Share this article on:
The deadline for compliance following the introduction of the new HIPAA Privacy Rule is October 6, 2014. Hospitals with on-site laboratories subject to the Clinical Laboratory Improvement Amendments of 1988 (“CLIA”) as well as laboratories covered by HIPAA must adapt policies and procedures to take the new legislation changes into account.
The change provides patients with improved access to their medical data. The changes have now been finalized by the HHS Office for Civil Rights and the Centers for Disease Control and Prevention and Centers for Medicare & Medicaid Service, which amended CLIA regulations earlier this year.
Laboratories are currently permitted to provide medical test results directly to patients, provided that it can be established that the results of the tests belong to patient in question. Results can also be released to patients’ nominated representatives. The change to HIPPA privacy laws from October 6 mean that laboratories are now required to provide PHI to patients upon request and that patients have full access rights. Any non-HIPAA covered entity is also permitted to release patient data and PHI to a patient or nominated representative, although they are not required to do so by law.
State laws may prevent the release of information, although since the new Privacy Rule preempts state laws, CLIA labs must comply with the new HIPAA Privacy Rule and not state legislation (unless they are not governed by HIPAA regulations in which case, state laws and prohibitions still apply). Under the new Privacy Rule laboratories must provide results within 30 days, although if State laws require results to be provided faster, the state time limit will apply. The changes to HIPAA have been made to improve patient access to data and if more stringent State legislation provides better patient data access rights it is the State legislation which must be followed.
In order to remain compliant in light of the impending changes, laboratories are required to update their policies and procedures with respect to patient access rights to lab test results. Notices of Privacy Practices must also be updated as the new rule constitutes a material change. Patients must also be made aware of their new access rights together and information should be provided to tell them how their new rights can be exercised.
Since hospital laboratories operate under hospital policies it is expected that no administration issues will arise as the New Security Rule. Changes should have already been implemented into hospital policies and procedures, although it is recommended that hospitals review their procedures in light of the recent change to ensure that access to PHI by patients is not prohibited.
CLIA laboratories covered by HIPAA should also provide additional training to staff to ensure they are aware of the changes to the regulations and be advised how patient data access requests should be handled.