Health Information Compliance Alert

Clinical Labs:

CLINICAL LABS POSE UNIQUE HIPAA COMPLIANCE CHALLENGES

Clinical laboratories serve an unusual role in the health care system: in many cases they provide services without actually interacting with patients, and many labs may even now be unsure about where they stand when it comes to Health Insurance Portability and Accountability Act privacy compliance. It turns out that small provisions of the rule make all the difference, although recent proposed revisions could complicate matters for labs.

To stay on track to HIPAA compliance, clinical labs should start by undertaking these three key steps, HIPAA experts advise:

1. Know your provider type. Of course, labs are covered entities under the rule because they are considered health care providers, notes Stephen Weiser, an attorney with Michael Best & Friedrich in Chicago. For labs, though, a further distinction may be necessary. Experts disagree about whether a laboratory may fall under the definition of "direct treatment provider," or whether it can be considered an "indirect treatment provider."

This small distinction could make a big difference if the Department of Health and Human Services decides to adopt revisions to the privacy rule proposed March 27.

A lab that interacts directly with patients should read HIPAA's definitions carefully and talk with its attorney in detail to determine if it's a direct treatment provider. If a lab never sees patients, then it likely falls squarely within the definition of an indirect treatment provider.

The number of laboratories that may qualify as direct treatment providers is very small, says Boston attorney Steve Bernstein with McDermott Will & Emery.

The recent privacy rule revisions propose dropping the original rule's patient consent provision. But if the revisions don't become final, direct treatment providers will still need to obtain consent. Indirect treatment providers are not required to obtain consent under any version of the rule.

All covered entities must have a notice of privacy practice under HIPAA, but indirect treatment providers are only required to provide that to patients upon request, instructs Bernstein.

2. Sort out what the lab must and must not tell a patient. Clinical labs may find themselves caught in a tangle of federal and state laws and regulations as they sort out their obligations under the HIPAA privacy rule.

That's because the privacy rule clearly states that the Clinical Laboratory Improvement Amendments preempt HIPAA when it comes to patient access to medical records, Weiser determines.

Covered entities other than laboratories must give patients access to their medical records, allow them to make copies, and allow them to request changes to the records.

HIPAA, though, acknowledges that CLIA instructs laboratories only to deliver test results to authorized persons as defined by state law. Federal regulators conceded that laboratories should continue to follow CLIA when it comes to patient access to test results.

Depending on the state and the test, laboratories may report results to a myriad of individuals, including the patient, or they may be allowed to report the results only to the individual who ordered the test. The good news is HIPAA privacy won't mean anything new for laboratories when it comes to opening their records to patients.

Laboratories, though, must still provide patients with an accounting of protected health information (PHI) disclosures for purposes other than treatment, payment and health care operations (TPO), concludes Weiser. If the lab is disclosing results to someone other than a physician, it must have a way of tracking and accounting for those disclosures, he counsels.

Again, depending on the state, laboratories may be required by law to make disclosures other than for TPO. Just make sure you keep track of all non-TPO disclosures, insists Weiser.

In addition, laboratories must review their information policies and procedures to determine if any of their current disclosures are forbidden by HIPAA, says Gwen Hughes, professional practice manager for the American Health Information Management Association.

3. Determine which physicians have access. HIPAA doesn't clearly say whether laboratories can send information to specialists who treat the patient without authorization from the patient. According to Weiser, the current rule only allows a covered entity to disclose PHI for its own TPO, but not for TPO of another covered entity.

If a specialist calls up and says, "I'm treating the patient, too, can you send me the results," under the current rules the lab would need authorization before sending the results to that person, Bernstein concludes.

If the privacy revisions are adopted, then labs will be able to send information for TPO purposes of another covered entity, Weiser tells Eli.
