Patient Privacy Laws Create Legal Risk for Labs

Laboratories must comply with a patchwork of federal and state requirements for patient privacy

CEO SUMMARY: Before the nation’s healthcare system can achieve the integrated universal EHR, it must fix the crazy contradictions in state and federal laws governing patient privacy. There is discordance between federal law and state law that defines the role and responsibility of the clinical laboratory which performs a laboratory test and reports those results to the referring physician. The federal Centers for Medicare and Medicaid Services (CMS) did publish revised language this March, but more needs to be done.

FOR THE CLINICAL LAB INDUSTRY, the road to the universal health record (EHR) is loaded with plenty of patient privacy potholes and detours. Blame it on the patchwork of federal and state laws enacted when lab test reports were generally printed on paper and delivered to doctors by courier or by fax.

Clinical laboratories and pathology groups are all too familiar with the consequences of breaching patient privacy. Laboratory test results often represent highly sensitive information about the patient’s health. For that reason, laboratories are diligent in their compliance with patient privacy mandates.

However, increasingly, laboratories find themselves in a Catch 22 situation when they are asked to support electronic medical record (EMR) systems and health information exchanges (HIEs). When it comes to reporting a patient’s laboratory test results to the referring physicians, clinical laboratories generally have clear, well-defined protocols.

However, existing federal and state laws create thorny problems for clinical labs when they are asked to pass patient lab test data to EMRs and HIEs. Existing laws create situations where laboratories may have legal liability should a patient privacy violation occur within these EMRs and HIEs, even though the labs no longer have control over who views this laboratory data.

Within the laboratory testing profession, efforts are under way to fix the legal jeopardy created by the existing patchwork of federal and state patient privacy laws. For example, the American Clinical Laboratory Association (ACLA) is actively lobbying for reforms in two areas.

Two Proposed Amendments

Both proposed reforms would change existing language in the Clinical Laboratory Improvement Act (CLIA). One amendment would allow more consistent and reasonable rules about the release of laboratory test results. The second amendment would limit the laboratory’s responsibility in how lab test data is displayed by end users.

The first proposed amendment deals with the ability of clinical laboratories to release historical lab test data to health information networks for treatment purposes or for peer-to-peer release for sec- ondary uses.

These secondary uses of laboratory test data include: 1) transmission to health plans for quality improvement efforts; 2) case management; 3) patient safety; and/or, 4) pay-for-performance initiatives. Currently, some state laws allow these uses of laboratory test data, even as other states make it illegal without individual patient or provider permission.

This state-by-state variation is due to CLIA. While access to most individual health information is governed by federal regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, release of data from clinical laboratories falls under the purview of CLIA. And because CLIA— which predates HIPAA—defers to state law in defining who has access to laboratory test data, privacy rules often change according to the geography of the clinical laboratory and the providers that it serves.

“This CMS guidance now allows the provider who orders the laboratory test to designate on the requisition other persons who are authorized to receive the lab test results.”

This problem becomes immense when it involves HIEs, for example. In testimony before the HIT Policy Committee Information Exchange Workgroup in October of last year, Don Horton, Vice President of Public Policy and Advocacy for Laboratory Corporation of America observed that “While obtaining authorization may not be difficult with respect to a single lab test result to be sent, for example, to a non-ordering treating provider, it is far more difficult in the context of making millions of historical test results available for health information networks.”

“It’s important to recognize that laws governing labs at the state level were not promulgated to protect patient privacy,” stated Joy Pritts, J.D., who is Chief Privacy Officer for the Office of the National Coordinator for Health Information Technology (ONC). ONC is part of the Department of Health and Human Services (HHS).

Now At The ONC

Prior to joining ONC, Pritts was on the faculty at Georgetown University where she held a joint appointment as a Senior Scholar with the O’Neill Institute for National and Global Health Law and as a research associate professor with the Health Policy Institute. Her work has focused on the privacy of health information and patient access to medical records at both the federal and state levels.

“State laws focus on patient safety and ensure that providers work within their scope of practice,” noted Pritts, who gave the example of how, in some states, laws governing licensure of chiropractors might prohibit them from receiving laboratory test results.

Differences In State Laws

CLIA allows release of laboratory test results only to an “authorized person” (a term which CLIA allows individual states to define) or to a “person responsible for using the results” (a term that CLIA does not define). Thus, state-by-state, there are varying interpretations of who can receive a patient’s laboratory test data.

“In response to the testimony given in the October hearing, CMS issued new guidance in March of this year as to whom lab data could be released,” explained Pritts. “This CMS guidance now allows the provider who orders the laboratory test to designate on the requisition other persons who are authorized to receive the lab test results.

“There was another helpful change,” she added. “CMS guidance also clarified that the laboratory may release test results to the patient—as long as state law does not expressly forbid it. Under this guidance, the patient is defined as a person who is responsible for using the test results. Also, CMS guidance did not change current references in state laws.”

CMS’s new guidance did not address the issue of how clinical laboratories release laboratory test data to health information networks. Experts say that existing laws and requirements will continue to be a major barrier to sharing of laboratory test data and the creation of a universal electronic health record.

When asked if HHS was considering any action on this aspect of sharing of laboratory test data, Pritts chose her words very carefully, saying, “Clinical laboratories continue to raise this issue with HHS, and HHS continues to listen to labs and other parties and is taking their concerns under consideration.”

Final Report Destination

The second area about which ACLA and other laboratory groups seek action from HHS has to do with the responsibility of clinical laboratories for accurate and timely test reporting to “the final report destination.” Currently, data transmitted by laboratories to electronic health record (EHR) interfaces can be reformatted however the EHR vendor chooses.

However, under current CLIA regulations, the lab retains responsibility for the end product—how the report of the patient’s laboratory test results is presented within the provider’s EHR system. This legal situation exists despite the fact that the clinical laboratory has no way of knowing how the EHR vendor manipulates the data or even the location of the final report destination.

LabCorp’s Horton addressed this dilemma in his testimony last October before the HIT Policy Committee Information Exchange Workgroup. “In the current electronic health information exchange environment, ‘the final report destination’ has become a virtually meaningless term,” he stated.

Existing Requirements

ACLA’s proposed reform centers around changing existing requirements so that the clinical laboratory’s responsibility ends “once the result is provided to the ordering provider’s EHR, or to the system of another permitted intended recipient, or to an intermediary contractually obligated to send the result to the intended destination,” explained Horton.

It is important for pathologists and clinical laboratory administrators to be aware of how state and federal laws governing patient privacy and lab test reporting are in conflict with federal efforts to bring about a universal electronic health record. It is a situation where the different federal and state patient privacy requirements involving the reporting of laboratory test results create added legal risks for clinical laboratories and anatomic pathology groups.

This confusing mix of conflicting reporting standards and patient privacy requirements shows how rapid and ongoing advances in information technology are outrunning the ability of health policy experts and elected officials to keep pace.

Need To Enact Reforms

There is a clear need for federal and state health officials and elected representatives to enact needed reforms to the existing patchwork of requirements for patient privacy and lab test results reporting. Until such reforms are put into place, all clinical laboratories and pathology groups will need to be diligent in their efforts to comply with existing state and federal patient privacy mandates.


Leave a Reply


You are reading premium content from The Dark Report, your primary resource for running an efficient and profitable laboratory.

Get Unlimited Access to The Dark Report absolutely FREE!

You have read 0 of 1 of your complimentary articles this month

Privacy Policy: We will never share your personal information.