Pathology/Lab Coding Alert

Compliance:

Follow 3 Tips to Seize Opportunities and Face Demands for Your Lab

Stick with HIPAA, CLIA, HITECH direction.

It’s a wonder that anyone can keep up with all the compliance issues your lab faces, with new mandates for reporting test results to patients and the need to integrate electronic records while keeping privacy breaches under control.

Look here for support: Review the following tidbits gleaned from various 2014 happenings to help you improve your lab’s compliance and avoid expensive Health Insurance Portability and Accountability Act (HIPAA) penalties.

Tip 1: Retool for Altered Rules

Depending on your locality and state rules, your lab may have been restricted in the past to reporting test results only to the ordering physician or the physician’s agent — but not anymore. Although only a few states’ clinical lab licensing laws even permitted labs to release test results directly to patients, those rules changed with the Patient’s Access to Test Reports final rule promulgated by CMS earlier this year. 

Under the CMS rule, revisions to the Clinical Laboratory Improvement Amendments (CLIA) and HIPAA require labs to give lab test results to the patient or a patient’s personal representative, upon request. That means your lab must rework protocols to comply with the rule while maintaining the integrity and security of the patient’s private health information. 

Importance: “The right to access personal health information is a cornerstone of the HIPAA Privacy Rule,” said former Health and Human Services Secretary Kathleen Sebelius in announcing the new CMS rule. “Information like lab results can empower patients to track their health progress, make decisions with their health care professionals, and adhere to important treatment plans.”

Resource: You can access the rule at www.federalregister.gov/articles/2014/02/06/2014-02280/clia-program-and-hipaa-privacy-rule-patients-access-to-test-reports

Tip 2: Refocus Goals

Many lab industry leaders see the Patient’s Access to Test Reports rule as an opportunity for labs to shift focus and become more proactive toward the realization of personalized medicine and positive patient outcomes.

For instance: The Clinical Laboratory Management Association (CLMA) has expressed support for the rule as part of a move to a patient-centric healthcare system. In that spirit, CLMA, in association with The Dark Group and Orchard Software, is launching an initiative called “Increasing Clinical Effectiveness (ICE)” as a catalyst to help lab administrators, pathologists, and medical laboratory scientists broaden the focus of their laboratory beyond operational efficiency to include measurable impact on positive patient outcomes, according to CLMA president Paul Epner in a recent Webinar introducing the program.

Similarly: The American Society for Clinical Pathology (ASCP) proclaims strong support for the rule. In a letter commenting on the proposal before CMS issued the final rule, then-ASCP president C. Bruce Alexander, MD, FASCP stated, “Information is power, and giving patients access to their test results empowers those willing to be actively involved in the management of their health.” 

CMS also addressed ASCP concerns about labs interpreting test results for patients by clarifying that the final rule “does not require that laboratories interpret test results for patients. Patients merely have the right to inspect and receive a copy of their completed test reports and other individually identifiable health information maintained in a designated record set by a HIPAA-covered laboratory. Laboratories may continue to refer patients with questions about the test results back to their ordering or treating providers.”

Resources: You can read more about professional society comments at their Websites, such as www.clma.org/ICE and www.ascp.org/Newsroom/CLIA-Final-Rule-Grants-Patient-Access-to-Test-Results.html.

Tip 3: Assess HIPAA Breach Risk

Thanks to the Health Information Technology for Economic and Clinical Health (HITECH) Act, recent mandated reports provide many statistics about HIPAA compliance. Sifting through the information, we’ve come up with key lessons to help your lab strengthen its HIPAA compliance.

Focus on theft prevention: Theft didn’t merely rank number one on the list of breach causes, it blew all other causes out of the water. Theft accounted for half of the breaches in both study years (50 percent in 2011 and 53 percent in 2012), according to a blog post from health law attorney Leah Roffman with Cooley.

“The statistics in both reports clearly show that the most breaches still come from ‘older’ sources of PHI, such as paper records, desktop computers, and network servers,” note attorneys Stephanie Willis and Dianne Bourque in an analysis for Mintz Levin Cohn Ferris Glovsky and Popeo, published in The National Law Review. But “in addition to updating and monitoring security protocols for older PHI sources, covered entities should address security problems with newer storage media,” according to Willis and Bourque.

Specifically, the breach report shows a large increase in the number of breaches involving laptops, say Willis and Bourque. “Because theft was the primary cause of breaches in 2009 to 2012, ensuring that laptops and other portable devices are secured in accordance with standards acceptable under HIPAA will become even more important as organizations adopt more ‘bring your own device’ policies to ensure the mobility and convenience of health care delivery.”

Monitor Business Associates (BAs): Although BAs accounted for only 26 percent of the breaches in the reporting period, these breaches affected 59.3 percent of the total individuals affected by all the breaches reported. And the large number of affected individuals in breaches involving BAs likely reflects the reality that BAs may house PHI for multiple covered entities, Willis and Bourque point out. “Based on these statistics, health care organizations must impose standards for using BAs and subcontractors,” Willis and Bourque urge. You must also ensure that your BAs and subcontractors understand their obligations under the HIPAA Privacy and Security Rules.

Plug small breaches: Although small breaches — those involving fewer than 500 individuals — may seem like a far cry from mega breaches affecting millions of people, they can still seriously hurt your organization. “The problem with small breaches for organizations is that they can occur more frequently than large ones,” warn Willis and Bourque. “The occurrence of repeated small breaches can be indicative of a systemic compliance problem, and may suggest to a regulator that the organization has not taken steps to identify and remedy the problem.”

That’s why it’s crucial for your organization to determine its breach risk profile, and identify and correct any compliance gaps, Willis and Bourque stress. “All covered entities should ensure that they account for the likelihood of small breaches as much as they do for large breaches when doing their security risk assessments.” 

Resource: For help with your risk assessment, check out the HHS Office of the National Coordinator’s Security Risk Assessment Tool for small and medium-sized health care providers at www.healthit.gov/security-risk-assessment.