Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.
Laboratory reports are integral to a medical record and a patient's care. Therefore, this is one area that practices should look at carefully.
On Feb. 3, 2014, two divisions of the U.S. Department of Health and Human Services ("HHS") â the Centers for Medicare and Medicaid Services ("CMS") and the Centers for Disease Control and Prevention ("CDC") â issued a final rule, which gives patients and their authorized personal representatives direct access to laboratory tests. (79 Fed. Reg. 7290 (Feb. 3, 2014)). The new rule amends two laws: the Clinical Laboratory Improvement Amendments of 1988 ("CLIA"), and the Health Insurance Portability and Accountability Act ("HIPAA"). The new rule becomes effective on April 7, 2014 and gives laboratories until Oct. 6, 2014 to become compliant.
Prior to this final rule, there was an exception the HIPAA Privacy Rules related to access to laboratory results. Instead of addressing it outright, HIPAA referenced the CLIA provisions. Additionally, some states allowed direct access, while other did not. Now, the privacy rule exception to requesting laboratory results directly from the lab has been lifted in all circumstances. Furthermore, these amendments expressly preempt any conflicting state laws, rendering the federal provisions supreme.
For laboratories and physicians offices, this means re-evaluating policies, procedures, and forms. Moreover, employers should look at drug screening policies, contracts with laboratories, and authorization forms. For entities performing HIPAA risk assessments and risk analyses, this is one area that should not be overlooked. Ostensibly, a laboratory falls under the category of a covered entity. But, a covered entity may also be the business associate of another covered entity. It is crucial to examine both parties' HIPAA compliance and make sure that the requisite privacy practices reflect these changes. This is also an area that may be included in a Business Associate Agreement in relation to who provides the medical record in this instance. Laboratory reports are integral to a medical record and, in turn, a patient's care. Therefore, this is one area that should not be overlooked.