Direct or indirect treatment provider? Know your obligations.
Many labs may still be unsure about where they stand with Health Insurance Portability and Accountability Act (HIPAA) privacy compliance. To make things even more challenging, small provisions of the rule could make all the difference for clinical labs.
To stay on track, labs should note three key items, HIPAA experts advise:
1. Know your provider type. Of course, labs are covered entities under the rule because they are considered health care providers, notes Stephen Weiser, an attorney with Michael Best & Friedrich in Chicago. For labs, though, a further distinction may be necessary. Experts disagree about whether a laboratory may fall under the definition of "direct treatment provider" or whether it can be considered an "indirect treatment provider."
A lab that interacts directly with patients should read HIPAA's definitions carefully and talk with its attorney in detail to determine if it's a direct treatment provider. If a lab never sees patients, then it likely falls squarely within the definition of an indirect treatment provider.
The number of laboratories that may qualify as direct treatment providers is very small, says Boston attorney Steve Bernstein with McDermott Will & Emery.
Indirect treatment providers are not required to obtain consent under any version of the rule.
All covered entities must have a notice of privacy practices under HIPAA, but indirect treatment providers are only required to provide that to patients upon request, instructs Bernstein.
2. Sort out what the lab must and must not tell a patient. Clinical labs may find themselves caught in a tangle of federal and state laws and regulations as they sort out their obligations under the HIPAA privacy rule.
That's because the privacy rule clearly states that the Clinical Laboratory Improvement Amendments preempt HIPAA on patient access to medical records, Weiser determines.
Covered entities other than laboratories must give patients access to their medical records, allow them to make copies, and allow them to request changes to the records.
CLIA still rules: HIPAA, though, acknowledges that CLIA instructs laboratories to deliver test results only to authorized persons as defined by state law. Federal regulators conceded that laboratories should continue to follow CLIA for patient access to test results.
Depending on the state and the test, laboratories may report results to a myriad of individuals, including the patient, or they may be allowed to report the results only to the individual who ordered the test.
Laboratories, though, must still provide patients with an accounting of protected health information (PHI) disclosures for purposes other than treatment, payment and health care operations (TPO), concludes Weiser. If the lab is disclosing results to someone other than a physician, it must have a way of tracking and accounting for those disclosures, he counsels.
Again, depending on the state, laboratories may be required by law to make disclosures other than for TPO. Just make sure you keep track of all non-TPO disclosures, insists Weiser.
In addition, laboratories must review their information policies and procedures to determine if any of their current disclosures are forbidden by HIPAA, says Gwen Hughes, professional practice manager for the American Health Information Management Association.
3. Determine which physicians have access. HIPAA doesn't clearly say whether laboratories can send information to specialists who treat the patient without authorization from the patient.
The rule allows a covered entity to disclose PHI only for its own TPO, not for the TPO of another covered entity.
If a specialist calls up and says, "I'm treating the patient, too, can you send me the results," under the current rules, the lab would need authorization before sending the results to that person, Bernstein concludes.