Comments on HHS Proposed Rule on Patient Access to Test Results

November 14, 2011 Categories: Comments and Letters, Regulatory Issues


November 14, 2011


Centers for Medicare & Medicaid Services
Department of Health and Human Services
Room 445-G
Hubert H. Humphrey Building
200 Independence Avenue S.W.
Washington, DC 20201


RE:      BIN 0938-AQ38; CLIA Program and HIPAA Privacy Rule; Patients’ Access to Test Reports; Proposed Rule
Dear Sir or Madam,


The American Clinical Laboratory Association (“ACLA”) appreciates the opportunity to comment on the Department of Health and Human Services’ (“HHS’s”) Proposed Rule, “CLIA Program and HIPAA Privacy Rule; Patients’ Access to Test Reports.”1 ACLA is an association representing clinical laboratories throughout the country, including local, regional, and national laboratories. As providers of millions of clinical diagnostic laboratory services each year, ACLA member companies will be impacted directly by the proposed rule.


At the outset, we would like to remind HHS of laboratories’ unique position in the health care delivery system and how laboratories’ interaction with patients differs from that of most other health care providers. Laboratories often have no direct contact with a patient. Most often, a patient’s specimen is collected by the patient’s health care provider and forwarded to the laboratory for testing and analysis. Except for those occasions when the laboratory collects a specimen from a patient in a “patient service center,” the laboratory may have no interaction with the patient. The patient’s contact information and demographic information often are provided to the laboratory by the health care provider ordering the test, and sometimes that information is inaccurate or incomplete. Furthermore, laboratories usually do not have access to a patient’s medical chart and usually are unaware of the patient’s diagnosis, comorbidities, and medical history. In sum, laboratories are unusual because they may have very limited information about an individual patient and, usually, no direct relationship with a patient.


In general, ACLA supports HHS’s proposal to permit laboratories, upon a patient’s request, to provide the patient with access to completed test reports if the laboratory is able to verify that the test report belongs to the patient. ACLA appreciates that HHS’s approach is not overly prescriptive and that the Department recognizes the wide variation in laboratory settings and  interactions  with  patients.     We  also  appreciate  the  straightforward   statement  that  the proposed changes would preempt State laws to the contrary and the explanation of what “preemption” means in this context.


However, ACLA is very concerned about some issues  not  addressed  in the Proposed Rule, and it does not support retaining the existing provisions that provide for release of test reports to authorized persons unless the proposed rule is modified to address these issues. In particular, third-party access issues are completely ignored, and it is not clear whether a patient’s right of access to test results includes the patient’s right to have the test results shared with others who do not have independent access rights. Also, HHS should further clarify when a State law is “more stringent” in the context of providing access to laboratory test reports.


In addition, ACLA has concerns about some portions of HI-IS’s proposal. The implementation date, just 240 days after the Final Rule is to be published, is too soon for many laboratories to prepare to comply fully with the regulation. Another concern relates to the time frame in which covered entities are required to act on an individual’s request for access under the HIPAA Privacy Rule. Also, we are concerned about the impact of providing highly complex test results, such as genetic or molecular testing, directly to patients without some opportunity for interpretation of the results by a physician or a certified genetic counselor who is trained to understand and interpret the results. The foregoing are a few of the concerns ACLA discusses below in more detail.


A.        ACLA’s General Comments in Favor of the Proposed Rule

ACLA supports HHS’s proposal to permit CLIA-certified laboratories to provide patients with direct access to their test results. Currently, a laboratory may release test results only to “authorized persons,” the individual responsible for using the test results, and the referring lab (if applicable).2 We agree that, as many patients have become more active participants in decisions about their own health care, their expectations about accessing their own medical  information have outgrown the current CLIA regulation and the conforming provision of the HIPAA Privacy Rule.3 Physicians and other health care professionals still play a very important role in interpreting test results and in translating the results for patients, but it is no longer a given that a health care provider always must be a patient’s intermediary. Allowing patients direct access to test results is another step toward patients’ greater investment in their own health and health care.


We are pleased that HHS included an unequivocal statement in the preamble of the Proposed Rule that the conforming provision of the I-{IPAA Privacy Rule would preempt any contrary provision of State law. ACLA estimates that currently there are at least twenty states with statutes or regulations restricting a patient’s direct access to test results, either by requiring prior physician approval or by prohibiting direct access outright.4 Among these states are some of the most populous in the nation. We appreciate that HHS included in the preamble a discussion of what it means in this context for a State law to be “contrary”: if a HIPAA-covered entity would find it impossible to comply with both the State and Federal requirements, or the provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of CLIA or HIPAA.5 This is an important statement from 1-IHS, so that States understand that they should not take enforcement actions against laboratories pursuant to existing restrictions in State statutes and regulations, nor should they pass new laws that would restrict such access by patients. (We address compliance  with  “more  stringent”  State  laws, below in Section B.)


ACLA also agrees with HHS’s decision to design the rule so that “the CLIA regulations would not prescribe the mechanism by which patient requests for access would be submitted, processed, or responded to by the laboratories.”6 The HIPAA Privacy Rule already contains implementation specifications for access of individuals to PHI.7 That rule establishes a “floor” for complying with the patient access provisions, and it also recognizes the broad variety of covered entities and the diverse settings in which they operate. Among laboratory providers, there is a wide range of ways that they interact with patients, if they do at all. Some laboratories have direct interaction with patients when they draw specimens in a “patient service center;” however, many laboratories have no such face-to-face contact with patients who may later request direct access to their test records. Therefore, it is critical that each laboratory be able to determine the best way to accept, process, review, and act on patient requests, based on its own level of interaction with patients and work flow processes.


Because of the variability in levels of interaction between laboratories and patients, laboratories may face special challenges verifying an individual’s identity. ACLA is pleased that HHS specified in the preamble that if a laboratory is unable to authenticate that a test report belongs to a patient, it is under no obligation to provide access to the report.8 HHS correctly points out that some test orders come into a laboratory with only  an  anonymous  identifier, making it impossible to verify that the test belongs to a person requesting it. There are many other circumstances in which it would be impossible for a laboratory to  verify  a patient’s identity, such as when a test order is accompanied by incorrect contact or demographic information or when the test  order comes from  another  laboratory.  HHS  should acknowledge that there are several situations in which a laboratory will not be  able to  verify  a patient’s identity, and therefore there are situations other than just anonymous testing in which  a laboratory would not be obligated to provide patients with direct access to test reports.


B.        Issues Not Addressed in the Proposed Rule

ACLA asks that HHS clarify its position on some issues that were not addressed in the Proposed Rule.


1)   Third Party Access to Test Results. HHS correctly notes in the Proposed Rule that the “CLIA-based limitations that govern to whom a laboratory may issue a test report have become a point of concern.”9 However, these limitations have become a point of concern not only with respect to patient access to test results, but also with regard to third party access to those results. The CLIA regulations provide that test results must be released only to authorized persons and, if applicable, the individual responsible for using the test results and the laboratory that initially requested the     “Authorized person” means an individual authorized under State law to order tests or receive test results or both.” Just as a number of States have laws that prohibit a laboratory from releasing a test report directly to the patient or that prohibit the release without the ordering provider’s consent, a number of States have laws that prohibit a laboratory from releasing a test report directly to a third party other than the ordering provider, or that prohibit such a release without the ordering provider’s consent, even if the HIPAA Privacy Rule would otherwise permit the disclosure without patient authorization. By deferring to State law, the CLIA regulations enable States to impede the disclosure of test results by laboratories to other HIPAA covered entities and their business associates in the same way that the CLIA regulations enable States to impede the disclosure of test results by laboratories to patients.


The HIPAA Privacy Rule was promulgated for the purpose of furthering the purpose of the HIPAA statute, which was to enable, not to inhibit, the legitimate use and disclosure of PHI. As such, the HIPAA Privacy Rule generally permits, without patient authorization, the disclosure of PHI for treatment, payment, and health care operations purposes, as well as for certain other specific enumerated purposes (e.g., public health and health oversight activities). Laboratory test results are PHI. Therefore, in the absence of an applicable exception, a laboratory could disclose test results to other HIPAA covered entities and their business associates without the need for patient (or ordering provider) authorization, to the same extent that any other covered entity could disclose PHI that it generates, as long as the disclosure was for one of the permissible purposes under HIPAA. However, the HIPAA Privacy Rule does not pre-empt either other applicable Federal laws that are more stringent (such as CLIA), or State laws that are more stringent.


Most States either define “authorized person” narrowly, often including only the ordering provider or his designee, or fail to define authorized recipients of laboratory test results, in which case  most  labs  have  typically  defaulted  to  the  CLIA  provision  referencing   “the  individual responsible for using the test results.” Most have historically interpreted this to mean the ordering provider. Prior to the March 2010 revision of the CLIA interpretive guidelines, many labs interpreted the CLIA regulations to apply to both current and historical test results. In its March 2010 revision of the CLIA interpretive guidelines, CMS clarified that once a lab sends a test result to the authorized person, the lab’s CLJA responsibility has been fulfilled meaning, as far as CLIA is concerned, the lab could then send the historical results anywhere it wanted. However, the result of this interpretation is the same as it had been before. Whether  CLIA applies to historical results and defers to State law, or whether CLIA no longer  applies  to historical results, State law still ultimately determines the persons to whom a laboratory may release test results, and those laws are typically restrictive or prohibitive with respect to both patients and third parties.


We can offer numerous examples to illustrate the harmful effects of not fully addressing the third party access issue. A few follow:

  • In its discussion of the proposed rule on HIPAA claim attachments, CMS suggested that it could require labs to send test results to CMS and its contractors as claim attachments for  various  legitimate  purposes.    We pointed  out to CMS  at that time  that  CLIA regulations   and applicable State laws would prohibit such disclosures without authorization from the ordering providers, since neither CMS nor its contractors are identified in CLIA or State law as “authorized persons” to whom clinical laboratories can send test results. CMS has not subsequently refuted that position.
  • In a subsequent Medicare Chronic Care Improvement pilot, certain Medicare contractors sought test results from some clinical laboratories in an effort to help coordinate and improve  care  for  Medicare  patients  with  chronic  conditions  in  several  Stales  which prohibited labs from disclosing test results to anyone other than the ordering provider or his designee. In an attempt to assist Medicare contractors with this request, we sought an advisory opinion from the Office of the Attorney General of Florida regarding  its statutory and regulatory restrictions on lab result disclosure.  We received  a letter from the Florida Attorney General advising that such disclosures would be permitted for the limited purpose of this pilot; however, soon afterwards,  CMS issued a memorandum  to its contractors directing them to seek test results from ordering  providers  rather  than clinical laboratories, citing the CLIA  regulations and applicable  State laws prohibiting labs from providing the results directly to the contractors.
  • CMS suggested in its March 2010 revision of the CLIA interpretive guidelines that labs can send test results to third parties such as non-ordering treating providers and health information exchanges if the ordering provider designates such recipients in the original test requisition. However, such recipients most often are not identified until after the original test requisition has been sent; it would be virtually impossible for the ordering provider to know in advance of ordering the test all of the entities that may need the result in the future.
  • On a daily basis, labs are bombarded with requests for millions of historical test results by entities other than the individual or the ordering provider. Such requests are submitted, for example, by health information networks to make historical test results available for health information networks (e.g., for treatment purposes), as well as for peer-to-peer transmissions to entities who need large quantities of lab data for legitimate secondary uses (e.g., health plans and their business associates who need lab data for quality improvement, disease or case management, patient safety, or pay-for-performance initiatives). Health information networks, health plans and their business associates typically are not among the “authorized persons” identified in the CLIA regulations or applicable State laws as persons to whom labs can send test results, without authorization from the ordering provider.


Assuming the HJPAA Privacy Rule would otherwise permit the disclosure  without patient authorization, most labs interpret CLIA and applicable State law to permit the lab to transmit test results to a non-ordering third party if either the recipient is defined as an authorized person under State law or the ordering provider authorizes the disclosure. The rationale for this interpretation is that it would be unreasonable to interpret CLIA and State law to prohibit the lab from making such a disclosure if authorized by the ordering provider, where  the  ordering provider could make the very same disclosure to the same third party himself. However, while obtaining ordering provider  authorization  may not be difficult with respect to a single test result to be sent, for example, to a non-ordering treating provider, it is far more difficult in the context of making millions of historical test results available for health information networks (e.g., for treatment purposes) or for peer-to-peer transmissions to entities who need large quantities of lab data for secondary uses (e.g., health plans who need lab data for quality improvement, disease or case management, patient safety, or pay-for-performance initiatives). Labs have attempted to address the issue of documenting ordering provider authorization through contractual representations and warranties from  data recipients  that the ordering providers  associated  with the requested test results have authorized the requested disclosure, but this “workaround” is extremely inefficient and is not always effective.


The inefficiencies and inequities of the current regulatory framework governing  the release of laboratory test results to third parties cannot be overstated. We are aware of no other category of HIPAA covered entities whose disclosures of PHI are  similarly  restricted  with respect to the recipient of the disclosure. With the exception of certain highly sensitive  test results, the confidentiality of which is strictly regulated under State and Federal law (e.g., results relating to certain communicable diseases and drug and alcohol abuse), we see no reason why PHI in the form of a laboratory test result in the possession of a clinical laboratory should be treated any differently than other PHI in the possession of another HIPAA covered entity.  Once a test result other than those just mentioned reaches another HIPAA covered entity that is not a clinical laboratory, it can generally be further disclosed without regard to the recipient, so long as the disclosure is either for a permissible purpose under the HIPAA Privacy Rule or the individual authorizes the disclosure. However, obtaining  millions  of test results  for legitimate  purposes from tens of thousands of non-lab covered entities, which can generally be done today without worrying about CLIA or State laws governing test result disclosure, is exponentially more inefficient than obtaining those same results from a small handful of clinical laboratories.


Further, resolving this issue in the manner we propose would not compromise the privacy of test results. HIPAA covered entities are legally obligated to comply with both the HIPAA Privacy Rule and the HIPAA Security Rule with respect to any PHI they  receive,  use,  or disclose. Business associates are legally obligated to  comply with the terms of the business associate agreements they execute with covered entities, the terms of which are limited by the HIPAA Privacy Rule, and also are bound by the requirements of the HIPAA Security Rule for the protection of electronic PHI. Non-laboratory HIPAA covered entities already can send the same test results to third parties for the permissible purposes  under discussion here; the resolution we seek simply would create parity between clinical laboratories and other HIPAA covered  entities.


We have developed proposed amendments of the CLIA regulations that would resolve the third party access issue by simply expanding the list of “authorized persons” to whom labs can send test results to include covered entities and business associates as defined in the HIPAA Privacy Rule (see the Appendix to these comments for proposed regulatory text). These proposals would operate as a targeted pre-emption of State authorized person laws; States would continue to be permitted to define “authorized person,” so long as they do not exclude covered entities and business associates. We also stress that these changes would not be construed to permit disclosure of any type of test result when disclosure of that type of test is otherwise prohibited by State or Federal confidentiality laws (e.g., HIV results or results of drug and alcohol abuse tests).


The intent here is only to expand the list of permissible recipients of test results in a responsible manner, not to expand the purposes for which test results may be used or disclosed, which are already governed by HIPAA. Uses and disclosures prohibited by HIPAA without patient authorization would still require patient authorization under these amendments. However, disclosures to covered entities and business associates that would otherwise be permitted by HIPAA without patient authorization, but that are currently prohibited under CLIA and applicable State law without ordering provider authorization, would be permitted without ordering provider authorization under these CLIA amendments. The pre-emption of contrary State law by the amended CLIA regulation would effectively nullify the HIPAA Privacy Rule’s deferral to more stringent State law. As a result, appropriate disclosures of test results to third parties would be facilitated.


It is important to note that there is nothing in the CLIA statute, 42 U.S.C. § 263a, that would prevent the pre-emption of State laws contrary to the CLIA regulatory amendments we are seeking here. The CLIA statute provides, in pertinent part at 42 U.S.C. § 263a(p), as follows:


(p)  State laws.


(1)  Except as provided  in paragraph (2), nothing in this section shall be construed as affecting the power of any State to enact and enforce laws relating to the  matters covered by this section to the extent that such laws are not inconsistent with this section or with the regulations issued under this section.


(2) If a State enacts laws relating to matters covered by this section which provide for requirements equal to or more stringent than the requirements of this section or than the regulations issued under this section, the Secretary may exempt clinical laboratories in that State from compliance with this section.


This section of the CLIA statute simply provides that States are free to enact laws consistent with the CLIA statute and regulations, and that if a State enacts a more stringent requirement, the Secretary has the discretion to exempt, or not to exempt, clinical laboratories from the CLIA requirement. Amending the CLJA regulations to pre-empt more stringent State laws relating to the release of laboratory test results therefore would be entirely consistent with the provisions of the CLIA statute dealing with its relationship to State laws.


By eliminating the barriers to laboratory disclosures of test results to individuals, HHS has taken an important first step in recognizing that laboratory test results in the possession of a clinical laboratory are PHI just like any other PHI in the possession of another I-IIPAA covered entity, and therefore should be subject to the same regulatory framework regarding their disclosure. It would be totally inconsistent with that approach not to resolve the third  party access issue in the manner we are recommending.


2)     Patient Designation of Third Party Recipients: In addition, HHS should amend the language of the proposed rule to make it clear that a patient may request not only that the laboratory shares the test report with the patient, but also with other individuals or entities the patient authorizes to receive the test report. As proposed, the text of 42 C.F.R. § 1291(1) would read, “Upon a patient’s request, the laboratory may provide access to completed test reports that, using   the   laboratory’s   authentication   process,   can   be   identified   as   belonging    to that patient. Throughout the preamble of the Proposed Rule, HHS refers to “providing patients, upon request, with direct access to their laboratory test reports,” “provid[ing] an individual  with  access to his or her completed test reports,” and “improving individuals’ access to their health information.” However,  the  language proposed  for 42 C.F.R.  § 493.1291(1)  does not  specify the person  or persons to whom such access may be given it specifies only the person to whose request a laboratory would respond, We urge HHS to amend paragraph (1) to clarify that the laboratory must provide access to such individual, his personal representative, or any other party designated by the individual or his personal representative and that this rule would preempt any State law to the contrary that would limit recipients authorized by the individual to receive the information.


3)    Compliance with “more stringent” State law: We ask that HHS clarify what it means by a “more stringent State law” in this context. Although HIPAA rules preempt any contrary provision of state law, “more stringent” state laws are not preempted.’3 HIPAA defines a “more stringent” State law as one that “permits greater rights of access” to PHI than does the Privacy Rule.’4 We would like to know whether a law “permits greater rights of access” if it requires a laboratory to provide quicker access to test reports or if it specifies that a laboratory may ask only for certain forms of identification when verifying an individual’s identity, for example.


C.        ACLA’s Areas of Concern

While ACLA generally is supportive of HHS’s proposal for permitting laboratories to provide patients with direct access to their test reports, we have  concerns  about  the implementation  of the proposed changes.


1)  Compliance date is too soon: As proposed, HIPAA-covered laboratories would be required to comply with the revised provisions of CLIA and HIPAA no later than 180 days after the effective date of the Final Rule, which would be 60 days after its publication in the Federal Register (a total of 240 days after publication).  ACLA strongly disagrees with HI-IS’s estimate of the amount of time it will take for a laboratory to comply with the proposed changes, It will take far longer than the estimated two to nine hours for a laboratory to “identify the applicable legal obligations and to develop the processes and procedures for handing patient requests for access to test reports.” There are several reasons why compliance in such a short period of time will be difficult at best.


Some laboratories lack policies, protocols and mechanisms for responding to requests for access to test reports, for addressing follow-up questions from patients, or for providing patients with direct access to test reports. Such laboratories will have to establish new procedures and new software systems to accommodate the proposed changes. They also will have to develop policies and procedures for verifying an individual’s identity; as we described above, laboratories have unique challenges with verification because they often have no direct interaction with a patient and the contact information they get from a provider can be incomplete or incorrect. All laboratories also will have to develop and implement staff training so that their personnel understand what is and is not permitted.


Laboratories that currently serve patients in jurisdictions in which patient access to results is permitted and those in which they are not will have to ramp up their operational capabilities to respond to patient requests for access to results in numerous additional states, which may involve the necessity of significant and costly system upgrades. Additionally, laboratories are in the midst of implementing processes and systems to comply with, or to assist others in complying with, numerous other regulatory changes, such as the transition to lCD- 10 and “meaningful use” of electronic health records (EHRs), and it is unreasonable to place this additional burden on laboratories in such a short time frame.


Laboratories must have ample time to prepare to comply with the proposed changes, and ACLA suggests that the Secretary give laboratories at least one year after the  Final  Rule’s effective date to come into compliance.   The Secretary of Health and Human Services is required to provide covered entities at least 180 days to comply with modifications to HIPAA, but it is not prohibited  from providing  a  longer  compliance  period  after  the effective date.’5    A one year

compliance time frame should be sufficient for most laboratories to develop and implement new procedures to respond to patient  requests. In the interim, HHS should make it clear that laboratories will be required to continue to comply with applicable State law until the effective date of the Final Rule. Laboratories that can comply earlier may comply as of the effective date.


1)  30 day extension may not be sufficient: The HIPAA Privacy Rule generalLy requires a covered entity to act on an individual’s request for access to PHI within 30 days of receipt of the request, or if it is unable to act on a request, it may have one 30 day extension.16 This total of 60 days may not be sufficient for some laboratory tests. For instance, the results for a test for tuberculosis may not be available until eight weeks from the time the test is started until the test is complete and the results are available. 11115 should clarify that the covered entity has thirty days from the time of the request or test completion, whichever is later.


2)    Sensitivity of some laboratory test results: Some laboratory test results are quite sensitive and, without interpretation by or guidance from a medical professional, may cause an individual tremendous anxiety. One such example is genetic test results. These test results are very complex, and, typically, they are shared with a patient by a physician or genetic counselor specially trained to understand and interpret the results. ACLA member laboratories that conduct genetic tests oftentimes receive test request from other laboratories — not directly from ordering physicians — and the laboratories have no control over the timing of the patient’s physician receiving the results. Some ACLA laboratories are concerned about the prospect of a patient requesting and receiving genetic test results before the ordering physician receives the results, such that the patient may not have the benefit of a trained health care professional to assist him or her in understanding the implications of those results. In some cases, a patient’s representative requesting the results on a patient’s behalf (e.g., a sibling) also may be affected by the results. Receiving the results from a laboratory, instead of from the ordering physician, may mean that the patient’s representative suffers the same sort of anxiety.


Other test results are liable to cause the same sort of anxiety  in  an  individual  who receives them directly from a laboratory, without guidance and interpretation, rather than from a physician. Under the best circumstances, a cancer diagnosis can be devastating. Some cancers may be relatively benign or easily treatable, while others are aggressive and potentially lethal. Ideally, a physician would have an opportunity to review and interpret such a test  report  and share his or her interpretation with a patient, explaining the kind of cancer and the real risks, rather than a patient receiving that information in a vacuum.


The sensitivity of some laboratory test results is yet another reason why 30 days may not be a sufficient amount of time in which to act on an individual’s request for access to PHI contained in a test report. 11115 should consider giving laboratories the option of using up to two 30-day extensions (or one 60-day extension) when a licensed health care professional has determined, in the exercise of professional judgment, that the ordering physician should have additional time to receive and review the test report before the patient does, and that the additional time afforded by the extension would facilitate that. However, no laboratory would be required to delay acting on an individual’s request for access to P1-H for such tests, and the overwhelming majority of all requests would be acted upon within 30 days.

*        *        *        *        *


Thank you again for considering ACLA’s comments and suggestions on the Proposed Rule. We urge HHS to amend the Proposed Rule as it relates to Section 493.1291 of the CLIA regulations to read as set forth in the Appendix to these comments. 




Alan Mertz, President

American  Clinical Laboratory Association


See original PDF file here.

Print page / Save as PDF