Monday, September 19, 2011

The CLIA/HIPAA NPRM - Patients’ Access to Test Reports

Can you access your lab test results directly via a non-tethered Personal Health Record like Microsoft Healthvault?

The Clinical Laboratory Improvement Amendments of 1988 (CLIA) requires that the ordering clinician receive the lab and then release it to the patient.  HIPAA medical record access provisions excluded laboratories.

The September 14 Federal Register Notice of Proposed Rulemaking entitled CLIA Program and HIPAA Privacy Rule; Patients’ Access to Test Reports aims to change that:

"While individuals can obtain test results through the ordering provider, we believe that the advent of certain health reform concepts (for example, individualized medicine and an individual’s active involvement in his or her own health care) would be best served by revisiting the CLIA limitations on the disclosure of laboratory test results…

Therefore, in an effort to increase direct patient access rights, we are proposing that, upon a patient’s request, CLIA regulations would allow laboratories to provide direct patient access to completed test reports that, using the laboratory’s authentication processes, the laboratory can identify as belonging to that patient. "

Also, the HIPAA exemptions for laboratories would be removed

"In addition, this proposed rule would also amend the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to provide individuals the right to receive their test reports directly from laboratories by removing the exceptions for CLIA-certified laboratories and CLIA-exempt laboratories from the provision that provides individuals with the right of access to their protected health information."

I believe this is a great NPRM and it's endorsed by many lab stakeholders including Quest.

On September 28, the HIT Standards Committee will discuss the content, vocabulary and transport standards that will enable HIEs to transmit labs to any stakeholder.   With standards like HL7 2.51 for lab, LOINC, and Direct, a new generation of applications will be empowered as the NPRM becomes a final rule.

1 comment:

T. Pham said...

This does mean more technical security requirements and closer attention to authentication for user access, if it means consumers will be directly accessing their information...