Some labs may scramble to provide patients with direct access to their test results
Interview by Steve Halasey
In February, the US Department of Health and Human Services (HHS) issued new rules, “CLIA Program and HIPAA Privacy Rule; Patients’ Access to Test Reports,” enabling patients and their designates to have direct access to the patient’s laboratory test reports.
Prior to publication of the revised rules, many states had laws that prohibited laboratories from releasing test results directly to patients. The new HHS rules pre-empt such state laws, and will now require laboratories to provide patients and their designates with access to the completed pathology and laboratory test reports belonging to the patient.
While patients can continue to get access to their laboratory test reports through their doctors, the new rules give patients the option to obtain their test reports directly from the laboratory, while also maintaining protections for patients’ privacy. To find out how labs expect to handle their obligations under the new rules, CLP spoke with Dina Hannah, vice president and director for HIPAA compliance and privacy at ARUP Laboratories, Salt Lake City.
CLP: HHS estimates that more than 23,000 labs in 39 states will be newly required to release test findings directly to patients. How big an undertaking will this be for the labs that are affected?
Dina Hannah: That’s probably going to depend on the type of laboratory—for instance, whether the lab is part of a hospital system or is an independent laboratory. Labs that are part of a hospital system can rely on it to process and print out their reports, whereas independent laboratories will likely need to come up with their own processes. Labs in states that allow direct distribution of test results to patients may have already developed those processes.
CLP: You mention the differences between in-hospital and independent labs. Are there any particular variables that may be strong predictors of how various types of labs will fare in his regard?
Hannah: The short answer is that it really depends on the particular laboratory. If the lab is in a hospital, it would be pretty easy to go through the institution’s medical records department to fulfill requests.
Labs that are outside that realm would have to develop methods for complying with the rules. For instance, they would have to figure out how to authenticate the individual who is requesting the information—to make sure that they can distinguish this John Smith from some other John Smith who might be in the lab’s system. They will also need to verify that the person making the records request is actually authorized to do so. They will have to decide what kind of identifiers to require—whether it might be a birth date or a medical record number, or something else. When patients’ designates are involved, it might even be necessary to require notarized authorization to make a records request, and that would certainly add to the procedures that most labs now follow.
In the past, we’ve had the problem that a person calls up and says, “this is so-and-so, and I’d like to request a copy of my test results.” But based on a phone call, we have no way of knowing or verifying who the caller is. Moreover, because we’re a reference laboratory that performs testing for patients in all 50 states, we can’t reasonably expect requesters to come to our facility and provide their photo ID.
So we are thinking that we’ll need to have a notarized request process of some sort. The process will probably also need to require some key elements that we can trace back into our own system. I’m not sure how a patient will know all those elements, but the rule says that we must take reasonable steps to authenticate the requester, and it seems reasonable for a lab to provide these data elements. Of course, those will be things we work out as we develop the process.
CLP: HHS estimates that the cost for all new labs to provide test results to patients will be about $63 million in the first year. Will labs be able to sustain these new costs under the restrictions placed on what they can bill for the service?
Hannah: No. Even if we say that we’re going to bill fully what the rule says we can bill—which is basically just the cost of labor and supplies for copying and mailing the report, totaling perhaps $3—there is no way that we could develop a cost-effective billing system to collect $3 to cover a patient’s request. Because we don’t see patients for any other reason, we have no way to share the costs of such a billing system.
But the major cost to us is going to be in actually retrieving the requested records. Oftentimes, as in this case, a rule estimates that document retrieval will take 10 to 30 minutes. But in our experience retrieving records for legal requests—which I assume will be similar—it can take much longer than that. The lab may need to look at records in several systems, or even retrieve hard copies from off-site storage. That’s where the bulk of our cost is going to be.
When we send requesters their test results, we can include a note that says, “please remit to us three dollars.” But I wouldn’t guess that we’re going to get any of that back.
So no, labs are not going to be able to sustain these costs. They will do what labs always do—they just figure it out.
Some of this could depend on whether a patient is really likely to come to the laboratory in order to retrieve their test results. Patients might do so for labs connected with sample collection or patient care centers, because they are already familiar with those locations. Some of those facilities may have systems and online patient portals that are already developed, depending on how big their system is.
In our case, I doubt we’ll get a lot of requests. Patients would have to be pretty savvy even to know that their tests came to us.
CLP: The new regulations don’t require labs to interpret test results for their patients, but what will labs need to do to ensure that the information they provide is clear to the recipients? Do labs have a potential liability in this regard?
Hannah: Because the rule specifically states that we are required to provide a record to a patient, with very few exceptions, I think our liability is very low. Our greater liability may lie in making sure that we send the correct test results.
The rule says that we’re not required to, but that we can encourage the patient to contact their healthcare provider to get an explanation of their test results. To mitigate any potential risk in this area, I’m guessing that we’ll probably see a lot of labs including such a statement on a cover letter.
CLP: Does ARUP already have in place a program for providing test results directly to patients where it has been permitted to do so? Will any changes be made to the program in light of the new rules?
Hannah: ARUP has not developed any processes for releasing test results to patients, because Utah is not a state that has permitted us to do that. Instead, we’ve always referred the patient back to their healthcare provider. So being able to provide those results directly to patients will be a brand new experience for us.
I’m hoping to dovetail the new processes into our current medical records request processes, which are in place mostly to satisfy requests made for legal purposes. We’ll probably need to change those processes by adding procedures for authenticating the patient or other requester prior to providing the test results.
CLP: How important are the new HSS rules for engaging consumers in improving their own healthcare?
Hannah: It probably will improve healthcare for those consumers who have to go to the laboratory to get their test results, because that’s typically indicative of a situation where communication or dialog with the patient’s healthcare provider has broken down for some reason.
In the past, when we’ve gotten requests for results that we’ve already sent back to the healthcare provider, the requesters have been somewhat frantic, because, for whatever reason, their healthcare provider did not want to work with them anymore. In cases like this, the new rule makes it a little easier for the patient to see what’s on their report, and to take it to their new healthcare provider. It might be a little easier for them to do so. Previously, the best we could say was, “tell us who your new healthcare provider is and we’ll send them the report.”
In more normal circumstances, I would think that the typical consumer—if they really wanted their healthcare record—would go to their healthcare provider to get the complete record, not just the lab results.
CLP: Do you see the new rules as being supportive of the growth of personalized medicine?
Hannah: Perhaps. Under the new rules, there are very few exceptions that would prevent a patient from accessing their test results. But these results are records just like any others. Perhaps that view of the rules would be more applicable in states where a patient could go and order their own type of testing. But that’s not something that is legal in Utah.
CLP: Will more-direct relations between labs and consumers lead to a better understanding of clinical laboratory medicine—and perhaps even public sympathy for better test coverage and payment?
Hannah: No. I don’t think this change will improve consumers’ understanding of what it takes for a laboratory to come up with their test results. Most consumers will still equate laboratory medicine with the care center where they go get their blood drawn, which is the same place they’ll get their results from. I don’t think it’s going to give them any more insight.
If someone comes to us to ask for results, I don’t think that they’re all of a sudden going to understand why we need a $500,000 piece of equipment to run those results for them. Nor will they have a better sense of the education required for an individual to perform and interpret tests, or the role of all those physicians behind the scenes. I think consumers will continue to see their test results as just numbers on paper.
Steve Halasey is the chief editor of CLP.