administrator of
CMS regarding personalized medicine, an individual's active involvement
in his or her own health care, and the widespread adoption of EHRs by
2014.
[[Page 7291]]
B. HIPAA Statute and Privacy Rule
The Health Insurance Portability and Accountability Act of 1996,
Title II, subtitle F--Administrative Simplification, Public Law 104-
191, 110 Stat., 2021, provided for the establishment of national
standards to protect the privacy and security of certain individually
identifiable health information. The Administrative Simplification
provisions of HIPAA and their implementing regulations apply to three
types of entities, which are known as ``covered entities'': Health care
providers who conduct covered health care transactions electronically,
health plans, and health care clearinghouses.
A laboratory, as a health care provider, is only a covered entity
if it conducts one or more covered transactions electronically, such as
transmitting health care claims or equivalent encounter information to
a health plan, requesting prior authorization from a health plan for a
health care item or service it wishes to provide to an individual with
coverage under the plan, or sending an eligibility inquiry to a health
plan to confirm an individual's coverage under that plan.
If a laboratory does not conduct any of these or the other HIPAA
standard transactions electronically (either because it does not
conduct the transactions at all or because it does so via paper), then
the laboratory is not subject to the HIPAA Privacy Rule (45 CFR Part
160 and Part 164, subparts A and E). Any laboratory that conducts a
single electronic transaction for which there is a HIPAA standard under
the HIPAA Transactions and Code Sets Rule becomes a covered entity and
is subject to the Privacy Rule with respect to all protected health
information that it creates or maintains (that is, the application of
the Privacy Rule is not limited to the individuals or records
associated with an electronic transaction). This final rule does not
alter the requirements for what makes a laboratory a HIPAA covered
entity.
The Privacy Rule at Sec. 164.524 provides individuals with a
general right of access to inspect and obtain a copy of protected
health information about the individual in a designated record set
maintained by or for a covered entity. A ``designated record set'' is
defined at 45 CFR Sec. 164.501 as a group of records maintained by or
for a covered entity that is comprised of: The medical records and
billing records about individuals maintained by or for a covered health
care provider; the enrollment, payment, claims adjudication, and case
or medical management record systems maintained by or for a health
plan; or other records that are used, in whole or in part, by or for
the covered entity to make decisions about individuals.
The term ``record'' means ``any item, collection, or grouping of
information that includes protected health information and is
maintained, collected, used or disseminated by or for a covered
entity.'' Laboratory test reports that are maintained by or for a
laboratory that is a covered entity are part of a designated record
set.
The HIPAA Privacy Rule requires a HIPAA covered entity to provide
the individual with a copy of the information in his or her designated
record set in the form and format requested by the individual, if a
copy in that form and format is readily producible. Where the
information in the designated record set is maintained electronically,
and the individual requests an electronic copy of the information, the
covered entity must provide the individual with access to the
information in the requested electronic form and format, if it is
readily producible in that form and format. When it is not readily
producible in the electronic form and format requested, then the
covered entity must provide the copy in an alternative readable
electronic format as agreed to by the covered entity and the individual
(see Sec. 164.524(c)(2)(ii)).
The right of access under Sec. 164.524 extends not only to
individuals, but also to individuals' personal representatives, who
generally are persons authorized under applicable law to make health
care decisions for the individual. The rules governing who may act as a
personal representative under the Privacy Rule are set forth at Sec.
164.502(g). Additionally, under Sec. 164.524(c)(3)(ii), if requested
by an individual who is exercising his or her right of access, a
covered entity must transmit the copy of protected health information
directly to another person or entity designated by the individual.
However, while individuals (and personal representatives) generally
have the right to inspect and obtain a copy of their protected health
information in a designated record set, the current Privacy Rule
includes a set of exceptions related to CLIA. Specifically, the right
of access under Sec. 164.524 of the Privacy Rule does not apply to:
Protected health information maintained by a covered entity that is--
(1) subject to CLIA to the extent the provision of access to the
individual would be prohibited by law; or (2) exempt from CLIA. These
exceptions, found at Sec. 164.524(a)(1)(iii)(A) and (B) of the Privacy
Rule, cover test reports and other protected health information only at
CLIA and CLIA-exempt laboratories. The individual has a right to access
this information when held by any other type of covered entity (for
example, a hospital or treating physician).
These exceptions were included in the Privacy Rule because the
Department wanted to avoid a conflict with the CLIA regulatory
requirements that limited patient access to test reports (65 FR 82485,
December 28, 2000). However, because CMS proposed to amend the CLIA
regulations to allow CLIA-certified laboratories to provide patients
with direct access to their test reports, the Department simultaneously
proposed to remove the exceptions for CLIA and CLIA-exempt laboratories
from the right of access at Sec. 164.524 so that HIPAA-covered
laboratories would be required by HIPAA to provide individuals, upon
request, with access to their completed test reports.
II. Summary of the Proposed Changes to the CLIA Regulations (Sec.
493.1291)
On September 14, 2011, we published a proposed rule in the Federal
Register entitled, ``Patients' Access to Test Reports'' (76 FR 56712)
that, if finalized, would amend Sec. 493.1291 of the CLIA regulations.
Specifically, we proposed to add at 42 CFR 493.1291(l) to specify that,
upon a patient's request (or upon the request of the patient's personal
representative), the laboratory may provide a patient with access to
his or her completed test reports that, using the laboratory's
authentication processes, can be identified as belonging to that
patient. While we proposed to use the word ``may,'' we highlighted the
importance of reading the proposed amendments to the CLIA regulations
in concert with the proposed changes to the HIPAA Privacy Rule
(discussed below), which would require covered entity laboratories to
provide patients with access to test reports. We did not propose to
specify in the CLIA regulations the mechanism by which patient requests
for access would be submitted, processed, or responded to by the
laboratories. In providing this latitude, we intended to allow patients
and their personal representatives access to patient test reports in
accordance with the requirements of the HIPAA Privacy Rule. Subject to
conforming amendments, we proposed to retain the existing requirements
at Sec. 493.1291(f) that otherwise limit the release of test reports
to authorized persons and, if applicable, the individuals (or their
personal representatives) responsible for using
[[Page 7292]]
the test reports and the laboratory that initially requested the test.
III. Summary of the Proposed Changes to the HIPAA Privacy Rule (Sec.
164.524)
The Department also proposed to amend the HIPAA Privacy Rule at 45
CFR 164.524(a)(1)(iii)(A) and (B) to remove the exceptions to an
individual's right of access that relate to CLIA and CLIA-exempt
laboratories to align the Privacy Rule with CMS' proposed changes to
the CLIA regulations and the Department's goal of improving
individuals' access to their health information.
Under the proposal, HIPAA covered entities that are laboratories
subject to CLIA, as well as those that are exempt from CLIA, would have
the same obligations as other types of covered health care providers
with respect to providing individuals (or their personal
representatives) with access to their protected health information in
accordance with Sec. 164.524.
Consistent with the proposed change to the CLIA regulatory
requirements, which would allow a laboratory to provide patients and
their personal representatives with direct access to completed test
reports when the laboratory can authenticate that the test report
pertains to the patient, we also clarified that CLIA and CLIA-exempt
laboratories that are HIPAA covered entities would have to satisfy the
verification requirement of Sec. 164.514(h) of the Privacy Rule before
providing an individual with access. We recognized that a laboratory
could receive a test order with only an anonymous identifier and be
unable to identify the individual who is the subject of the test
report. We noted that it was not our intent to discourage anonymous
testing. As we discussed in the proposed rule, a laboratory that
received a request for access from an individual where the laboratory
could not authenticate that the requesting individual is the subject of
a test report would be under no obligation to provide access.
The proposed rule also explained that the changes to the HIPAA
Privacy Rule would result in the preemption of a number of state laws
that prohibit a laboratory from releasing a test report directly to the
individual or that prohibit the release without the ordering provider's
consent because the state laws now would be contrary to the access
provision of the HIPAA Privacy Rule mandating direct access by the
individual.
Finally, we explained that it was our intent that HIPAA-covered
laboratories would be required to comply with the revised individual
access requirements of the Privacy Rule by no later than 180 days after
the effective date of any final rule. The effective date of the final
rule would be 60 days after publication in the Federal Register, so
laboratories subject to HIPAA would have a total of 240 days after
publication of the final rule to come into compliance.
IV. Provisions of the Final Regulations
This final rule adopts the proposed changes to both the CLIA
regulations and the HIPAA Privacy Rule, with minor clarifications and
conforming changes, which are explained below in the relevant responses
to comments. These modifications broaden individuals' rights to access
their protected health information directly from laboratories subject
to HIPAA. In addition, the changes remove federal barriers to direct
access for laboratories not subject to HIPAA. With respect to the CLIA
regulations, this final rule allows laboratories subject to CLIA, upon
the request of a patient (or the patient's personal representative) to
provide access to completed test reports that, using the laboratory's
authentication process, can be identified as belonging to that patient.
The final rule also clarifies that laboratories subject to CLIA may
provide a copy of the patient's test reports to a person or entity
designated by the patient to receive such reports in accordance with
the HIPAA Privacy Rule at Sec. 164.524(c)(3)(ii). Subject to certain
conforming amendments, this final rule retains the CLIA regulatory
provision that requires the release of test reports only to authorized
persons, to the persons responsible for using the test reports, and to
the laboratory that initially requested the test. These CLIA regulatory
modifications take effect 60 days after publication of this final rule
in the Federal Register.
With respect to the Privacy Rule, the final rule removes the
exceptions to an individual's right of access at Sec.
164.524(a)(1)(iii) related to CLIA and CLIA-exempt laboratories. Thus,
as of the compliance date of this final rule, HIPAA-covered
laboratories will be required to provide an individual (or the
individual's personal representative) with access, upon request, to the
individual's completed test reports (and other information maintained
in a designated record set) in accordance with the provisions of Sec.
164.524 of the Privacy Rule. The compliance date of this rule is
October 6, 2014.
The Department's rationale for adopting the proposed provisions in
this final rule, along with further clarifications and interpretations
of the provisions, is explained below in the responses to the public
comments.
V. Analysis of and Responses to Public Comments
In response to the September 2011 proposed rule, we received over
160 timely public comments on various issues related to the rule.
Interested parties that submitted comments included health care
consumers and patient advocacy organizations; laboratories, hospitals,
and other health care providers and their associations; information
technology organizations; governmental organizations, and others. We
have analyzed these comments and determined that it is appropriate to
finalize the provisions as set forth in the proposed rule. The comments
we received on these provisions and our responses are set forth below.
A. Right of Direct Access to Laboratory Test Reports
Comment: A number of providers and laboratories expressed concerns
about giving individuals a way to receive laboratory test reports
without the benefit of provider interpretation and without contextual
knowledge that may be necessary to properly read and understand the
reports. For example, commenters expressed concern that patients might
receive and act upon results that appear to be abnormal (showing false
positives or false negatives, or results that are out of the normal
range for the general population) but may be normal for that particular
patient due to his or her medical conditions. Commenters also requested
that the Department clarify that the laboratories themselves would not
be required to interpret test reports for individuals.
Other commenters stated that the proposed rule was redundant, and
would add significant burden without a commensurate benefit to
individuals, as existing HIPAA and HITECH Act (Sec. 13405(e)) laws
already provide individuals with a comprehensive right to access their
protected health information, including test reports, through their
physicians. Further, some commenters stated that the Medicare and
Medicaid Electronic Health Record (EHR) Incentive Programs,\1\ which
include criteria to ensure that certain laboratory test reports become
standardized elements in a certified EHR, are a better mechanism than
the proposed rule to ensure more timely access to all health
information. The
[[Page 7293]]
commenters also stated that the information provided to individuals
through the Medicare and Medicaid EHR Incentive Programs' requirements
will be in a more consistent, more user-friendly, and more
interoperable format than that obtained directly from a laboratory.
Furthermore, commenters stated that many providers have already
invested significant dollars and resources in secure patient portals to
provide for individual access to health information directly from these
providers.
---------------------------------------------------------------------------
\1\ See https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/.
---------------------------------------------------------------------------
In contrast, other commenters, including certain laboratories,
consumers, and consumer advocates, generally supported expanding an
individual's right of access to include receiving test reports directly
from laboratories. These commenters stated that providing individuals
with the ability to access their laboratory test reports directly from
laboratories would provide individuals with an increased ability to
play a more active role in their health care and have more informed
conversations with their health care providers, resulting in better
health outcomes. Some commenters also thought that the proposals would
remove barriers to the electronic exchange of individually identifiable
health information.
Further, in response to concerns regarding instances in which
patients might misunderstand or become distressed over the results of
laboratory tests due to the lack of treating provider interpretation or
counseling, some commenters stated that they would not anticipate that
many patients will request direct access to any test reports that they
do not feel prepared to review on their own. Rather, the commenters
indicated that the proposals would encourage doctors to more
proactively discuss the range of possible results and the consequences
of each before tests are ordered. One laboratory noted that, in its
experience, many patients do not request access to their test results
until they have spoken to a physician about them. Some commenters
challenged what they termed to be a ``paternalistic'' notion that
patients are unable to understand their health data without physician
explanation. These commenters stated that if patients want additional
information from, or consultation with, their physicians, they will
follow up with their physicians directly.
Response: We appreciate all of the comments that we received with
regard to the right of individuals to access their laboratory test
reports directly from laboratories. We agree with those commenters who
stated that the rule is necessary to ensure patients have better and
more complete access to their health information, which will enable
patients to be more proactive and more informed with regard to their
health care. However, we disagree with those commenters who argued that
the rule would be redundant. While individuals do have a right of
access to their health information under the HIPAA Privacy Rule, there
may be circumstances when an ordering or treating provider is not
subject to the HIPAA Privacy Rule (for example, because the provider
does not bill health plans electronically) and, thus, is not required
to provide an individual with access to his or her health information.
Further, some studies have found that physician practices failed to
inform patients of abnormal test results about seven percent of the
time, resulting in a substantial number of patients not being informed
by their providers of clinically significant test results. See
Casalino LP, Dunham D, Chin MH, et al. Frequency of Failure To Inform
Patients of Clinically Significant Outpatient Test Results, Arch Intern
Med., June 22, 2009, 169 (12): 1123-1129. The rule strengthens
individuals' current ability to have access to completed test reports
by ensuring they are able to access them directly from HIPAA-covered
laboratories.
Finally, comments regarding the provision of access through the
mechanisms established by EHR Incentive Programs failed to recognize
the voluntary nature of the programs or the fact that the programs'
requirements do not pertain to laboratories.
Furthermore, the rule does not diminish the investment health care
providers have made to provide individuals with access to their health
information through patient portals, as those portals provide patients
with access to a much broader range of health information than just
test results. The rule provides an additional avenue for an individual
to obtain test reports directly from laboratories, which we expect will
reduce the chances of patients not being informed of laboratory test
results and potentially reduce the numbers of patients who fail to seek
appropriate care. We also agree with commenters that increased patient
access to laboratory test reports, which can then be shared with the
patient's other providers, will help reduce unnecessary and duplicative
testing.
With respect to those comments concerned about patients receiving
test reports without the benefit of provider interpretation, we
emphasize that this rule does not alter the role of the ordering or
treating provider in reporting and explaining test results to patients.
We expect that patients will continue to obtain test results, and advice
about what those test results mean, through their ordering or treating
providers. Further, as noted above, for those individuals who do or
will request access to test reports from a laboratory, it was the
experience of one large laboratory that many patients do not request
access to their test reports from a laboratory until they have spoken
with their physicians. We expect this trend to continue to generally be
the case. We also agree with commenters that the rule will further
encourage ordering and treating providers to more proactively discuss
with patients the range of possible test results and what the results
may mean for the particular patient before or at the time the test is
ordered.
Further, under the HIPAA Privacy Rule, in most cases, laboratories
will be required to provide individuals with access to their laboratory
test reports within 30 days of the request (see Sec.
164.524(b)(2)(i)). As discussed more fully below, in cases where an
individual requests access to completed test reports, we believe 30
days will generally be sufficient to allow the ordering or treating
provider to receive the test report in advance of the patient's receipt
of the report, and to communicate the result to the patient, and
counsel the patient as necessary with regard to the result.
Finally, we clarify that this final rule does not require that
laboratories interpret test results for patients. Patients merely have
the right to inspect and receive a copy of their completed test reports
and other individually identifiable health information maintained in a
designated record set by a HIPAA-covered laboratory. Laboratories may
continue to refer patients with questions about the test results back
to their ordering or treating providers.
Comment: Some commenters indicated they would support changes to
the regulations, which would permit, but not require, laboratories to
provide individuals with access to their completed test reports. One
commenter stated that the proposed rule was unclear as to whether
laboratories will have the discretion to provide access, or whether
they will be required to provide access, to individuals who request
their test reports. Other commenters were concerned about the
differential application of the rule to HIPAA-covered versus non-HIPAA-
covered laboratories, stating that this construct will create confusion
and frustration among patients who may expect to be able to access
their test reports from any
[[Page 7294]]
laboratory and who may not understand the distinction among
laboratories based on HIPAA covered entity status.
Response: Laboratories that are HIPAA covered entities are required
by this final rule to provide, upon request by an individual or the
individual's personal representative, access to the protected health
information about the individual maintained in a designated record set
in accordance with the HIPAA Privacy Rule at Sec. 164.524. CLIA
laboratories that are not subject to HIPAA will have discretion to
provide patients with direct access to their laboratory test reports,
subject to any applicable state laws that may constrain access.
We do not believe it is appropriate to only permit rather than
require HIPAA-covered laboratories to provide individuals with access
to their test reports. This may not significantly expand individuals'
ability to access their health information, as some laboratories not
currently providing individuals with direct access to their test
reports might choose not to begin providing direct access. Further, in
a number of states, state law prohibits laboratories from providing
individuals with direct access to their test reports. If the HIPAA
Privacy Rule merely permitted access, it would not preempt those state
laws that prohibit direct access, because a permissive federal
requirement is not contrary to a prohibitive state law (see Sec.
160.202). As of the effective date of this final rule, the CLIA
regulations will expressly permit the disclosure of test reports to the
individual. The change in the HIPAA Privacy Rule, combined with the
change to the CLIA regulations, will result in HIPAA-covered
laboratories being required to disclose test reports to
patients, in most cases, within 30 days of a request.
Comment: A few commenters stated that the rule should only apply to
the primary laboratory to which the specimen was submitted, as opposed
to reference laboratories that may perform some or all of the testing.
These commenters stated that reference laboratories have no
relationship with the individual and have either limited or inadequate
information about the individual to enable the laboratory to provide
individuals with access. A few commenters indicated that, while
applying the rule to hospital laboratories with respect to the test
reports of the hospital's own patients may not be a significant
challenge, applying the rule to hospital laboratories in their role as
reference laboratories for other providers, such as community
physicians and other laboratories, would raise significant operational
challenges.
In contrast, one laboratory commenter recommended that no
laboratories be exempt from the individual access requirements,
stressing the importance of uniform application of the rule and a
patient's ability to access his or her test report from whatever
laboratory performed the test.
Response: We appreciate the commenters' concerns regarding
laboratory contact with individuals; however, we do not agree that
limited information about the individual who is the subject of a test
report is a sufficient reason to exempt reference laboratories from the
access requirements of the HIPAA Privacy Rule. We believe applying the
access requirements as broadly and uniformly as possible best furthers
the Department's goal of increasing direct individual access rights to
health information. To the extent that reference laboratories are
covered entities under HIPAA, they will be required, upon the
compliance date of this rule, to provide individuals with access to
test reports in compliance with Sec. 164.524 of the Privacy Rule.
Reference laboratories that are not subject to HIPAA will not be under
any federal obligation to provide access, but they will be permitted to
do so under Federal law. However, we expect that, in most cases,
individuals will continue to request access to their health information
either from their treating provider, or from the referring
laboratories. This expectation is based on our understanding that many,
if not most, individuals will not be aware of the identity of the
reference laboratory, or may not know that a reference laboratory is
conducting all or part of the ordered tests. Therefore, we do not
expect reference laboratories to encounter many individual requests for
access. Furthermore, in the limited circumstances where a patient may
request access to test reports from a laboratory acting as a reference
laboratory with respect to that patient, the reference laboratory need
only provide the individual with the requested access to the extent the
laboratory can authenticate the test report as belonging to that
patient. The same applies for hospital laboratories that also act as
reference laboratories. Finally, we do not believe that there will be
significant operational issues for hospital laboratories as hospitals
already have policies and procedures in place to comply with the
existing HIPAA Privacy Rule access provisions and the hospital
laboratories can use these policies and procedures for purposes of this
rule.
B. Scope of Information to Which an Individual Has Access
Comment: A number of commenters indicated that the rule should
apply only to tests administered after the final rule is published or
becomes effective. These commenters expressed concern with laboratories
having to retrieve copies of old test reports that have been archived
and may exist offsite. For example, commenters stated that many
laboratories have archived test reports that exist on paper or on
backup tapes, and that it would be costly and burdensome to retrieve
and transfer the archived test reports to other suitable media to
transmit to an individual.
A few commenters asked that the rule not require laboratories to
provide test reports that have been kept beyond the retention date(s)
required in the CLIA regulations. One commenter indicated that the rule
should specify a timeframe after a test report is first generated
beyond which an individual would not have a right to access the test
report directly from the laboratory.
Response: While we appreciate the commenters' concerns, as with any
other HIPAA covered entity, under this final rule, an individual has a
right to access information about the individual in one or more
designated record sets maintained by a HIPAA-covered laboratory, for as
long as the information is maintained by the laboratory (see Sec.
164.524(a)(1)). This right extends to test reports and other
information about the individual in a designated record set maintained
offsite, archived, or created before the publication or effective date
of this final rule. We do not agree that information created before the
effective date of this final rule should be exempt from the access
requirement. The reasons for granting individuals access to health
information pertaining to them do not vary with the date the
information was created. In cases where retrieving records that have
been archived may take longer than 30 days from the individual's
request, a covered laboratory may request one 30-day extension, if it
provides the reason for the delay in writing to the requesting
individual. See the Privacy Rule requirements for timely action on
access requests at Sec. 164.524(b)(2).
We also clarify that this final rule does not impose any new record
retention requirements for laboratory test reports. These obligations
are established under CLIA and other applicable Federal and state laws.
See, for example, 42 CFR Sec. 493.1105. Rather, it provides an
individual with a right to access protected health information in the
designated record set of a HIPAA-
[[Page 7295]]
covered laboratory for as long as the laboratory maintains the
information (even in those cases where the information is maintained
beyond applicable record retention requirements).
Comment: Some commenters supported the language in the proposed
rule at Sec. 493.1291(l) that limited patients' access to
``completed'' test reports. Other commenters felt that additional
guidance was needed as to what information qualified as a ``completed''
test report. For example, one commenter asked whether a test report is
considered ``completed'' (and subject to the right of access) each time
a component of a multi-step test is completed or only when all aspects
of the ordered test are completed and recorded in a finalized report
that is ready for issuance. The commenter also asked, in circumstances
where a single order involves a test to be performed multiple times
over a period of time, whether the report is considered complete each
time the test is performed or only after the entire series of tests is
performed. This commenter suggested that the test report should be
considered ``complete,'' and subject to the right of access, only when
all of the test results are final.
Response: Under the HIPAA Privacy Rule at Sec. 164.524(a)(1), an
individual has a general right to access the protected health
information about the individual in a designated record set maintained
by a covered entity or its business associate. As described above,
laboratory test reports maintained by or for a laboratory that is a
HIPAA covered entity fall within the definition of ``designated record
set.'' However, test reports may be only part of a designated record
set that a HIPAA-covered laboratory holds. To the extent an individual
requests access to all of his or her protected health information, a
HIPAA-covered laboratory is required to provide access to all of the
protected health information in the entire designated record set. This
could include, for example, completed test reports, test orders,
ordering provider information, billing information, and insurance
information.
While an individual may have a right to all of this information, we
do not expect that many individuals will request access to all of the
protected health information about the individual that the laboratory
may hold in a designated record set. Rather, we expect that most
individuals will request access to test reports of discrete laboratory
tests that they know were ordered by their providers. In these cases,
the Privacy Rule requires a HIPAA-covered laboratory to provide the
individual with a copy of or access to only the specific information
requested by the individual.
Further, a HIPAA-covered laboratory is required to provide an
individual with access only to that information that it actually
maintains about the individual in a designated record set at the time
the request for access is fulfilled. For purposes of this final rule,
we clarify that we do not consider test reports to be part of the
designated record set until they are ``complete.'' To maintain
consistency with CLIA, we consider a test report to be complete when
all results associated with an ordered test are finalized and ready for
release.
If an individual requests access to a particular test report, we
expect that the HIPAA Privacy Rule's time allowance of 30 days from the
request to provide access will be sufficient in most cases to provide
the individual with access to the completed test report as we expect
many requests for access will be made days after the order has been
placed by the physician or even after the patient has discussed a
particular result with his or her physician. In those limited cases
where 30 days may not be sufficient to complete the test report, due to
the nature of the tests to be performed, and the laboratory knows this
at the time the individual requests access, we expect a covered entity
laboratory to explain this circumstance to the individual. Upon
informing individuals when they request access that the test report
they are seeking will take longer than 30 days to complete, the
individuals are likely to be willing to withdraw or hold their request
until a later time to ensure that they get access to what they want or
need. If an individual chooses not to withdraw his or her request for
access, the individual will then have a right only to obtain the
protected health information in the designated record set at the time
the request is fulfilled, which may not include a particular test
report because it is not yet complete. If a laboratory determines,
after it has accepted a request, that the requested test will take more
than 30 days to analyze and complete, it may notify the individual in
writing within the initial 30-day period of the need and specific
reason for the delay in providing access to the completed test result
and the date by which the laboratory will complete its action on the
request, in accordance with Sec. 164.524(b)(2)(iii) of the HIPAA
Privacy Rule. We note, however, that the HIPAA Privacy Rule allows only
one extension on an access request. In the rare circumstance where 60
days is not sufficient to provide the individual with access to a
completed test report, the covered laboratory must provide the
individual with only the existing protected health information that is
part of the designated record set within that time (for example, other
completed test reports or test requisitions), which would then not
include the test report requested by the individual, because the test
report is not yet complete.
In general, we expect the initial 30-day period allowed by the
Privacy Rule to provide sufficient time to provide individuals with
access to completed test reports. However, we acknowledge there may be
rare circumstances when it would not be, and we expect covered
laboratories to communicate and work with individuals concerning these
limitations.
Comment: Some providers and laboratories objected to individuals
having direct access to laboratory test reports they characterize as
``sensitive,'' including genetic, cancer, pregnancy, sexually-
transmitted disease, and mental health test results. Commenters stated
there are tests for which it is acceptable to release results to the
patient without physician involvement (for example, cholesterol test
results) and there are tests for which it is not (for example, cancer
or HIV test results). One commenter stated, for example, that under
California law, before the disclosure of HIV test results, the
physician has a duty to discuss what the results may mean and offer the
patient appropriate education and psychological counseling. Some
commenters recommended giving ordering and treating providers ample
discretion to determine when it is in the patient's best interest to
receive test reports without the benefit of a physician's
interpretation. Others recommended that laboratories be permitted to
identify tests or categories of tests that may only be released to the
physician and to limit an individual's direct access to the reports.
In contrast, some commenters stated that all test reports should be
treated equally, providing several reasons, including: Patients today
are much better informed and have access to interpretative information
on laboratory results from many sources, including the internet; given
the timeframes allowed for providing access under the HIPAA Privacy
Rule, it is likely that the ordering or treating provider will receive
results well before the patient and will have adequate time to discuss
the result and what it means in terms of the patient's health care with
the patient; and trying to identify which tests are sensitive is
subjective and not
[[Page 7296]]
necessarily in the best interest of the patient.
Response: Under the HIPAA Privacy Rule, an individual generally has
a broad right of access to any or all of his or her health information
maintained in a designated record set. In this final rule, we extend
that broad right to the laboratory setting. With a very limited
exception, covered entities may not deny an individual access to his or
her health information based on the information's sensitive nature or
potential for causing distress to the individual. The limited exception
is for cases where a licensed health care professional has determined,
in the exercise of professional judgment, that the access requested is
reasonably likely to endanger the life or physical safety of the
individual or another person, and the individual is provided a right to
have the denial of access reviewed by an unaffiliated health care
professional (see Sec. 164.524(a)(3)(i)).
As we discuss elsewhere in this final rule, we do not believe that
this rule will eliminate or interfere with the role or obligation of
the treating or ordering provider to report and counsel patients on
laboratory test results. The rule provides ample time to ensure
providers receive sensitive test reports before the patient and to
allow providers to counsel individuals on the test reports. In
addition, as indicated above, we believe the rule will further
encourage providers, at the time the test is ordered, to counsel
patients on the potential outcomes of a test and what they may mean for
the patient, given his or her medical history.
Finally, we agree with commenters who stated that categorizing
laboratory testing into ``sensitive'' and ``non-sensitive'' categories
would be a subjective endeavor that would not necessarily result in
policies that are in the patient's best interest. This endeavor also
would result in a lack of uniformity across states and laboratories
with respect to the types of information to which an individual has
access under the rule. This outcome would be too complex and burdensome
for laboratories to administer and confusing for individuals attempting
to exercise their rights.
Comment: A few commenters, while in general support of the proposed
rule, raised specific concerns about providing laboratory test reports
directly to certain mental health patients (for example, those who may
be suffering from medical conditions such as paranoia). These
commenters were concerned that direct access to laboratory test reports
without any involvement of the treatment team could have a very
negative impact on the mental health of these patients. Some commenters
asked that the current provision in the HIPAA Privacy Rule allowing the
denial of access to protected health information when the access is
reasonably likely to endanger the life or physical safety of the
individual or another person also apply to access made available under
this final rule. They suggested that this would allow providers to
determine when prior provider review and approval would be required
before the release of given laboratory test reports to mentally ill
patients.
Response: We believe the existing exceptions to access in the
Privacy Rule appropriately balance an individual's right to access his
or her health information with other considerations, such as the
potential for harm. Therefore, we decline to provide a specific
exception to the right of access for mental health patients. A
laboratory is subject to the same requirements under the HIPAA Privacy
Rule as other covered entities to generally provide all individuals
with access to their health information. As previously discussed, we
believe the 30-day timeframe (plus one 30-day extension) provides
laboratories with sufficient time to ensure treating or ordering
physicians receive test reports before the patient's receipt of the
test report, which will allow them to counsel the patient with respect
to the test result.
As noted above, the HIPAA Privacy Rule at Sec. 164.524(a)(3)(i)
provides that a covered entity may deny access to an individual if a
``licensed health care professional'' has determined, in the exercise
of professional judgment, that the access requested by the individual
is reasonably likely to endanger the life or physical safety of the
individual or another person. However, this is a limited exception to
an individual's right of access and applies only with respect to
endangerment of the life or physical safety of the individual or
another person; thus, concerns about psychological or emotional harm
are not sufficient to justify denial of access. Furthermore, a HIPAA-
covered laboratory that wishes to deny access to the individual based
on a determination by a licensed health care professional must provide
the individual with an opportunity to have the denial reviewed by a
licensed health care professional who is designated by the laboratory
to act as a reviewing official and who did not participate in the
original decision to deny. The HIPAA-covered laboratory must promptly
refer a request for review to the reviewing official, who must
determine, within a reasonable amount of time, whether or not to deny
the access requested. See Sec. 164.524(d). The laboratory would then
be required to provide or deny access in accordance with the
determination of the reviewing official (see Sec. 164.524(a)(4)).
Comment: Two commenters requested clarification on whether the
expanded right of individual access would apply to food or
environmental test reports maintained by a laboratory, that are the
result, for example, of testing done after an outbreak of disease, and
that may be linked to particular patients. A public health laboratory
requested clarification on how this rule applies to public health
surveillance or outbreak test reports. One commenter requested
clarification as to whether individuals would have a right to
employment-related test results, such as testing for drug and alcohol
use. Finally, another commenter asked that patient access to laboratory
results be expanded to include the results of radiologic assessments.
Response: This final rule is intended to remove barriers in the
HIPAA Privacy and CLIA regulations to individual access to test reports
maintained by laboratories subject to or exempt from CLIA. If the
samples tested are not of the human body, the entity conducting the
testing is not subject to CLIA for purposes of that testing or those
test results. Furthermore, if the testing is not for the purpose of
providing information for the diagnosis, prevention, or treatment of
any disease or impairment of, or the assessment of the health of human
beings, that testing and those test results are also not subject to
CLIA. Some outbreak and surveillance activities may involve testing
samples from humans and thus be subject to CLIA if individual patient-
specific test results are reported to ordering providers. However, CLIA
does not apply to test results that are only used for epidemiological
studies or reported in the aggregate without patient identifiers.
As for employment-related testing, the CLIA regulations are not
applicable to an employer or entity that performs substance abuse
testing strictly for the purpose of employment screening where test
results are merely used to determine compliance with conditions of
employment, as opposed to counseling or some other form of treatment.
Substance abuse testing as part of a treatment program is covered by
CLIA.
Even if CLIA does not apply to the conduct of certain types of
laboratory tests, HIPAA may still apply to require access to certain
test reports to the extent the laboratory is a HIPAA covered entity and
the information to
[[Page 7297]]
which an individual is requesting access is protected health
information under HIPAA. Individuals have a right to access test
reports in designated record sets held by or for HIPAA-covered
laboratories that constitute protected health information under the
HIPAA Privacy Rule--that is, those reports that relate to the past,
present, or future physical or mental health or condition of an
individual or the provision of health care to an individual (which
would include testing for the presence of alcohol or drugs) and that
identify the individual, or with respect to which there is a reasonable
basis to believe that information in the test report can be used to
identify the individual. See the definitions of ``individually
identifiable health information'' and ``protected health information''
at Sec. 160.103. Food, environmental, or other test reports that do
not identify or relate to an individual are not protected health
information for purposes of the HIPAA Privacy Rule.
Although the CLIA regulations do not cover radiologic testing or
assessments, these tests and assessments have always been subject to an
individual's right of access under the HIPAA Privacy Rule to the extent
they are maintained by a hospital or other HIPAA covered entity.
C. Access by Personal Representatives and Designated Third Parties
Comment: Several commenters raised concerns regarding access to an
individual's sensitive laboratory test reports, such as those
concerning reproductive health, by the individual's parents, spouse,
partner, or other persons, when the individual may not want these
persons to see the test report.
Response: We understand commenters' concerns and provide the
following guidance to HIPAA-covered laboratories regarding how the
Privacy Rule ensures that only persons with appropriate authority are
provided access. With respect to adult individuals, the only persons
that have a right to access an individual's test reports directly from
a HIPAA covered entity are those persons who qualify as a personal
representative of the individual. A personal representative for
purposes of the Privacy Rule generally is a person who has authority
under applicable law to make health care decisions for the individual
(see Sec. 164.502(g)). Before providing access to a person other than
the individual who is requesting access, a HIPAA-covered laboratory is
required under Sec. 164.514(h) of the Privacy Rule to verify both the
identity and authority of the person to have access to the individual's
protected health information. In order to conduct the required
verification, a covered laboratory may need to obtain documentation
that the person requesting access to the individual's protected health
information qualifies as the individual's personal representative, for
example, by having the person present a written health care power of
attorney, or a general power of attorney or durable power of attorney
that includes the power to make health care decisions, or other
evidence of the person's authority to act as a personal representative.
With respect to an unemancipated minor, in most cases, a parent is
the personal representative of the minor, because the parent usually
has the authority under state law to make health care decisions about
his or her minor child. However, there are limited exceptions in the
HIPAA Privacy Rule to the parent being a personal representative of his
or her minor child, which generally apply in circumstances where minors
are able to obtain specified health care services without parental
consent under state or other laws, or standards of professional
practice. Additional information on these circumstances is available at
https://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/personalreps.html.
Regardless, however, of whether a parent is the personal
representative of a minor child, the Privacy Rule defers to state or
other applicable laws that expressly address the ability of the parent
to obtain health information about the minor child. In doing so, the
Privacy Rule permits a covered entity to provide the parent with access
to a minor child's protected health information when and to the extent
it is permitted or required by state or other laws (including relevant
case law). Likewise, the Privacy Rule prohibits a covered entity from
providing a parent with access to a minor child's protected health
information, when and to the extent it is prohibited under state or
other laws (including relevant case law). If state or other applicable
law is silent concerning parental access to the minor's protected
health information, and a parent is not the personal representative of
a minor child based on one of the exceptional circumstances described
above, a covered entity has discretion to provide or deny the parent
access to the minor's health information, if doing so is consistent
with state or other applicable law, and provided the decision is made
by a licensed health care professional in the exercise of professional
judgment. For example, where a minor is able under state law to consent
and obtain treatment for a reproductive health care service that
involves laboratory testing, and the state law is otherwise silent on
parental access to a minor's protected health information, a testing
laboratory that has received a parent's request for access to this test
report of the minor child may wish to take into account any
instructions of the treating medical professional in determining
whether to grant or deny access to the parent of the minor.
In general, we expect personal representatives will continue to
obtain access to individuals' health information through the
individual's treating providers, with whom many personal
representatives will already have established a relationship and be
known to the provider. Therefore, we do not expect HIPAA-covered
laboratories will receive many requests from persons requesting access
as a personal representative of the individual.
With respect to laboratories that are not HIPAA covered entities,
the changes to the CLIA regulations in this final rule merely permit,
not require, the disclosure of completed test reports to an
individual's personal representative. Thus, laboratories not subject to
HIPAA should exercise their judgment in providing access to personal
representatives, while taking into account any other applicable federal
or state laws.
Comment: A few commenters asked how a laboratory should determine
whether a person requesting access to another individual's completed
test reports has the appropriate legal authority to act on behalf of
the individual, and, by virtue of that authority, is a personal
representative for the individual. Commenters indicated that the
laboratory test order from the ordering provider does not include this
information. These commenters also expressed concern about the costs to
determine whether a particular person had authority to access an
individual's laboratory test reports.
Response: As indicated above, a HIPAA-covered laboratory is
required to verify the identity and authority of any person requesting
access to laboratory test reports as a personal representative of an
individual. Depending on the circumstances, a HIPAA-covered laboratory
could verify a person's authority by asking for documentation of a
health care power of attorney, or general power or durable power of
attorney that includes the power to make health care decisions, proof
of legal guardianship, or, in the case of a parent, information that
establishes the relationship of the person to the minor
individual. A HIPAA-covered laboratory may also contact the treating
provider to inquire whether the treating provider can provide
documentation of the person's status as a personal representative of
the individual.
We address the costs that a HIPAA-covered laboratory may incur in
the verification process, in section VII below. We note here as we did
above, however, that we do not anticipate HIPAA-covered laboratories
will receive many requests from persons requesting access as a personal
representative of the individual. Thus, we do not expect HIPAA-covered
laboratories will incur significant costs for verification of such
persons. Several clinical laboratory commenters indicated that most
patients or personal representatives do not know what laboratory
conducted the laboratory tests. Based on these comments, we expect
personal representatives, like individuals themselves, generally will
continue to obtain access to the individuals' health information
through the individuals' treating providers, with whom many personal
representatives will already have established a relationship for the
purposes of obtaining access.
Comment: One commenter requested that the same requirements for
denying access to protected health information by a personal
representative in cases where access may cause substantial harm to the
individual (for example, in cases of spousal abuse) should also be
available when personal representatives request direct access to an
individual's test reports from laboratories.
Response: As described above, the Privacy Rule's access and
personal representative provisions apply in the same manner to HIPAA-
covered laboratories as to other types of covered entities. Section
164.524(a)(3)(iii) of the Privacy Rule permits a covered entity to deny
a personal representative access to an individual's protected health
information when a licensed health care professional has determined, in
the exercise of professional judgment, that providing access to the
personal representative is reasonably likely to cause substantial harm
to the individual or another person. Thus, a HIPAA-covered laboratory
may deny a personal representative access to an individual's protected
health information under this provision when the laboratory has
received and documented the requisite determination from a licensed
health care professional that granting access to the personal
representative is reasonably likely to cause substantial harm to the
individual or another person. As was described above with respect to
individuals denied access to their own records because of concerns of
endangerment, the personal representative retains the right to have the
denial reviewed by another licensed health care professional who is
designated by the HIPAA-covered laboratory to act as a reviewing
official and who did not participate in the original decision to deny.
A laboratory denying access must inform the personal representative of
this right and have the ability to have the denial reviewed in
accordance with these requirements.
We also note that Sec. 164.502(g)(5) of the Privacy Rule allows a
covered entity to elect not to treat a person as the personal
representative of an individual if the covered entity has a reasonable
belief that the individual has been or may be subjected to domestic
violence, abuse, or neglect by the person, and the covered entity, in
the exercise of professional judgment, decides that it is not in the
best interests of the individual to treat the person as the
individual's personal representative. We do not anticipate that this
provision will frequently apply in the circumstances where a personal
representative is requesting direct access to an individual's test
report maintained by a HIPAA-covered laboratory, as most laboratories
will not have the requisite relationship with the individual that will
enable them to make this type of assessment. However, there may be
situations where a HIPAA-covered laboratory is made aware of the
dangers by a treating provider or the individual. The HIPAA-covered
laboratory should consider this information in the exercise of its own
professional judgment.
Comment: One commenter stated that it was unclear from the proposed
rule whether a patient's access right would include the right to have
the test reports shared with others who do not have independent access
rights. This commenter urged the Department to amend the CLIA
regulations to clarify that the laboratory may provide access to the
patient, his or her personal representative, or any other party
designated by the patient or his or her personal representative.
Response: We clarify that, in certain circumstances, an
individual's access right includes the right to have test reports
shared with others who do not have independent access rights. In
addition to access by personal representatives, the HITECH Act
strengthened an individual's right of electronic access, which included
giving individuals the right to direct that a covered entity transmit
an electronic copy of the individual's protected health information
directly to another person or entity designated by the individual (see
section 13405(e) of the HITECH Act). The regulations that implemented
these statutory provisions were published as part of the HIPAA Privacy
Rule on January 25, 2013, and became effective on March 26, 2013. While
Section 13405(e) of the HITECH Act is applicable to electronic copies,
the Department also used its general authority under sections 262 and
264 of HIPAA to implement this right uniformly regardless of whether
the access requested is for an electronic or a paper copy of the
individual's protected health information. Thus, upon the compliance
date of this final rule, HIPAA-covered laboratories will be required to
abide by an individual's request to have the laboratory transmit the
copy of the individual's protected health information to another person
or entity designated by the individual. The Privacy Rule requires that
such requests must be made in writing, signed by the individual,
clearly identify the designated person or entity, and provide
information regarding where to send the copy of the protected health
information. See Sec. 164.524(c)(3)(ii) and the preamble to the final
HITECH rule (78 FR 5566) for more information.
With respect to the changes to the CLIA regulations, the CLIA
regulatory text as written in this rule will be sufficient to allow a
laboratory to, upon the request of a patient (or their personal
representative, if applicable), provide a copy of the patient's test
report to a person or entity designated by the individual in accordance
with the HIPAA Privacy Rule.
Comment: One commenter requested that organ procurement
organization laboratories that perform tests on decedent tissue and
blood be exempted from the rule altogether, since the outcome of these
tests would not be of meaningful value to the personal representatives
of decedents, and in the case of blood tests, could cause undue concern
given the frequency of false positive results.
Response: We appreciate that Organ Procurement Organization
laboratories operate under different circumstances than clinical
laboratories. However, we do not believe there should be an exemption
for these laboratories. Laboratories that are covered entities under
HIPAA are required to provide individuals (or their personal
representatives) with access to protected health information, including
that of decedents (see Sec. 164.524). We do not believe the concerns
raised by the commenter justify removing a personal representative's
right to access the protected health information of a
decedent at an Organ Procurement Organization laboratory that is a
covered entity. However, we do not expect many Organ Procurement
Organization laboratories will be HIPAA covered entities unless they
also provide clinical or other laboratory services that involve
reimbursement by health plans. Further, we emphasize that a HIPAA-
covered laboratory is only required to provide an individual (or
personal representative) with access when they receive a request for
access, which we do not expect to be a very frequent occurrence in the
context of testing for organ procurement purposes.
D. Requests for and Provision of Access
1. HIPAA Access Processes
Comment: Several commenters supported allowing flexibility in how
requests for access may be submitted, processed, and responded to by
laboratories. Commenters indicated a flexible approach was important
since laboratories vary greatly in terms of how they interact with
patients, if at all, and flexibility would allow laboratories to
implement processes that would not disrupt operations. One commenter
stated that some state laws may affect the processes that laboratories
may put in place and urged that the Department clarify that the
authority for specifying the processes for handling requests for access
lies with the laboratories rather than the states. Another commenter
expressed concern with the rule not spelling out the mechanisms by
which patient requests for access would be submitted, processed, or
responded to by laboratories. The commenter suggested that the final
rule should require some type of written record, such as a signature on
an office form, and verification of the identity of the person
requesting the records.
Response: We agree with the commenters that flexibility in how
laboratories receive and respond to access requests is important given
the varied circumstances of each laboratory. This final rule provides
laboratories with flexibility as to how to set up systems to receive,
process, and respond to requests for access by individuals, so long as
these processes comply with the timing and other requirements for
access in Sec. 164.524 of the HIPAA Privacy Rule where HIPAA-covered
laboratories are concerned. For example, some laboratories that
interact directly with individuals may give individuals the option to
request a copy of their completed test reports when the individuals are
physically present at the laboratory for specimen collection.
With regard to state laws, it is unclear from the comments how
exactly these laws impact laboratory processes. The HIPAA Privacy Rule
only preempts contrary provisions of state law. Thus, where a HIPAA-
covered laboratory can continue to comply with both the HIPAA Privacy
Rule and state law, it must frame its policies and procedures in a way
that complies with both laws. Further, the HIPAA Privacy Rule does not
preempt more stringent state laws, even if contrary to the Privacy
Rule. In the context of individuals' rights to access their health
information, "more stringent" means that the state law provides
greater rights of access. Therefore, a HIPAA-covered laboratory must
continue to abide by state laws that provide the individual with a
greater right of access. For example, if a state law requires
individual access to test reports within a shorter timeframe than the
Privacy Rule requires, access must be provided within that shorter
timeframe. Finally, as noted above and discussed more fully below,
while the HIPAA Privacy Rule provides some flexibility to HIPAA-covered
laboratories in how their access processes are developed, it does have
specific requirements for verification of identity and authority of the
individual requesting access, as well as timeliness and the form of
access provided, among other requirements, that must be followed in
providing access to individuals. With respect to the form of the
individual's request, the Privacy Rule does permit covered entities to
require that individuals make requests for access in writing (see Sec.
164.524(b)(1)).
Comment: Some commenters asked for clarification as to whether
hospital laboratories may continue to rely on existing hospital HIPAA
access processes, which may have been implemented through their health
information management departments, to provide individuals with access
to their test reports, rather than having to create an additional
process outside the normal customary practices followed by hospitals to
comply with the access requirements of the HIPAA Privacy Rule. A few
commenters specifically noted that some hospitals have patient portals
in place to provide individuals with access to their protected health
information, including laboratory results.
Response: Laboratories that operate as part of a larger legal
entity that is a hospital or that are part of an affiliated covered
entity or organized health care arrangement with a hospital (see the
definition of "organized health care arrangement" in the HIPAA Rules
at Sec. 160.103, and the provisions for affiliated covered entities at
Sec. 164.105(b)), may continue to utilize the hospital's already
established mechanisms for providing access to individuals requesting
their test reports from the hospital laboratories, provided that the
established mechanisms are compliant with the access provisions of the
HIPAA Privacy Rule. This includes providing individuals with access to
their test reports through a patient portal to the extent the
individuals have agreed to receive access in this manner. However,
laboratories that are not part of a hospital need to establish their
own process for providing individuals with direct access to their
protected health information in accordance with the Privacy Rule, even
if the laboratories' test reports are otherwise available to an
individual through an unaffiliated treating hospital or provider's
patient portal or other access mechanism.
Comment: One commenter asked whether a patient will be expected to
make a request for access from the laboratory to test reports at the
time the patient is in the treating provider's office, or whether
patients have a right to contact the laboratory directly for access.
Another commenter asked whether, with regard to the referral of
specimens from one laboratory to another, a patient will need to
request access to the test reports of both laboratories or just request
access from one of the laboratories to obtain all of the test results.
Response: Under this final rule, individuals have a right to make
requests for access to their protected health information directly to
HIPAA-covered laboratories. Laboratories may not require individuals to
make requests through their providers. While laboratories cannot
require individuals to submit requests for access to protected health
information maintained by the laboratories through their treating
providers, individuals may do so if that is one avenue the laboratory
uses to receive requests for access from individuals. Laboratories,
however, may require that individuals make access requests directly to
the laboratory.
With respect to laboratories that refer specimens to another
laboratory, an individual has a right to access his or her protected
health information maintained in a designated record set at either
laboratory. However, where one laboratory refers only one part of a
test to another laboratory, the individual may need to request access
from the referring laboratory to obtain access to a complete set of
test results. As explained above, a HIPAA-covered laboratory is
required to provide an
individual with access only to that protected health information
maintained by the laboratory in its designated record sets.
2. Time Frame for Providing Access
Comment: Some commenters were concerned that the required 30-day
timeframe in the HIPAA Privacy Rule for providing an individual with
access to laboratory test reports may not be sufficient to ensure that
a provider receives the report before the patient. The commenters
believe this is particularly problematic in the case of "sensitive"
test results. One commenter suggested that laboratories should have the
option of using up to two 30-day extensions when a licensed health care
professional has determined, in the exercise of professional judgment,
that the ordering provider should have additional time to receive and
review the test report before the patient is provided access. Another
commenter stated that the rule should not require laboratories to
release a test report to a patient before a treating provider, except
in emergency circumstances. Other commenters suggested that there
should be a defined delay or lag time, such as 48 or 72 hours, between
when a laboratory provides a test report to a treating provider and
when the laboratory provides the test report to the patient.
In contrast, other commenters were against providing a defined
delay between when the provider and the patient could obtain the test
report. Some commenters stated that the Privacy Rule's 30-day timeframe
for providing access affords ample opportunity for a provider to
receive a test report and consult with the patient before the patient
receives the test report he or she requested directly from the
laboratory. For example, one commenter suggested that the 30-day period
provides laboratories with sufficient flexibility to release routine
test results within a few days, while delaying the results of more
sensitive tests to allow more time for consultation between the
provider and the patient.
Response: We believe 30 days is generally sufficient time to allow
a treating provider to receive a test report in advance of the
patient's receipt of the report and to communicate the result to and
counsel the patient as necessary with regard to the result.
Specifically, requests to a laboratory for access may be made some time
after the provider has ordered the test or even after the provider has
received the completed test report. In cases where the end of the
initial 30-day period after an individual's request for access is
approaching and, due to the nature of the test, the laboratory is just
completing the test report, the laboratory may delay providing access
to the individual to ensure the completed test report is provided first
to the individual's provider, so long as the delay is no more than 30
days and the individual is informed in writing of the reason for the
delay and the date by which the laboratory will provide the individual
with access. However, laboratories may have only one extension (see
Sec. 164.524(b)(2)(iii)). Since we believe the timeframes provided in
the HIPAA Privacy Rule generally are sufficient to enable laboratories
to provide test reports to ordering providers before patients, we
decline to specify a specific lag time or to allow an additional 30-day
extension beyond the one 30-day extension currently permitted.
Comment: A few commenters expressed concern that the 30-day period
(and one 30-day extension) for providing access may not be sufficient
for all laboratory test reports to be completed. One commenter
suggested that the 30-day period to provide the individual with a copy
of the test report should begin from the time of the individual's
request for access, or test completion, whichever is later.
Response: We understand the commenters' concerns; however, we do
not believe it is necessary to establish the completion of the test
report as the trigger for the beginning of the 30-day period if the
completion of the test report is later than the individual's request
for access, or to otherwise create a timeliness requirement for
laboratories that is different than the requirement for other types of
covered entities. As discussed above in the section on "Scope of
Information to Which an Individual Has Access," the Privacy Rule
provides sufficient flexibility in most cases to enable laboratories to
provide individuals with access to the completed test reports they
request. In those rare cases where a test report is not completed, and
therefore is not available, within the HIPAA timeframe for responding
to requests and the individual is not willing to withdraw his or her
request so that he or she will receive a completed test report, the
Privacy Rule requires only that the laboratory provide access to the
existing protected health information in its designated record set(s)
about the individual, which would not include the completed test report
requested. We believe that uniformity of the timeliness requirement in
the Privacy Rule for all covered entities, including laboratories, is
important to ensure consumer understanding and covered entity
compliance.
E. Allowable Fees for Copying
Comment: Several commenters stated that laboratories should be
permitted to charge individuals that request a copy of one or more test
reports an additional fee along with the current fee permitted by the
HIPAA Privacy Rule. A number of commenters were specifically concerned
with the costs of retrieving archived test reports, which may only be
available on paper or limited media, and transferring them to a
suitable medium for distribution to the patient. A few commenters
suggested that a laboratory should be able to recoup the full costs of
providing reports to the individual, including costs associated with
retrieval of the information, copying, verification, documentation,
liability insurance, and other administrative costs.
In contrast, a number of commenters stated that individuals should
not encounter any additional fee to receive copies of test reports from
laboratories, other than the costs associated with completing the
tests.
Response: We appreciate the comments on this issue. The fee
provisions in the Privacy Rule are carefully balanced to reduce costs
to covered entities while at the same time avoid being an impediment to
individuals' ability to receive copies of their protected health
information. Therefore, we decline to expand the fees that may be
charged to individuals or to disallow any fees that are currently
provided for under the HIPAA Privacy Rule. HIPAA-covered laboratories
must comply with the same fee limitations at Sec. 164.524(c)(4) of the
Privacy Rule as other HIPAA covered entities in providing individuals
with copies of their health information. This means a HIPAA-covered
laboratory may charge an individual a reasonable, cost-based fee that
includes only the cost of: (1) Labor for copying the protected health
information requested by the individual, whether in paper or electronic
form; (2) supplies for creating the paper copy or electronic media if
the individual requests that the electronic copy be provided on
portable media; (3) postage, when the individual has requested the copy
be mailed; and (4) preparation of an explanation or summary of the
protected health information, if agreed to by the individual. HIPAA-
covered laboratories may not charge fees to reflect the costs they
incur in searching for and retrieving the information that is the
subject of the individual's request. Further, fees for costs associated
with verification, documentation, liability
insurance, maintaining systems, and other similar activities are not
permissible fees under this provision.
Comment: One commenter asked for a more definitive framework of
what is an appropriate fee.
Response: We are unable to provide a more definitive framework of
what is an appropriate fee, given that costs will vary depending on a
number of circumstances, such as the form of the copy requested (paper
versus electronic), the amount of information to be included in the
copy, and whether the individual has requested the copy to be placed on
electronic media or mailed. Covered entities may take into account all
of these factors in determining what is a reasonable, cost-based fee.
However, we consider fees expressly permitted under state law for
copying and postage to be reasonable (as long as they do not include
amounts associated with fees not provided for under the HIPAA Privacy
Rule, such as the fees for the cost of search and retrieval or other
costs).
F. Form and Format of Access
Comment: Some commenters stated that HIPAA-covered laboratories
should be able to limit the types of electronic formats in which
patients could receive copies of their completed test reports, and that
the format provided should not be controlled solely by patient
preference. These commenters were concerned with requiring laboratories
to have the capability to convert test reports to all types of
universal formats (for example, Microsoft (MS) Word, MS Excel, or
Portable Document Format (PDF)). One commenter stated it is not
practicable to reproduce all of the data of the official report into
some formats, such as MS Excel. A few commenters expressed concern that
HIPAA-covered laboratories will be required to invest in new technology
to allow for patient portals into laboratory systems so that patients
can view their test reports online. Certain commenters were
specifically concerned about the resources involved with having to
convert final laboratory reports that exist only on paper to PDF or
other electronic format.
Other commenters advocated for the use of patient portals and
personal health records (PHRs) to deliver test reports to patients in a
readable and secure manner. One commenter stated that the rule should
ensure laboratories are not allowed to provide test reports exclusively
through proprietary formats that require expensive proprietary software
to view, interpret, or process the results. Finally, one commenter
asked who makes the determination about which format is acceptable.
Response: The Privacy Rule does not require that a HIPAA-covered
laboratory have the capability to produce a copy of a completed test
report in whatever electronic format or manner the individual requests.
Rather, the Privacy Rule requires a covered entity to provide the
individual with a copy of the requested information in the form and
format requested by the individual, if a copy in that form or format is
readily producible. With respect to protected health information
maintained by the covered entity only in paper form, the Privacy Rule
requires the covered entity to provide the individual with a copy of
the protected health information in the form and format requested by
the individual, if it is readily producible. If not, the copy must be
either a readable hard copy or in another form or format as agreed to
by the covered entity and the individual (see Sec. 164.524(c)(2)(i)).
Thus, where an individual requests an electronic copy of test reports
that a HIPAA-covered laboratory maintains only on paper, the laboratory
is required to provide the individual with the type of electronic copy
requested if it is readily producible electronically and in the format
requested. For example, a HIPAA-covered laboratory maintaining the
requested test reports on paper may be able to readily produce a
scanned PDF version of the report but not the requested Word version.
In this case, the laboratory may provide the individual with the PDF
version if the individual agrees to accept the PDF version. If the
individual declines to accept the PDF version, or if the laboratory is
not able to readily produce a PDF version of the test reports, the
laboratory may provide the individual with hard copies of the reports
such as photocopies of the original reports.
However, when the protected health information to which the
individual seeks access is maintained electronically by the covered
entity and the individual requests an electronic copy of the
information, the Privacy Rule requires the covered entity to provide
the individual with access to the information in the requested
electronic form and format if it is readily producible in that form and
format. When it is not readily producible in the electronic form and
format requested, then the covered entity must provide the copy in an
alternative readable electronic format as agreed to by the covered
entity and the individual (see Sec. 164.524(c)(2)(ii)). In short, this
means that any HIPAA-covered laboratory that maintains protected health
information about an individual in one or more designated record sets
electronically must have the capability to provide the individual with
some form of electronic copy of the individual's protected health
information. For example, this would include providing the individual
with an electronic copy of the protected health information in the
format of MS Word or Excel, text, HTML, or text-based PDF. In addition,
we encourage laboratories to make available to individuals, upon
request, an electronic copy of their protected health information in
machine-readable formats (such as in HL7), which will enable
individuals to use their protected health information in electronic
health information tools, such as PHRs, if they choose.
We agree with the commenters that individuals should not have an
unlimited choice in the form of electronic copy they will receive. The
Privacy Rule allows a covered laboratory to make some other agreement
with individuals as an alternative means to provide a readable
electronic copy to the individual where the covered laboratory is not
able to readily provide the form of electronic copy requested. If an
individual requests a form of electronic copy that the HIPAA-covered
laboratory is unable to produce, the laboratory must offer the
individual other electronic formats that are available on its systems.
If the individual declines to accept any of the electronic formats that
are readily producible by the HIPAA-covered laboratory, the laboratory
must provide a hard copy as an option to fulfill the access request. We
remain neutral on the type of technology that covered entities may
adopt. We note that a PDF is a widely recognized format that would
satisfy the electronic access requirement if it is the individual's
requested format or if the individual agrees to accept a PDF instead of
the individual's requested format. Alternatively, there may be
circumstances where an individual prefers a simple text or rich text
file and the laboratory is able to accommodate this preference. In this
case, a hard copy of the individual's protected health information
would not satisfy the electronic access requirement. However, a hard
copy may be provided if the individual decides not to accept any of the
electronic formats offered by the covered entity.
For example, if a HIPAA-covered laboratory receives a request from
an individual to have access to test reports through a web-based
portal, but the only readily producible version of the
protected health information by the laboratory is in PDF, the Privacy
Rule requires the laboratory to provide the individual with the PDF
copy of the protected health information, if the individual agrees to
receive it in that form. If the individual declines to receive the PDF
copy, the laboratory may provide the individual with a hard copy of the
information.
Further, while we encourage laboratories to offer patients the
ability to access their test reports through patient portals maintained
by the laboratories, the HIPAA Privacy Rule does not require covered
entities to have this capability. We recognize that what is available
in a readable electronic form and format will vary by system and
technological capabilities will improve over time. Therefore, the
Privacy Rule allows covered entities the flexibility to provide
individuals with electronic copies of protected health information that
are currently readily producible and available on their various
systems. A HIPAA-covered laboratory is not required to purchase new
software or systems in order to accommodate an electronic copy request
for a specific form that is not readily producible by the laboratory at
the time of the request, provided the laboratory is able to provide
some form of electronic copy. We note that providing the individual
with an electronic copy of a test report in a proprietary format that
will require the purchase or acquisition by the individual of
proprietary software to view the report would not satisfy these access
requirements.
Comment: A few commenters suggested that any electronic copies
provided to individuals should include a digital signature to provide
assurance that test results had not been modified.
Response: HIPAA-covered laboratories may include digital signatures
on electronic copies of test reports given to individuals, provided the
electronic copy is still in a format that has either been requested by
the individual or is an alternative that has been agreed to by the
individual and the laboratory.
Comment: Some commenters were concerned about the ability of
laboratories to transmit electronic copies of test reports to
individuals in a secure manner, and asked for guidance on how test
reports should be transmitted to patients. A few commenters were
concerned with transmitting test reports to patients via unencrypted
email. One commenter expressed concern about being found responsible
for a breach if a HIPAA-covered laboratory sent test reports in an
unsecure manner after a specific request by the individual to send them
in that manner. Other commenters suggested that any method of
transmitting test reports to individuals should be acceptable, whether
it be by mail, email, transmission to a PHR or patient portal, or other
method.
Response: How a test report is transmitted to an individual will
vary depending on the circumstances and the request of the individual.
In cases where an individual is in close proximity to the laboratory,
the individual may wish to come and pick up the test report from the
laboratory directly; however, the individual is not required to do so.
Individuals also have a right under the Privacy Rule to have either the
paper or electronic (for example, on compact disk) copies of their
protected health information mailed to them, and HIPAA-covered
laboratories may charge an individual for postage in cases where the
individual has asked that the copy be mailed. In sending the copy to an
individual, covered laboratories are required to reasonably safeguard
the information (see Sec. 164.530(c)). This may include ensuring the
packaging is securely sealed and that none of the information from the
test reports is visible from the outside of the package.
Individuals also may request that a laboratory email an electronic
copy of a test report. In emailing copies of test reports to
individuals, HIPAA-covered laboratories are required to comply with the
HIPAA Security Rule, which, among other requirements, requires
implementation of technical security measures to guard against
unauthorized access to electronic protected health information that is
being transmitted over an electronic communications network (see Sec.
164.312(e)). As a security measure, the Security Rule requires
encryption when transmitting electronic protected health information
where it is reasonable and appropriate to encrypt the information. In
general, encryption is a reasonable and appropriate measure to
safeguard email transmissions. However, we have found that there may be
instances when an individual may not want to receive his or her
protected health information in an encrypted format or may be unable to
access the information when encrypted. In these cases, a HIPAA-covered
laboratory is permitted to send the individual copies of the test
reports via unencrypted email, if it advises the individual of the
risks associated with unencrypted email, and, after doing so, the
individual still wishes to receive his or her protected health
information via unencrypted email. A HIPAA-covered laboratory is not
responsible for any unauthorized access that may occur while protected
health information is in transit using the means requested by the
individual. Further, a HIPAA-covered laboratory is not responsible for
safeguarding protected health information once it is delivered to the
individual.
Finally, as mentioned above, we encourage laboratories to offer
individuals access to their test reports and other health information
through secure patient portals or PHRs. However, use of this method is
not required.
Comment: One commenter asked if CMS has the regulatory authority to
establish minimum requirements for the provision of electronic test
results to patients in a structured format or at least to suggest
guidance to laboratories if the test results are to be provided in an
electronic format.
Response: CMS does not have current plans to establish regulations
that would impose minimum requirements for the provision of electronic
results in a structured format, but could examine these options going
forward. Furthermore, CLIA guidance on electronic formats was provided
as part of the March 2010 revision to the CLIA State Operations Manual
Appendix C--Survey Procedures and Interpretive Guidelines for
Laboratories and Laboratory Services (see, CMS Ref: S&C-10-12-CLIA).\2\
---------------------------------------------------------------------------
\2\ https://www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertificationGenInfo/downloads/SCLetter10-12.pdf.
---------------------------------------------------------------------------
G. Content of Test Report, Educational Materials, and Standard
Statements
Comment: A few commenters requested further guidance on what the
test report that is provided to an individual should look like.
Commenters noted that the laboratory coding schema on the official test
report sent to the provider may need further interpretation and context
before it would be useful to the patient. These commenters expressed
concern with the resources and information system development that
would be needed to provide a more understandable test report to the
individual. Other commenters stated that the report furnished to the
individual should be the ``official'' report furnished to the ordering
provider rather than one that is reworded and redesigned in an effort
to meet the needs of the individual. Otherwise, they noted, there could
be inadvertent inconsistencies or inaccuracies when one compared the
``official'' report to the patient-centric report.
In addition, some commenters suggested that laboratories should
provide brief explanations or patient-specific educational materials on
the tests reported, including reference ranges, so that the individual
can interpret the information (for example, similar to a pharmacy's
provision of the package insert for prescription drugs).
Response: As discussed above, the final rule does not require
laboratories to interpret test reports for individuals. An individual
has a right to receive a copy of the information about the individual
maintained by or on behalf of a HIPAA-covered laboratory in a
designated record set, which may include the official test report that
is also provided to the individual's provider. However, while not
required, a laboratory may also provide additional educational or
explanatory materials regarding the test results to individuals if it
chooses to do so.
Comment: A number of commenters suggested that the information
provided to individuals should include a standard statement explaining
the limitations of the laboratory data alone in confirming or ruling
out a diagnosis, explaining that the laboratory results are subject to
a physician's interpretation and encouraging the individual to discuss
the results with his or her physician, and providing the contact
information of the physician who ordered the tests.
Response: As we explain above, this final rule does not supplant
the treatment conversation a health care provider has with a patient
about the patient's test results. We expect that individuals will
continue to obtain test results through their treating or ordering
providers, and even when individuals request access to test reports
directly from laboratories, we believe that, in most cases, these
individuals will have had conversations with their treating providers
about their test results before receiving access. Therefore, we do not
believe a regulatory requirement for a standard statement is warranted.
However, laboratories that wish to include one with test reports are
free to do so.
H. Verification of Identity and Authentication
Comment: Some commenters stated that many laboratories would have
challenges with verifying an individual's identity because they often
have no direct interaction with the individual and any contact
information they receive from a health care provider can be incomplete
or incorrect. One commenter indicated that these limitations would
necessitate that an individual make a request for a test report in
person. These commenters requested guidance or sample authentication
practices for verifying an individual's identity upon receiving a
request, whether in person, by phone, fax, or other means. One
commenter suggested that the Department should provide guidance on the
appropriate assurance levels for identity proofing and authentication,
as defined by the National Institute of Standards and Technology (NIST)
(Publication 800-63).
Response: Under Sec. 164.514(h) of the Privacy Rule, a covered
entity is required to take reasonable steps to verify the identity of
the individual making a request for access. The rule does not mandate
any particular form of verification (such as obtaining a copy of a
driver's license), but rather leaves the type and manner of the
verification to the discretion and professional judgment of the covered
entity. Further, covered entities may rely on industry standards in
developing reasonable verification processes. The type of verification
may also vary depending on how the individual is to receive access, the
form of the request, and whether the covered entity is requiring that
all requests for access be made in writing, as permitted by Sec.
164.524(b)(1), or permitting oral requests for access. For example, in
those cases where an individual requests to pick up a copy of a test
report directly from a laboratory, the laboratory may require that some
form of photo identification be provided before the individual receives
a copy. When a HIPAA-covered laboratory requires that a request for a
copy of the test report be made on its own supplied form (whether by
fax, email, or otherwise), the laboratory could request basic
information on the form (date of birth, provider's name, date specimen
was collected, etc.) to verify that the person requesting access is the
individual who is the subject of the test report. Similarly, if a
laboratory allows an individual to verbally request access over the
phone, the laboratory can, at that time, request the information needed
to verify the person is the subject individual. For those laboratories
using patient portals to provide access, those portals should already
be set up with appropriate authentication controls, as required by
Sec. 164.312(d) of the HIPAA Security Rule, to ensure that the person
seeking access is the one claimed. However, we do not prescribe
specific levels of authentication.
We understand that, in many cases, a laboratory may not have
extensive contact or other information about an individual. However,
the rule makes clear that a laboratory is only required to provide an
individual with access to test reports that can be identified as
belonging to the individual who has requested access, based on the
laboratory's authentication processes. Thus, when a laboratory is able
to authenticate a test report as belonging to a particular patient,
that laboratory will have at least some basic information about the
patient, such as name, date of birth, date specimen was collected,
etc., that can also be used to verify the identity of a person
requesting access to that test report. When a laboratory believes a
provider may have supplied incorrect information for a patient, which
prevents the laboratory from properly verifying the individual, the
laboratory may contact the provider to see if correct information is
available.
While the Privacy Rule requires verification of the identity of the
person requesting access, a HIPAA-covered laboratory may not impose
unreasonable verification measures on an individual as a means to avoid
having to provide the individual with access. For example, a
HIPAA-covered laboratory may not require an individual who wants a copy of
his or her test reports mailed to his or her home address to physically
come to the laboratory to request access and provide proof of identity
in person.
I. Informing Individuals of Their New Right of Access
Comment: A few commenters stated that providers should be required
to inform or notify individuals of their right to receive test reports
directly from laboratories, and to provide the information necessary
for individuals to request test reports from the appropriate clinical
laboratories. One commenter suggested this information could be
included in the provider's notice of privacy practices. Another
commenter asked if this final rule would require HIPAA-covered
laboratories to revise their notices of privacy practices to include a
statement regarding an individual's right to receive test results
directly from the laboratory.
Response: We encourage, but do not require, treating health care
providers to inform individuals of their right to receive test reports
directly from HIPAA-covered laboratories. We believe requiring
providers to do so would create an unwarranted burden on providers.
However, whenever providers send a specimen(s) to the laboratory, as
opposed to the individual going to the laboratory himself or herself to
provide the testing sample, we encourage providers to supply the
individual with the name of the
laboratory to which the specimen is being or has been sent and the
other information necessary for the individual to request access from
the laboratory.
With respect to HIPAA notices of privacy practices, a covered
entity is required to promptly revise its notice whenever there is a
material change to any of its privacy practices, including those
pertaining to individuals' rights to access their protected health
information (see Sec. 164.520(b)(3) of the Privacy Rule). This final
rule provides individuals with a right to access their protected health
information directly from HIPAA-covered laboratories. A change in an
individual's access rights constitutes a material change to the privacy
practices of HIPAA-covered laboratories. Thus, by the compliance date
of this final rule, HIPAA-covered laboratories must revise their
notices to inform individuals of this right and to include a brief
description of how to exercise this right, and must remove any
statements to the contrary (see Sec. 164.520(b)(1)(iv)(C)). Further,
HIPAA-covered laboratories must make the revised notice available as
required by Sec. 164.520(c). We do not require that other covered
health care providers, such as ordering providers, revise their notices
of privacy practices to inform individuals of their right to access
protected health information directly from laboratories.
The Department recognizes that HIPAA-covered laboratories are
already required by the modifications to the HIPAA Rules that were
published on January 25, 2013 (78 FR 5566) to revise their notices by
September 23, 2013. To avoid HIPAA-covered laboratories having to
modify their notices twice within the same year to comply with both the
January 25, 2013, final rule and this rule, the Department announced on
September 19, 2013, that it was exercising its enforcement discretion
to allow CLIA laboratories (including CLIA-exempt laboratories) that
are HIPAA covered entities to take until the compliance date of this
final rule, October 6, 2014, to revise their notices to reflect both
sets of modifications. See https://www.hhs.gov/ocr/privacy/hipaa/enforcement/clia-labs.html. Thus, CLIA and CLIA-exempt laboratories
that are HIPAA covered entities need only update their notices once to
comply with both rules.
J. Preemption
Comment: A number of commenters supported the rule's general
preemption of contrary state laws, stating that it would bring further
harmonization of federal and state laws and ensure, regardless of where
an individual lives, that he or she has access to laboratory test
reports. Other commenters requested clarification with respect to
preemption, asking whether state laws that require more timely access
to test reports than the Privacy Rule or that would limit the types of
identification a laboratory could ask an individual to present to
verify identity would continue to stand. One commenter stated that the
final rule should preempt state laws that restrict laboratory-initiated
contact with patients for purposes of communicating laboratory results.
This commenter stated that there can be compelling medical reasons for
laboratories to initiate contact. Another commenter stated that the
rule should not preempt state laws that require the provider to discuss
the results and provide psychological counseling along with disclosure
of HIV test results.
Response: We agree with commenters that preemption of certain
contrary state law is necessary to ensure that individuals' access
rights under the Privacy Rule are strengthened. A number of states have
laws that prohibit a laboratory from releasing a test report directly
to the individual or that prohibit the release without the ordering
provider's consent. Upon the effective date of this final rule, the
Privacy Rule preempts these laws and HIPAA-covered laboratories should
begin to come into compliance.
With respect to those commenters requesting clarification on HIPAA
preemption, we note that HIPAA preempts only state laws that are
contrary to the Privacy Rule. ``Contrary'' generally means a covered
entity would find it impossible to comply with both the state and HIPAA
requirements. In certain cases, a contrary state law is not preempted,
such as where a state law is more stringent than the Privacy Rule.
``More stringent'' means, with respect to individuals' access rights,
that the state law provides greater rights of access to individuals
(see, 45 CFR Part 160, Subpart B). A state law that requires a
laboratory to provide an individual with more timely access to test
reports is not contrary to the Privacy Rule and thus, is not preempted.
Similarly, a state law that limits the types of identification a
laboratory can ask an individual to produce is not contrary to the
Privacy Rule, provided the laboratory is still able to verify the
identity of the person requesting access as required by Sec.
164.514(h). HIPAA-covered laboratories should be able to comply with
both sets of requirements in providing individuals with access to their
test reports. Further, we clarify that this final rule applies only to
laboratories. State laws that place requirements on other types of
health care providers, such as those requiring a provider to discuss
with and counsel a patient on HIV test results, are not preempted by
this final rule. Finally, the trigger for the access obligations under
the Privacy Rule is a request from an individual or the individual's
personal representative. This final rule does not impose any
requirement or establish any permission in regard to a laboratory
initiating contact with an individual for purposes of communicating
test results.
K. Compliance Date
Comment: A number of commenters advocated for a longer time period
for HIPAA-covered laboratories to come into compliance than the
proposed 180-day compliance period. Commenters suggested a variety of
different compliance dates, including one year and beyond. Some
commenters raised specific concerns with respect to laboratories that
do not currently provide individuals with access to test reports, since
the laboratories would need to develop all new policies, protocols, and
mechanisms for receiving and responding to requests for access to test
reports.
Other commenters asked that the Department wait to finalize the
rule until after the HITECH Act changes to the Privacy Rule become
final so that HIPAA-covered laboratories would need to develop only one
set of policies, protocols, and procedures one time, to comply with the
Privacy Rule's access provisions. A few commenters requested that the
Department implement reasonable, sequenced compliance deadlines for all
related regulations under the HITECH Act and HIPAA, such as changes to
the Privacy Rule, EHR Incentive Programs' requirements, and the
implementation of HIPAA Version 5010 and ICD-10. Commenters stated that
sequenced deadlines would better take into account the significant
amount of financial, operational, and technological resources needed to
fully comply with all of these new requirements.
Response: While we appreciate the commenters' concerns regarding
the compliance date, we decline to extend the 180-day compliance period
for this final rule. We believe 180 days will provide HIPAA-covered
laboratories with sufficient time to become prepared to provide
individuals who request them with copies of test reports and will also
ensure that individuals are afforded and able to benefit from this new
right in a timely manner after the rule's issuance. Thus, HIPAA-covered
laboratories are required to comply with
the individual access provisions of the Privacy Rule by no later than
180 days after the effective date of the final rule. The effective date
of the final rule is 60 days after publication in the Federal Register;
therefore, laboratories have a total of 240 days after publication of
this final rule to come into compliance. Moreover, in a number of
cases, laboratories that operate in states that allow an individual to
receive test reports directly from the laboratories will already have
policies for providing individuals with access to test reports, which
can then be modified as needed to be consistent with Privacy Rule
requirements. The HITECH Act enhancements to an individual's right of
access under the Privacy Rule were finalized and incorporated into the
Privacy Rule on March 26, 2013. Thus, in implementing this rule and the
HITECH Act changes, HIPAA-covered laboratories need only develop one
set of policies. Finally, while we understand that overlapping
compliance deadlines for different rules may be burdensome to entities
that are subject to all of the rules, we do not believe it is feasible
to completely sequence regulatory deadlines and still realize in a
timely manner the benefits and protections the new requirements are
intended to provide.
L. Other Comments
Comment: Commenters asked whether a laboratory could be subject to
penalties for charging more than the reasonable cost-based fee allowed
by the Privacy Rule, for failing to comply with an individual's request
for completed test reports within the appropriate time period, or for
failing to comply with an individual's request altogether.
Response: HIPAA-covered laboratories that fail to comply with the
Privacy Rule's access provisions are subject to an enforcement action
for noncompliance by the Department, which may include the imposition
of civil money penalties. More information about HIPAA enforcement is
available on the OCR Web site at: https://www.hhs.gov/ocr/privacy/hipaa/enforcement/.
Comment: A few commenters suggested that the rule increases burden
on individuals, by making them first call their provider's office to
learn the name of the laboratory producing the test report and then
making them call the laboratory for a copy of the test report, instead
of just having them contact the provider's office for the test results.
Response: We do not agree that this final rule increases the burden
on individuals. As previously discussed in detail above, the rule does
not supplant the role of the treating provider in discussing test
results with a patient or an individual's right under the HIPAA Privacy
Rule to access protected health information about the individual
maintained by the provider, including laboratory test results. The rule
merely provides an additional avenue for individuals to obtain copies
of their test reports by allowing individuals to obtain their test
reports directly from the laboratories.
Comment: One commenter stated that certain third-party payers and
insurers do not allow laboratories to bill a patient any amount in
addition to what is paid to the laboratory for testing services by that
third-party payer or insurer. The commenter contended that this
prohibition would prevent a laboratory from charging an individual a
cost-based fee for providing a copy of the test report.
Response: First, we note that charging an individual a fee for
access is optional and not required under the Privacy Rule. Second, the
billing restriction described by the commenter is likely tied to the
costs associated with the provision of health care services, and not to
a laboratory's ability to charge an individual for reasonable costs
associated with providing the individual access to his or her protected
health information. It has not been our experience that covered health
care providers subject to similar billing restrictions have been unable
to charge individuals reasonable cost-based fees for access to their
records.
Comment: One commenter asked, when a patient fails to compensate
the laboratory for services provided, whether a laboratory may withhold
future test results from the patient until payment is made.
Response: A covered entity may not withhold or suspend an
individual's right under the HIPAA Privacy Rule to access his or her
protected health information because the individual has not paid the
covered entity for the health care services provided.
Comment: One commenter stated that laboratories should not be
required to provide test reports in a patient's preferred language.
Response: A covered entity's obligations under civil rights or
other laws to ensure equal access to health care for individuals,
including requirements for when certain documents must be translated,
are not diminished or disturbed by this rule.
Comment: A few commenters suggested that laboratories should be
required to notify the ordering provider when a patient has received,
or will receive, copies of test reports directly from the laboratory.
Response: We do not believe this requirement is warranted. As
discussed above, this rule does not change the ability of an ordering
provider to receive test reports and discuss them with the patient.
However, a laboratory that wishes to provide notification to a provider
that an individual will receive a copy of a test report directly may do
so.
Comment: One commenter stated that, by deferring to state law, the
CLIA regulations impede disclosures of test reports to other HIPAA
covered entities and business associates for purposes that are
otherwise permitted by HIPAA. This commenter stated that the list of
persons authorized to receive the reports should be expanded to include
HIPAA covered entities and business associates. This commenter believes
that the expansion of the list will eliminate barriers to legitimate
disclosures to these entities, such as for treatment or quality
improvement purposes.
Response: The CLIA regulations at Sec. 493.1291(f) state that test
results must be released only to authorized persons and, if applicable,
to the persons responsible for using the test results, and to the
laboratory that initially requested the test. ``Responsible for using''
would cover those HIPAA covered entities that are in a treatment
relationship with the individual. CLIA also defines ``authorized
person'' as an individual authorized under state law to order tests or
receive test results, or both. State law can expand the list of
entities that can be considered ``authorized'' persons under CLIA.
VI. Collection of Information Requirements
Under the Paperwork Reduction Act of 1995 (PRA), we are required to
provide 30-day notice in the Federal Register and to solicit public
comment before a collection of information requirement is submitted to
the Office of Management and Budget (OMB) for review and approval. In
order to fairly evaluate whether an information collection should be
approved by OMB, section 3506(c)(2)(A) of the PRA requires that we
solicit comment on the following issues:
- The need for the information collection and its usefulness
  in carrying out the proper functions of our agency.
- The accuracy of our estimate of the information collection
  burden.
- The quality, utility, and clarity of the information to be
  collected.
- Recommendations to minimize the information collection
  burden on the affected public, including automated collection
  techniques.
In our September 14, 2011 proposed rule (76 FR 56712), we solicited
public comment on each of these issues, as required by section
3506(c)(2)(A) of the PRA. We did not receive any PRA-related comments.
Except as provided in Sec. 493.1291(l), test reports must be
released only to authorized persons and, if applicable, the individuals
(or their personal representatives) responsible for using the test
reports, and to the laboratory that initially requested the test. Under
Sec. 493.1291(l), the laboratory may, upon request by the patient (or
the patient's personal representative), provide access to the patient's
test reports that the laboratory can identify as belonging to that
patient. The CLIA regulations do not require that CLIA-certified
laboratories provide this access--rather, these laboratories are
allowed to provide for access. However, the accompanying changes to the
HIPAA Privacy Rule in this final rule require that CLIA-certified
laboratories that are HIPAA covered entities provide individuals with
access in accordance with the Privacy Rule. The CLIA-certified
laboratories that are covered entities under HIPAA will need to ensure
that their practices conform to CLIA and HIPAA requirements.
We have prepared the Paperwork Reduction Act and the Regulatory
Impact Analysis (RIA) that represents the costs and benefits of the
final rule based on an analysis of identified variables and data
sources needed for this change. We identified known data elements
(Table 1) and made assumptions on elements where a source could not be
identified (Table 2). Our assumptions are based on internal discussions
and consultation with laboratories representative of the industry.
                              Table 1--Summary of Known Data Elements
------------------------------------------------------------------------------------------------------------
Variable                          Data element    Source
------------------------------------------------------------------------------------------------------------
States/territories where          39              Determination of this finding is based on two reports as
laboratories, as listed in                        listed here:
Table 3, are impacted by the                      1. Privacy and Security Solutions for Interoperable Health
new individual access                             Information Exchange, Releasing Clinical Laboratory Test
provisions.                                       Results; Report on Survey of State Laws prepared by Joy
                                                  Pritts, JD, for the Agency for Health care Research and
                                                  Quality and Office of the National Coordinator August
                                                  2009; RIT Project Number 0209825.000.015.100 (Accessed
                                                  July 15, 2010).
                                                  2. Electronic Release of Clinical Laboratory Results: A
                                                  Review of State and Federal Policy, prepared by Kitty
                                                  Purington, JD, for the California Health care Foundations
                                                  January 2010 (Accessed July 15, 2010).
Laboratories, as listed in        22,816          Data from CLIA Online Survey Certification and Reporting
Table 6, impacted by the new                      (OSCAR) database accessed August 27, 2012. Includes
individual access provisions.                     Certificate of Compliance and Certificate of Accreditation
                                                  in the 39 states impacted by the patient access
                                                  provisions.
Test results in laboratories,     7,025,841,649   Data from OSCAR database accessed August 27, 2012.
as listed in Table 6,                             Includes Certificate of Compliance and Certificate of
impacted by the new                               Accreditation in the 39 states impacted by the patient
individual access provisions.                     access provisions.
States/territories, as noted      46              Determination of this finding is based on two reports as
in Table 7, where the HIPAA                       listed here:
Privacy Rule will pre-empt                        1. Privacy and Security Solutions for Interoperable Health
State Law \1\.                                    Information Exchange, Releasing Clinical Laboratory Test
                                                  Results; Report on Survey of State Laws prepared by Joy
                                                  Pritts, JD, for the Agency for Health care Research and
                                                  Quality and Office of the National Coordinator August
                                                  2009; RIT Project Number 0209825.000.015.100 (Accessed
                                                  July 15, 2010).
                                                  2. Electronic Release of Clinical Laboratory Results: A
                                                  Review of State and Federal Policy, prepared by Kitty
                                                  Purington, JD, for the California Health care Foundations
                                                  January 2010 (Accessed July 15, 2010).
Laboratories, as indicated in     33,807          Data from OSCAR database accessed August 27, 2012.
Table 7, required to update                       Includes Certificate of Compliance and Certificate of
their HIPAA notices of                            Accreditation in the 27 states impacted by the HIPAA
privacy practices.                                provisions to update the notices of privacy practice.
Hourly salary of clerical         $30.09          2013 salary/wages and benefits--use 2012 salary/wages and
level employee to process                         benefits obtained from the U.S. Bureau of Labor
requests for test reports.                        Statistics, Economic News Release, March 2012 U.S.--Total
                                                  employer costs per hour worked for employee compensation:
                                                  Civilian workers; Occupational Group: Service-providing
                                                  (at https://www.bls.gov/news.release/ecec.t01.htm) and
                                                  adjusts annually by 2.78 percent to reflect an average
                                                  increase in total compensation costs from 2007-2011.
Hourly salary of management       $50.06          2013 salary/wages and benefits--use 2012 salary/wages and
level employee to determine                       benefits obtained from the U.S. Bureau of Labor
policy.                                           Statistics, Economic News Release, March 2012 U.S.--Total
                                                  employer costs per hour worked for employee compensation:
                                                  Civilian workers; Occupational Group: Service-providing
                                                  (at https://www.bls.gov/news.release/ecec.t01.htm) and
                                                  adjusts annually by 2.78 percent to reflect an average
                                                  increase in total compensation costs from 2007-2011.
------------------------------------------------------------------------------------------------------------
1. Note that there may be circumstances where a laboratory is able to
comply with both HIPAA and the state law.
Table 2--Summary of Assumptions
----------------------------------------------------------------------------------------------------------------
Variable Low High
----------------------------------------------------------------------------------------------------------------
Number of test results per test report... 10 test results................... 20 test results.
Percentage of patients requesting test 0.05%............................. 0.50%.
report.
Time required to process request for test 10 minutes........................ 30 minutes.
report.
----------------------------------------------------------------------------------------------------------------
We determined that the impacted CLIA-certified laboratories can be
broken down into four categories: Laboratories in states and
territories where there is no law regarding who can receive test
reports (N=26), laboratories in states and territories where test
reports can only be given to the provider (N=13), laboratories in
states and territories that allow test reports to go directly to the
patient through some means or mechanism (N=9), and laboratories in
states and territories that allow the test reports to go to the patient
with provider approval (N=7). Of these four categories, we believe that
laboratories in the 39 states and territories where there is either no
law regarding receipt of test reports or where reports can only go to
the provider are affected by the individual access provisions contained
in this rulemaking (see Table 3 for a list of states and territories by
category). Laboratories in the remaining categories would most likely
have existing procedures in place to respond to patient requests for
test reports, whereas the laboratories in the first two categories
would most likely not have procedures in place and would have to
develop mechanisms for handling these requests and providing access.
            Table 3--Impact on Laboratories of New Individual Access Provisions
----------------------------------------------------------------------------------------------------
Impacts laboratories                                Does not impact laboratories
----------------------------------------------------------------------------------------------------
No State law              Allows test reports       Allows test reports       Allows test reports to
                          only to provider          to patient                patient with provider
                                                                              approval
----------------------------------------------------------------------------------------------------
Alabama                   Arkansas                  Delaware                  California
Alaska                    Georgia                   District of Columbia      Connecticut
Arizona                   Hawaii                    Maryland                  Florida
Colorado                  Illinois                  New Hampshire             Massachusetts
Guam                      Kansas                    New Jersey                Michigan
Idaho                     Maine                     Nevada                    New York
Indiana                   Missouri                  Oregon                    Virginia
Iowa                      Pennsylvania              Puerto Rico
Kentucky                  Rhode Island              West Virginia
Louisiana                 Tennessee
Minnesota                 Washington
Mississippi               Wisconsin
Montana                   Wyoming
Nebraska
New Mexico
North Carolina
North Dakota
Northern Mariana Islands
Ohio
Oklahoma
South Carolina
South Dakota
Texas
Utah
Vermont
Virgin Islands
----------------------------------------------------------------------------------------------------
In addition to the impact from the access provisions, laboratories
both in the 39 states and territories where there is either no law
regarding receipt of test reports or where reports can only go to the
provider, as well as in the 7 states and territories that currently
allow test reports to go to the patient only with provider approval,
will be affected by the requirement to update HIPAA notices of privacy
practices as a result of this final rule (see Table 4 for a list of
states and territories by category). Even if laboratories in the 7
states and territories that currently allow test reports to go to the
patient with provider approval have processes in place to provide test
reports to patients, their notices of privacy practices may now contain
inaccurate statements about how individuals can obtain copies of their
test reports, given that this final rule preempts these state laws.
Therefore, by the compliance date of this rule, the laboratories in the
46 states and territories identified in Table 4 will need to revise
their notices to inform individuals of their right to obtain reports
directly from the laboratory, provide a brief description of how to
exercise this right, and must remove any statements to the contrary
(see Sec. 164.520(b)(1)(iv)(C)).
   Table 4--Impact on Laboratories of HIPAA Privacy Rule Requirement To Revise Their Notices of
                                        Privacy Practices
----------------------------------------------------------------------------------------------------
Impacts laboratories                                                          Does not impact
                                                                              laboratories
----------------------------------------------------------------------------------------------------
No State law              Allows test reports       Allows test reports to    Allows test reports
                          only to provider          patient with provider     to patient
                                                    approval
----------------------------------------------------------------------------------------------------
Alabama                   Arkansas                  California                Delaware
Alaska                    Georgia                   Connecticut               District of Columbia
Arizona                   Hawaii                    Florida                   Maryland
Colorado                  Illinois                  Massachusetts             New Hampshire
Guam                      Kansas                    Michigan                  New Jersey
Idaho                     Maine                     New York                  Nevada
Indiana                   Missouri                  Virginia                  Oregon
Iowa                      Pennsylvania                                        Puerto Rico
Kentucky                  Rhode Island                                        West Virginia
Louisiana                 Tennessee
Minnesota                 Washington
Mississippi               Wisconsin
Montana                   Wyoming
Nebraska
New Mexico
North Carolina
North Dakota
Northern Mariana Islands
Ohio
Oklahoma
South Carolina
South Dakota
Texas
Utah
Vermont
Virgin Islands
----------------------------------------------------------------------------------------------------
The CMS Online Survey, Certification, and Reporting (OSCAR)
database indicates that there are a total of 234,756 laboratories which
provide approximately 12.8 billion tests annually (see Table 5) in the
United States. We assume Certificate of Waiver laboratories and
Certificate of PPM laboratories would not be impacted because the tests
are usually performed in these sites during a patient's visit. We
assume that the physician or health practitioner would inform the
patient of those results during the visit, and we anticipate that the
patient would ask that person with whom they interacted as opposed to
the laboratory, if they have reason to seek copies of the test report
in the future. In the 39 states and territories that are impacted by
the patient access provision, there are 22,816 laboratories that
perform over 7 billion tests annually (see Table 6).
However, we recognize that some laboratories included in these
estimates may not be covered entities under HIPAA (because they do not
conduct covered health care transactions electronically, for example,
filing electronic claims for payment) and, therefore, would not be
required to provide direct individual access.
          Table 5--All U.S. Laboratory Testing Subject to CLIA
------------------------------------------------------------------------
CLIA certificate type                      Number of     Number of tests
                                          laboratories
------------------------------------------------------------------------
Certificate of Compliance.............          20,470     3,122,772,023
Certificate of Accreditation..........          16,829     8,998,058,524
Certificate of Waiver.................         158,996       477,094,700
Certificate of Provider Performed
 Microscopy (PPM).....................          38,461       207,777,472
                                       ---------------------------------
    Totals............................         234,756    12,805,702,719
------------------------------------------------------------------------
Table 6--Number of Laboratories Impacted by New Individual Access
Provisions
------------------------------------------------------------------------
State or territory                    Number of laboratories   Number of tests
------------------------------------------------------------------------
Alaska.............................. 103 10,688,466
Alabama............................. 868 252,267,262
Arkansas............................ 540 74,686,910
Arizona............................. 581 195,731,588
Colorado............................ 499 138,847,079
Georgia............................. 1,190 217,997,888
Guam................................ 13 2,500,654
Hawaii.............................. 117 36,918,267
Idaho............................... 230 33,092,465
Illinois............................ 1,053 1,852,543,312
Indiana............................. 621 190,732,493
Iowa................................ 548 82,389,916
Kansas.............................. 438 240,744,893
Kentucky............................ 710 133,586,267
Louisiana........................... 677 135,050,184
Maine............................... 140 36,150,552
Minnesota........................... 832 165,066,668
Mississippi......................... 523 45,808,928
Missouri............................ 683 192,145,580
Montana............................. 961 300,480,983
Nebraska............................ 317 33,103,996
New Mexico.......................... 189 44,642,110
North Carolina...................... 673 48,771,993
North Dakota........................ 177 49,833,112
Northern Mariana Islands............ 181 56,185,878
Ohio................................ 634 163,151,403
Oklahoma............................ 485 111,005,884
Pennsylvania........................ 747 87,776,132
Rhode Island........................ 477 91,657,444
South Carolina...................... 453 38,185,190
South Dakota........................ 469 171,638,497
Tennessee........................... 2,626 949,935,182
Texas............................... 1,594 155,118,958
Utah................................ 705 256,856,757
Vermont............................. 245 174,974,043
Virgin Islands...................... 45 11,413,475
Washington.......................... 936 167,818,742
Wisconsin........................... 482 73,457,876
Wyoming............................. 54 2,884,622
-----------------------------------
Total........................... 22,816 7,025,841,649
------------------------------------------------------------------------
In addition to complying with the individual access requirements, a
total of 33,087 laboratories in the states and territories that are
affected by the HIPAA notice provisions will need to revise their
notices of privacy practices to reflect the right of individuals to
obtain test reports directly from laboratories (see Table 7). However,
as stated above, we recognize that some laboratories included in these
estimates may not be covered entities under HIPAA and, therefore, would
not be required to provide direct individual access and would not be
required to revise any notices.
Table 7--Number of Laboratories Impacted by the HIPAA Privacy Rule
Requirement to Revise Their Notices of Privacy Practices
------------------------------------------------------------------------
State                                             Number of laboratories
------------------------------------------------------------------------
Alaska................................................. 103
Alabama................................................ 868
Arkansas............................................... 540
Arizona................................................ 581
California............................................. 2,919
Colorado............................................... 499
Connecticut............................................ 379
Florida................................................ 2,462
Georgia................................................ 1,190
Guam................................................... 13
Hawaii................................................. 117
Idaho.................................................. 230
Illinois............................................... 1,053
Indiana................................................ 621
Iowa................................................... 548
Kansas................................................. 438
Kentucky............................................... 710
Louisiana.............................................. 677
Massachusetts.......................................... 693
Maine.................................................. 140
Michigan............................................... 926
Minnesota.............................................. 832
Mississippi............................................ 523
Missouri............................................... 683
Montana................................................ 961
Nebraska............................................... 317
New Mexico............................................. 189
New York............................................... 2,425
North Carolina......................................... 673
North Dakota........................................... 177
Northern Mariana Islands............................... 181
Ohio................................................... 634
Oklahoma............................................... 485
Pennsylvania........................................... 747
Rhode Island........................................... 477
South Carolina......................................... 453
South Dakota........................................... 469
Tennessee.............................................. 2,626
Texas.................................................. 1,594
Utah................................................... 705
Vermont................................................ 245
Virgin Islands......................................... 45
Virginia............................................... 467
Washington............................................. 936
Wisconsin.............................................. 482
Wyoming................................................ 54
----------------
Totals............................................. 33,087
------------------------------------------------------------------------
A. Information Collection Requests (ICRs) Regarding the Development of
Process To Provide Patient Access to Test Reports (Sec. 493.1291)
Under Sec. 493.1291(l), we assume that the development of the
mechanisms to provide patient access to laboratory test reports will be
a one-time burden and that each laboratory will develop its own unique
policies and procedures to address patient access or adopt mechanisms/
procedures developed by consultants or associations representing
laboratories. We assume a one-time burden of 2 to 9 hours to identify
the applicable legal obligations and to develop the processes and
procedures for handling patient requests for access to test reports.
While we provide a range of burden estimates in this final rule, for
purposes of OMB review and approval we will submit burden estimates
based
on 9 hours. We also assume an hourly rate for a management-level
employee to be $50.06 (see Table 1).
The range of costs for laboratories to develop the necessary
processes and procedures for handling patient requests is:
(2 hours x $50.06 per hour x 22,816 laboratories) = $2,284,338
(9 hours x $50.06 per hour x 22,816 laboratories) = $10,279,521
Since this is a one-time burden, the average annual cost over the
3-year OMB approval period, which is the period between approval and
renewal of the information collection by OMB, will range between
$761,446 and $3,426,507.
The ongoing burden associated with responding to test report
requests is dependent upon the total number of test reports that exist
in affected laboratories, the percent of the results that would be
requested, and the cost of producing these reports for those
individuals who ask for direct access.
Laboratory test reports are commonly understood to contain multiple
test results with many laboratory tests being ordered as panels of
tests. Each laboratory may have its own unique test report panels which
may contain anywhere from 1 to 20 individual test results.
Using a range of 10 to 20 test results in a test report, we
estimated the annual number of test reports that may be requested to
be:
(7,025,841,649 tests per year/20 tests per report) = 351,292,082 test
reports/year
(7,025,841,649 tests per year/10 tests per report) = 702,584,165 test
reports/year
We are unaware of any data that would provide a reasonable estimate
for the number of patients who would request test reports from
laboratories if they are available. We solicited public comments on
this issue but did not receive any to inform our estimates. Therefore,
we assume that between 1 in 2,000 patients (0.05 percent) and 1 in 200
patients (0.50 percent) will request direct access to their test
reports.
Using these figures, the range of the number of patient requests
per year will be:
(351,292,082 test reports per year x .0005) = 175,646 patient requests
per year
(702,584,165 test reports per year x .005) = 3,512,921 patient requests
per year
The processing of a patient request for a test report generally
covers steps from actual receipt of the patient's request to the
delivery of the report and documentation of the delivery. Requests for
laboratory results are usually handled by non-managerial or clerical
staff. Due to the lack of data that indicates the amount of time it
takes for staff to process a test report request, we assume a range of
10 minutes (0.17 hours) to 30 minutes (0.5 hours) to handle a request
from start to finish.
We then multiplied this range by the range of the anticipated
number of patient requests to obtain the total annual burden hours:
(175,646 patient requests per year x 0.17 hours) = 29,860
(3,512,921 patient requests per year x 0.5 hours) = 1,756,461
We then multiplied this range by the hourly rate of $30.09 for a
clerical-level employee (see Table 1) to develop the total labor cost
of reporting:
29,860 (total annual burden hours) x $30.09 = $898,487
1,756,461 (total annual burden hours) x $30.09 = $52,851,911
                                     Table 8--Summary of Annual Requirements and Burden Estimates
-----------------------------------------------------------------------------------------------------------------------------------------------------------
Regulation section(s)   OMB Control   Respondents   Responses   Burden per   Total annual   Hourly labor    Total labor     Total capital/   Total cost ($)
                        No.                                     response     burden         cost of         cost of         maintenance
                                                                (hours)      (hours)        reporting ($)   reporting ($)   costs ($)
-----------------------------------------------------------------------------------------------------------------------------------------------------------
42 CFR 493.1291         0938--New     22,816        22,816      9            205,344        50.06           10,279,521      0                10,279,521
42 CFR 493.1291         0938--New     3,512,921     3,512,921   .5           1,756,461      30.09           52,851,911      0                52,851,911
-----------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                 3,535,737     3,535,737                1,961,804                      63,131,432                       63,131,432
-----------------------------------------------------------------------------------------------------------------------------------------------------------
We will exercise our enforcement discretion to allow HIPAA-covered
laboratories to revise their notices only once to reflect the changes
to privacy practices of these entities both resulting from this rule,
as well as the final rule published on January 25, 2013, modifying the
HIPAA Rules, which became effective on March 26, 2013 (78 FR 5566).
Since we accounted for the overall burden to covered health care
providers, including laboratories, of revising notices in the burden
statement accompanying the January 25, 2013, final rule (78 FR 5669),
we do not include estimates of any additional burden in this rule.
If you comment on these information collection and recordkeeping
requirements, please submit your comments to the Office of Information
and Regulatory Affairs, Office of Management and Budget, Attention: CMS
Desk Officer, [CMS-2319-F] Fax: (202) 395-6974; or Email: OIRA_submission@omb.eop.gov.
VII. Regulatory Impact Analysis
A. Overall Impact
We have examined the impacts of this final rule as required by
Executive Order 12866 on Regulatory Planning and Review (September 30,
1993), Executive Order 13563 on Improving Regulation and Regulatory
Review (January 18, 2011), the Regulatory Flexibility Act (RFA)
(September 19, 1980, Pub. L. 96-354), section 1102(b) of the Social
Security Act, section 202 of the Unfunded Mandates Reform Act of 1995
(March 22, 1995; Pub. L. 104-4), Executive Order 13132 on Federalism
(August 4, 1999), and the Congressional Review Act (5 U.S.C. 804(2)).
Executive Orders 13563 and 12866 direct agencies to assess all
costs and benefits of available regulatory alternatives and, if
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety effects, distributive impacts, and equity). Executive
Order 13563 emphasizes the importance of quantifying both costs and
benefits, of reducing costs, of harmonizing rules, and of promoting
flexibility. This final rule has been designated a ``significant
regulatory action'' although not economically significant, under
section 3(f) of Executive Order 12866. Accordingly, the rule has been
reviewed by the Office of Management and Budget.
Laboratories regulated under CLIA that do not currently provide
patients with an opportunity to receive, upon request, a copy of their
laboratory test report (defined in CLIA Sec. 493.1291) are affected by
this final rule. According to the CMS OSCAR database accessed on August
27, 2012, there are 234,756
laboratories in the United States that are subject to CLIA. OSCAR is a
data network maintained by CMS in cooperation with the state surveying
agencies and accrediting organizations that provides a compilation of
all the data elements collected during inspection surveys conducted at
laboratories. Of the total CLIA-certified laboratories identified in
the OSCAR database, we believe approximately 90 percent of these would
not be impacted by the individual access provisions because they
perform testing either under a Certificate of Waiver or Certificate of
Provider Performed Microscopy (PPM) or they are located in states that
already allow the laboratory to provide patient access to test reports,
either directly or with provider approval. Removing the step in which
the provider grants permission to the laboratory should not pose an
additional impact on the laboratory, as we believe these laboratories
already have processes in place to provide patients access to test
reports once that permission is received.
We expect that 22,816 laboratories located in the 39 states and
territories identified in Table 3 as having no state law or a state law
that provides test reports only to the provider will be impacted by the
individual access provisions in this final rule. In addition, we expect
that 33,087 laboratories located in the 46 states and territories
identified in Table 4 as having no state law, a state law that provides
test reports only to the provider, or a state law that permits test
reports to go to patients only with provider approval, will be affected
by the HIPAA requirement to update their notices of privacy practices.
We believe that this final rule does not constitute an economically
significant rule because we estimate the range of overall annual costs
that would be expended by the affected laboratories would be less than
$100 million for 2013.
The RFA requires agencies to analyze options for regulatory relief
of small entities, if a rule has a significant impact on a substantial
number of small entities. For purposes of the RFA, we assume that the
great majority of medical laboratories are small entities, either by
virtue of being nonprofit organizations or by meeting the SBA
definition of a small business by having revenues of less than $13.5
million in any 1 year. We believe at least 83 percent of medical
laboratories qualify as small entities based on their nonprofit status
as reported in the American Hospital Association Fast Fact Sheet
updated June 24, 2010 (https://www.aha.org/aha/resource-center/Statistics-and-Studies/Fast_Facts_Nov_11_2009.pdf).
Other options for regulatory relief of small businesses, as
discussed in section E of this final rule, were determined not to be
feasible and therefore these options were not analyzed for this final
rule. We believe any alternative to allowing the laboratory to provide
patient access to test reports would be counterproductive to the
Department's efforts to provide patient-centered health care. We are
unaware of any instances in which the changes included in this final
rule would affect health care entities operated by small government
jurisdictions.
Section 1102(b) of the Social Security Act also requires us to
prepare a regulatory impact analysis if a rule may have a significant
impact on the operations of a substantial number of small rural
hospitals. This analysis must conform to the provisions of section 604
of the RFA. For purposes of section 1102(b) of the Act, we define a
small rural hospital as a hospital that is located outside of a
metropolitan statistical area and has fewer than 100 beds. We do not
expect this final rule would have a significant impact on small rural
hospitals. The final rule applies only to laboratories. If a small
rural hospital operates a laboratory, we anticipate compliance with
this final rule will require minimal effort as we expect that the
hospital already has procedures in place for responding to individual
access requests for hospital records under the HIPAA Privacy Rule. We
believe that these existing policies and procedures should be easy to
translate for use in direct access requests to hospital-operated
laboratories. Therefore, the Secretary has determined that this final
rule does not have a significant impact on the operations of a
substantial number of small rural hospitals.
Section 202 of the Unfunded Mandates Reform Act of 1995 (UMRA) also
requires that agencies assess anticipated costs and benefits before
issuing any rule whose mandates require spending in any 1 year of $100
million in 1995 dollars, updated annually for inflation. In 2013, that
threshold is approximately $142 million. We do not anticipate this
final rule will impose an unfunded mandate on states, tribal
governments, or the private sector of more than $142 million annually.
Executive Order 13132 establishes certain requirements that an agency
must meet when it promulgates a proposed rule (and subsequent final
rule) that imposes substantial direct requirements and costs on state
and local governments, preempts state law, or otherwise has Federalism
implications.
The changes to the CLIA regulations at Sec. 493.1291 will not have
a substantial direct effect on state and local governments, preempt
state law, or otherwise have a Federalism implication and there is no
change in the distribution of power and responsibilities among the
various levels of government.
The Federalism implications of the Privacy Rule were assessed as
required by Executive Order 13132 and published as part of the preamble
to the final rule on December 28, 2000 (65 FR 82462, 82797). Regarding
preemption, though the changes to the Privacy Rule will preempt a
number of state laws (see Table 4), this preemption of state law is
consistent with the preemption provision of the HIPAA statute. The
preamble to the final Privacy Rule explains that the HIPAA statute
dictates the relationship between state law and Privacy Rule
requirements, and the rule's preemption provisions do not raise
Federalism issues.
We do not believe that this rule will impose substantial direct
compliance costs on state and local governments. We do not believe that
a significant number of laboratories affected by these proposals are
operated by state or local governments. Therefore, the modifications in
these areas will not cause additional costs to state and local
governments.
In considering the principles in and requirements of Executive
Order 13132, the Department has determined that the modifications to
the Privacy Rule will not significantly affect the rights, roles and
responsibilities of the states.
B. Anticipated Effects
The current CLIA regulations and related laws of the states and
territories pose potential barriers to the laboratory exchange of
health care information (test reports) directly with the patient. These
regulatory changes will amend Sec. 493.1291(f) and add Sec.
493.1291(l) to the CLIA regulations and also amend Sec. 164.524 of the
Privacy Rule. These changes are being made in support of the
Department's efforts toward achieving patient-centered and health IT-
enabled health care and would allow patients direct access to their
laboratory test reports from a laboratory.
The changes providing for individual access will impact
laboratories in 39 states and territories (Table 3) where state law
does not permit the laboratory to provide test reports directly to the
patient. These changes do not impact the laboratories in the remaining
16
states and territories where the laboratory is allowed to provide the
test report to the patient either directly or after provider approval.
However, laboratories in 46 states and territories (Table 4) where
state law does not permit the laboratory to provide test reports
directly to the patient or permits direct access only after provider
approval, will be impacted by the requirement to update their HIPAA
notice of privacy practices to reflect individuals' new access rights
under this final rule.
C. Costs
Although data are not available to calculate the estimated costs
and benefits that will result from these changes, we are providing an
analysis of the potential impact based upon available information and
certain assumptions. These regulatory changes are anticipated to have
the following associated costs and benefits:
The impacted laboratories may require additional resources
to ensure patients receive test reports when requested.
Patients will benefit from having direct access to their
laboratory test results. (See section D below).
1. Quantifiable Impacts
Laboratories that are issued a CLIA Certificate of Compliance or
Certificate of Accreditation in the 39 states and territories
identified in Table 3 will be required to provide patients with a copy
of their test report upon request. The OSCAR database includes 22,816
laboratories in the 39 states and territories that will be impacted and
the corresponding number of annual tests in these laboratories is
approximately 7 billion as shown in Table 6. Data are not available for
estimating the number of test results reported per test report.
However, the majority of test reports contain multiple test results.
Tests are frequently ordered as panels of individual tests. For
example, according to 2008 CMS reimbursement data, three of the four
most frequently ordered tests in the Medicare outpatient setting are
panels of multiple individual tests, some of which may contain up to 20
tests. As part of a medical encounter, frequently more than one panel
is ordered per patient, and a test report could contain a large number
of individual test results. Therefore, for the purposes of this
analysis, an assumed range of 10 to 20 is used to represent the average
number of test results per test report. Applying this range to the
total number of annual tests (7,025,841,649) from Table 6, the
estimated number of total annual test reports ranges from a low of
351,292,082 to a high of 702,584,165.
For the purposes of this analysis, we assume that many patients
will still prefer to obtain their laboratory result information from
their health care provider, who will also be able to provide
interpretation of the test results, and thus an assumed range from 1
in 2,000 (0.05 percent) to 1 in 200 (0.50 percent) is used to represent
the proportion of test reports requested. Applying this range to the
number of estimated annual test reports (351,292,082 to 702,584,165)
yields an estimated annual number of patient requests ranging from
175,646 to 3,512,921.
Processing a request for a test report, either manually or
electronically, will require completion of the following steps: (1)
Receipt of the request from the individual; (2) authentication of the
identification of the individual; (3) retrieval of test reports; (4)
verification of how and where the individual wants the test report to
be delivered and provision of the report by mail, fax, email or other
electronic means; and (5) documentation of test report issuance. We
estimate the total time to process each test report request to be in
the range of 10 minutes (0.17 hours) to 30 minutes (0.5 hours). This
estimate for a range of total time includes estimates for a range of
time for each of the five steps listed above. The time needed to
complete each step is dependent on the capabilities of the laboratory,
such as whether manual or automated processes are available, and the
desired method of communication of test reports to the individual
patient as listed in step four. We multiplied the range for the number
of patient requests, 175,646 to 3,512,921, by 0.17 hours and 0.5 hours
to determine the total number of hours for processing the test reports
to be in the range of 29,860 to 1,756,461. The estimated annual cost
to process all test report requests in 2013 ranges from $898,487 to
$52,851,911.
The analysis also assumed each of the estimated 22,816 laboratories
to be impacted by individual access provisions of this rule (Table 6)
will need to develop and implement a policy and process to receive and
respond to patient requests as discussed above. To estimate the
initial, one-time development cost, it is assumed to require laboratory
management staff time ranging from a low of 2 hours to a high of 9
hours per laboratory. To convert the number of hours to an estimated
cost per laboratory, we applied the rate of $50.06 (see Table 1) to the
assumed 2 to 9 hour time range, which yields an estimated cost per
laboratory ranging from $100.12 to $450.54. Applied to the estimated
22,816 laboratories impacted, this results in a total estimated one-time
development cost ranging from $2,284,338 to $10,279,521.
Table 9 shows the total estimated range of annual costs for the
change in undiscounted 2013 dollars and discounted at 3 percent and 7
percent to translate expected benefits or costs in any given future
year into present value terms. To calculate the total estimated costs
in 2013, we added the cost to develop the necessary policies and
processes (which would only be applicable in the first year) and the
cost of responding to test report requests. These costs total between
$3 million and $63 million for 2013 to provide patients with access to
their laboratory test reports. As subsequent years will only entail the
costs associated with processing requests, we simply took the 2013
values for the cost of responding to test reports and applied the same
inflation factor used in Table 1 for the hourly rate calculations. The
resulting values can be found in Table 9.
Table 9--Total Estimated Annual Costs of Patient Test Report Requests
[Policy development and processing for the patient access]
----------------------------------------------------------------------------------------------------------------
Year      Undiscounted (Base year: 2013 $)    Discounted at 3%                    Discounted at 7%
          Low             High                Low             High                Low             High
----------------------------------------------------------------------------------------------------------------
2013      $3,182,819      $63,131,432         $3,090,115      $61,292,652         $2,974,597      $59,001,338
2014      932,243         55,934,563          878,728         52,723,690          814,257         48,855,414
2015      959,045         57,542,682          877,662         52,659,705          782,866         46,971,969
2016      986,617         59,197,034          876,597         52,595,798          752,686         45,161,134
2017      1,014,982       60,898,949          875,533         52,531,968          723,668         43,420,109
----------------------------------------------------------------------------------------------------------------
Laboratories will be able to offset some of these costs pursuant to
Sec. 164.524(c)(4) of the HIPAA Privacy Rule, which permits covered
entities to impose on the individual a reasonable, cost-based fee for
providing access to their health information, including the cost of
supplies for and labor of copying the requested information.
As we explain above, with respect to notices of privacy practices,
we are exercising our enforcement discretion to allow HIPAA-covered
laboratories to revise their notices only once to reflect the changes
to privacy practices of these entities both resulting from this rule,
as well as the final rule published on January 25, 2013, modifying the
HIPAA Rules, which became effective on March 26, 2013 (78 FR 5566).
Since we accounted for the overall costs to covered health care
providers, including laboratories, of revising and reprinting notices
in the impact statement accompanying the January 25, 2013, final rule
(78 FR 5669), we do not include here any estimates of additional costs
to revise and print notices.
Therefore, we estimate the cost to provide patients with access to
their laboratory test reports to be between $3 million and
$63 million for 2013.
2. Non-Quantifiable Impacts
The burden in this final rule would be primarily on laboratories to
provide the laboratory test reports when requested by the patient;
however, there may be some non-quantifiable impacts on the health care
provider's office. If the patient does not know where the provider sent
the test request, the provider may need to provide laboratory contact
information to the patient so he or she may request the test report. We
assume that notification of the laboratory name and contact information
could be provided in as little as 30 seconds; however, there are no data
to confirm this, and we did not receive comments on the issue. We also
note that since the provider may need to provide an interpretation of
the test results, the provider may give the patient a copy of the test
report rather than referring the patient to the laboratory for the
information. The time cost to patients of new interactions with
laboratories is a further impact of the rule that has not been
quantified.
D. Benefits
Although we cannot quantify the impact on patients, we believe that
it will be positive in light of findings from studies that focused on
patient receipt of test results from the provider. We found several
studies where greater than 90 percent of patients stated they preferred
being notified of all test results, both normal and abnormal (1.
Baldwin DM, Quintela J, Duclos C, et al. Patient Preferences for
Notification of Normal Laboratory Test Results: A Report from the ASIPS
Collaborative. BMC Fam Practice 2005; 6:11; 2. Boohaver EA, Ward RE,
Uman JE et al. Patient Notification and Follow-up of Abnormal Test
Results. Arch Intern Med 1996; 327-331; 3. Grimes GC, Reis MD, Gokul B,
et al. Patient Preferences and Physician Practices for Laboratory Test
Result Notification. JABFM 2009:22:6:670-676; and 4. Meza JP and
Webster DS. Patient Preferences for Laboratory Test Result
Notification. Am J Manag Care 2000; 6:1297-300). These same studies
reported, for both the health care provider and patient, the preferred
method for receiving normal test results was the U.S. mail, and direct
phone contact from the provider was the preferred method for abnormal
test results. These preferences may have changed in the last 5 years
given the increase in the use of electronic communications. Advantages
reported in these studies for the patient having direct access to the
test report include reduced workload for the health care provider's
office, reduced chance of a patient not being informed of a laboratory
test result, and reduced numbers of patients who fail to seek
appropriate medical care. Additionally, we expect significant benefits
to flow to patients as a result of increased access to their laboratory
test results. Commenters to this final rule describe these benefits as
including increased patient participation in treatment programs, such
as those that involve monitoring of chronic diseases, and the ability
of patients to identify and treat health risks sooner and more
effectively.
E. Alternatives Considered
The changes to the CLIA regulations and the HIPAA Privacy Rule are
in support of the Department's efforts toward achieving patient-
centered health care. Several alternatives were considered before
selecting the approach in this final rule to provide access to
laboratory test reports upon a patient's request. One alternative would
have been to leave the regulations as written without making any
changes. However, this option would leave in place the restrictions on
patients' direct access to their laboratory test results and would
therefore impede the goal of promoting patient-centered health care.
Another alternative would have been to revise the definition of
``authorized person'' under CLIA to specifically include a patient as
an authorized person. This alternative was not considered feasible
because the definition of ``authorized person'' in the CLIA regulations
also permits individuals to order tests, and it defers to state law for
authorization. A last alternative considered would have been to require
the laboratory to automatically provide each test report directly to
each patient rather than the permissive approach to provide patients
access to their reports upon request. However, this alternative would
have had the potential of significantly increasing the cost for
laboratories since 100 percent of the 350 million to 703 million test
reports issued annually would need to be provided to the patients.
F. Accounting Statement and Table
We have prepared the following accounting statement showing the
classification of the expenditures associated with the provisions of
this final rule.
----------------------------------------------------------------------------------------------------------------
Category                                          Primary   Minimum      Maximum       Source citation
                                                  estimate  estimate     estimate      (RIA, preamble, etc.)
----------------------------------------------------------------------------------------------------------------
BENEFITS:
  Monetized benefits                              n/a       n/a          n/a           RIA Section C2
  Annualized qualified, but unmonetized, benefits n/a       n/a          n/a           RIA Section C2
  (Unqualified benefits)                          n/a       n/a          n/a           RIA Section C2
COSTS:
  Monetized costs (2012 $):
    Patient access provisions 2013                n/a       $3,182,819   $63,131,432   RIA Sec C1 (Table 7)
    Patient access provisions 2014                n/a       $932,243     $55,934,563   RIA Sec C1 (Table 7)
    Patient access provisions 2015                n/a       $959,045     $57,542,682   RIA Sec C1 (Table 7)
    Patient access provisions 2016                n/a       $986,617     $59,197,034   RIA Sec C1 (Table 7)
    Patient access provisions 2017                n/a       $1,014,982   $60,898,949   RIA Sec C1 (Table 7)
  Annualized quantified, but unmonetized, benefits n/a      n/a          n/a
  Qualitative (unquantified) costs                n/a       n/a          n/a           RIA Section C2
TRANSFERS:
  Annualized monetized transfers: ``on budget''   n/a       n/a          n/a
    From whom to whom?                            n/a       n/a          n/a
  Annualized monetized transfers: ``off-budget''  n/a       n/a          n/a
    From whom to whom?                            n/a       n/a          n/a
----------------------------------------------------------------------------------------------------------------
Category                                          Effects                              Source citation
                                                                                       (RIA, preamble, etc.)
----------------------------------------------------------------------------------------------------------------
Effects on State, local, and/or tribal            n/a       n/a          n/a           RIA Sec A (Table 4)
  governments
Effects on small businesses                       n/a       n/a          n/a           RIA Section A
Effects on wages                                  n/a       n/a          n/a
Effects on growth                                 n/a       n/a          n/a
----------------------------------------------------------------------------------------------------------------
G. Conclusion
We estimated the cost to laboratories to provide patients with a
copy of their test reports upon request and determined it would cost
between $3 million and $63 million in 2013. These costs will diminish
in subsequent years. In addition, laboratory provision of test reports
to patients may provide information that could benefit the patient by
reducing the chance of the patient not being informed of a laboratory
test result, reducing the number of patients lost to follow-up, and
benefiting health care providers by reducing their workload in
providing laboratory test reports. Finally, as we explain above, to
avoid HIPAA-covered laboratories having to modify their notices twice
within the same year to comply with both the January 25, 2013, final
rule and this rule, we will exercise our enforcement discretion to
allow CLIA laboratories (including CLIA-exempt laboratories) that are
HIPAA covered entities to take until the compliance date of this final
rule to revise their notices to reflect both sets of modifications. See
https://www.hhs.gov/ocr/privacy/hipaa/enforcement/clia-labs.html.
Therefore, CLIA and CLIA-exempt laboratories that are HIPAA covered
entities need only update their notices once to comply with both rules.
In accordance with the provisions of Executive Order 12866, this
regulation was reviewed by the Office of Management and Budget.
VIII. Analysis of and Responses to Public Comments on the Paperwork
Reduction and Regulatory Impact Analysis
We have provided an analysis of the potential impact of this final
rule, based upon available information and certain assumptions. We have
prepared the Paperwork Reduction Act and the Regulatory Impact Analysis
representing the costs and benefits of the final rule based on analysis
of identified variables and data sources needed for this change. We
requested that commenters provide any additional data that would assist
us in the analysis of the potential impact of this regulation on CLIA
certified laboratories but we did not receive any additional data.
Therefore, based on our analysis and assessment of the overall
annual costs to the laboratories affected by this final rule, we are
finalizing the provisions as set forth in the proposed rule. The
comments we received on this provision and our responses are set forth
below.
Comment: We received several comments from organizations and
individuals suggesting the implementation and operations cost estimate
provided in the regulatory impact analysis (that is, for the laboratory
to receive the request, authenticate the requestor is allowed to have
access to the test report, process the request and provide the test
report) was too low. Some suggested there were other factors that were
not considered in the proposed rule's RIA, such as costs for training
staff to provide the reports in a compliant manner, verification that
the information was received, and for providing an explanation or
summary of results, which may require higher level staff than those at
a clerical level. Some recommended we review the anticipated cost
structure and contact several laboratories to request best estimates.
One organization recommended that we permit laboratories to charge a
standard fee between $10 to $15 per test report issued to cover overall
administrative costs, which would be in addition to the actual cost of
the supplies used to provide the test report to the patient or personal
representative or, if applicable, a third party designated by the
individual.
Response: Our cost estimate was based on assumptions from internal
discussions and consultation with two laboratories that provide test
reports directly to patients. Although the proposed rule solicited
comments and additional data from laboratories that already provide
test reports directly to the patient, we did not receive any data to
support adjusting the estimates provided in the proposed rule;
therefore, we are not adjusting those estimates in this final rule and
acknowledge that they may not reflect costs for every laboratory
setting. We appreciate the commenter's suggestion about staff training
costs; however, we believe that there is no need to include additional
costs for training staff to provide the reports in a HIPAA Privacy Rule
compliant manner since training
cost was part of our original estimate for developing and implementing
a policy and process.
In addition, the HIPAA Privacy Rule permits covered entities to
charge a reasonable cost-based fee to provide individuals with copies
of their protected health information. The fee may include only the
cost of copying (including supplies and labor) and postage, if the
individual requests that the copy be mailed. If the individual (or
individual's personal representative) has agreed to receive a summary
or explanation of his or her protected health information, the covered
entity may also charge a reasonable, cost-based fee for preparation of
the summary or explanation. The fee may not include costs associated
with searching for and retrieving the requested information, nor does
the HIPAA Privacy Rule permit charging a standard fee; therefore, this
final rule does not permit laboratories to charge these fees. The fees
permitted to be charged to individuals under the HIPAA Privacy Rule are
discussed more fully above in section VII.
Comment: We received a few comments that smaller, rural hospitals,
particularly Critical Access Hospitals (CAHs), may face financial
constraints that would make compliance with this requirement
challenging.
Response: The impacts discussed in the preamble affect only those
laboratories that currently do not provide patients with access to
their health information. Since most hospitals are HIPAA covered
entities, they are required already to provide individuals with access
to the protected health information in their designated record sets,
including laboratory test results, in accordance with Sec. 164.524 of
the HIPAA Privacy Rule. As discussed above, laboratories that operate
as part of a legal entity that is a hospital or that are part of an
affiliated covered entity or organized health care arrangement with the
hospital (see the definition of ``organized health care arrangement''
in the HIPAA Rules at Sec. 160.103, and the provisions for affiliated
covered entities at Sec. 164.105(b)), may continue to utilize the
hospital's already established mechanisms for providing access to the
individuals requesting their test reports from the hospital
laboratories, provided that the established mechanisms are compliant
with the access provisions of the HIPAA Privacy Rule.
Comment: Several commenters asked why we used test volume data that
was self-reported rather than validated Part B claims or actual claims.
Other commenters asked why we did not analyze the cost of providing
access to completed test reports to Medicare fee-for-service
beneficiaries in states that already allow laboratories to provide a
copy of test results to the patient.
Response: We used data from the CMS OSCAR database for our
estimates. The OSCAR database is not limited to Medicare-reimbursed
tests only, but also includes testing totals for laboratory tests
reimbursed by private payers and those that are not reimbursed. Test
volume is self-reported by laboratories and validated by CMS surveyors
during laboratory inspections. This data is more accurate for
estimating the impact of these changes. We requested comments from
laboratories that are currently providing test reports to the patient.
We did not receive any comments that would support adjusting the
estimates provided in the proposed rule; therefore, we conclude that
these estimates are sufficiently accurate and have retained those
estimates in this final rule.
Comment: We received several comments disagreeing with the time
estimate of 2 to 9 hours for laboratories to identify the applicable
legal obligations and develop processes or procedures to handle the
patient requests for access to test reports. One commenter stated that
his institution had reported spending several hours in meetings between
administration, laboratory management, and legal counsel examining
procedural options and the risks of each procedure. Other commenters
stated that it would not be possible for the information technology/
data privacy teams to meet this requirement in the allotted timeframe
for implementation. Several commenters suggested some laboratories may
need to develop policies related to sensitive issues, such as minors
and parent/guardian access or release of the results of drug testing
that might have an impact on the laboratory's liability insurance
costs. Other comments stated that the policy development would not be a
one-time charge since laboratories would need to monitor all new state
and federal regulations related to the disclosure of protected health
information.
Response: Our cost estimate was based on assumptions from internal
discussions and consultation with two laboratories that provide test
reports directly to patients. Although the proposed rule solicited
comments and additional data from laboratories that already provide
test reports directly to the patient, we did not receive any data to
support adjusting the estimates provided in the proposed rule. We
acknowledge that these estimates may not reflect costs for every
laboratory setting. However, in the absence of data to support changing
our estimate, we are not adjusting those estimates in this final rule.
Laboratories may be able to learn from those in the 16 states that
allow the laboratory to provide a copy of the test results to the
patient and from larger reference laboratories that have already
developed policies to accommodate requests received from patients that
receive testing in these 16 states. The HHS Office for Civil Rights,
which administers and enforces the HIPAA Privacy Rule, provides
guidance on its Web site and through other sources on many compliance
issues, including regarding disclosure of information on minors. See
https://www.hhs.gov/ocr/privacy/ for more information. This may be a new
requirement for laboratories, but other HIPAA covered entities have,
for quite some time, followed the requirements in Sec. 164.524 of the
HIPAA Privacy Rule when providing protected health information.
Comment: We received comments from organizations that supported the
proposed change, but noted it would be impossible to know how many
individuals would request their test reports. Other comments suggested
the laboratory could receive a barrage of requests. One comment said
our estimates of 0.05 percent to 0.5 percent of patients requesting
their test report from the laboratory fall short of what is needed to
meet the Department's goal of patient engagement to ensure the provider
receives and acts on the test results. The commenters suggested that
under the health care transformation that is taking place, the patient
could be provided a digitally signed copy of the laboratory report in
his or her electronic patient health record (EHR) at the same time and
in the same format as the laboratory report provided electronically to
the requesting health care provider's electronic health record.
Patients would only need to give the requesting provider the repository
identifier for their personally controlled health record for inclusion
with the laboratory test order.
Response: We agree that it is difficult to know how many
individuals will request their test report from covered entity
laboratories. However, we received several comments indicating that the
preferred method for a patient to receive laboratory test results is
the same procedure as currently practiced; that is, the health care
provider's office notifies the patient of the results on the same day
the results are received from the laboratory. This procedure allows the
patient to ask the health care provider's office for interpretation of
the laboratory test report in concert with
results of other procedures, as well as provides an opportunity to
discuss any needed treatment or follow-up. Allowing patients to request
and receive laboratory test reports directly from the laboratory will
provide an additional route for them to receive the test report.
However, this will not replace the current procedure. If the ordering
physician does not contact the patient with critical or significant
laboratory test results, patients may prompt the physician's office to
find and act on the test results. The rate of apparent failures to
inform or document informing the patient of abnormal test results
ranges from 0 percent to 26.2 percent [Casalino LP, Dunham D, Chin MH,
et al. Frequency of Failure to Inform Patients of Clinically
Significant Outpatient Test Results. Arch Intern Med. 2009;
169(12):1123-1129]. When patients have their laboratory test results,
they are more likely to ask appropriate questions of their health care
provider and more fully participate in making better decisions that
lead to better care. The regulations promulgated pursuant to the HITECH
Act, particularly for Meaningful Use and Certification of EHRs,
encourage patient access to comprehensive patient data through robust
patient-centered health information exchange. Technology is currently
being tested to allow patients the ability to retrieve personal health
data directly from secured health records. We agree with the comment
about electronic health records in that a request for access for
protected health information to either the health care provider or the
laboratory may be replaced with this technology as it becomes more
readily available.
List of Subjects
42 CFR Part 493
Administrative practice and procedure, Grant programs-health,
Health facilities, Laboratories, Medicaid, Medicare, Penalties,
Reporting and recordkeeping requirements.
45 CFR Part 164
Administrative practice and procedure, Computer technology,
Electronic information system, Electronic transactions, Employer
benefit plan, Health, Health care, Health facilities, Health insurance,
Health records, Hospitals, Medicaid, Medical research, Medicare,
Privacy, Reporting and recordkeeping requirements, Security.
For the reasons set forth in the preamble, the Centers for Medicare
& Medicaid Services amends 42 CFR part 493 as set forth below:
PART 493--LABORATORY REQUIREMENTS
1. The authority citation for part 493 continues to read as follows:
Authority: Section 353 of the Public Health Service Act, secs.
1102, 1861(e), the sentence following sections 1861(s)(11) through
1861(16) of the Social Security Act (42 U.S.C. 263a, 1302, 1395x(e),
the sentence following 1395x(s)(11) through 1395x(s)(16)).
Subpart K--Quality System for Nonwaived Testing
2. Section 493.1291 is amended by--
A. Revising paragraph (f).
B. Adding a new paragraph (l).
The revision and addition read as follows:
Sec. 493.1291 Standard: Test report.
* * * * *
(f) Except as provided in Sec. 493.1291(l), test results must be
released only to authorized persons and, if applicable, the persons
responsible for using the test results and the laboratory that
initially requested the test.
* * * * *
(l) Upon request by a patient (or the patient's personal
representative), the laboratory may provide patients, their personal
representatives, and those persons specified under 45 CFR
164.524(c)(3)(ii), as applicable, with access to completed test reports
that, using the laboratory's authentication process, can be identified
as belonging to that patient.
For the reasons set forth in the preamble, the Department of Health
and Human Services amends 45 CFR Subtitle A, Subchapter C, part 164, as
set forth below:
PART 164--SECURITY AND PRIVACY
1. The authority citation for part 164 continues to read as follows:
Authority: 42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-9; sec. 264,
Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2(note)); and
secs. 13400-13424, Pub. L. 111-5, 123 Stat. 258-279.
2. Section 164.524 is amended by revising paragraphs (a)(1)(i) and (ii)
and removing paragraph (a)(1)(iii) to read as follows:
Sec. 164.524 Access of individuals to protected health information.
(a) * * *
(1) * * *
(i) Psychotherapy notes; and
(ii) Information compiled in reasonable anticipation of, or for use
in, a civil, criminal, or administrative action or proceeding.
* * * * *
Dated: August 16, 2013.
Thomas R. Frieden,
Director, Centers for Disease Control and Prevention, Administrator,
Agency for Toxic Substances and Disease Registry.
Dated: August 19, 2013.
Marilyn Tavenner,
Administrator, Centers for Medicare & Medicaid Services.
Dated: August 19, 2013.
Leon Rodriguez,
Director, Office for Civil Rights.
Dated: August 27, 2013.
Kathleen Sebelius,
Secretary, Department of Health and Human Services.
Editorial Note: This document was received at the Office of the
Federal Register on January 30, 2014.
[FR Doc. 2014-02280 Filed 2-3-14; 11:15 am]
BILLING CODE 4120-01-P