Even before the government's push for electronic healthcare records, labs dealt with shifting demands from regulators and physicians for how and when results should be delivered. Now, they will need to gear up quickly to comply with patient requests for records beginning October 6, owing to a new rule issued by the Department of Health and Human Services (HHS). When HHS first proposed this regulation in 2012, the discussion centered on whether patients should even be trusted to handle their own lab reports. While that remains a concern for many, the debate over whether will now need to turn to serious questions of how, as the time has come for careful planning to ensure compliance. The final rule makes changes to both the Clinical Laboratory Improvement Amendments (CLIA) and the Health Insurance Portability and Accountability Act (HIPAA) that had exempted labs from the requirement to share records with patients upon request.

As labs consider how they will interact with patients under the final rule, they will need to strike the right balance between allowing access and protecting privacy, according to Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology. "There is no question that this will pose a real, but surmountable challenge for labs," McGraw said. "They need to put the right processes in place so that they're only releasing lab data to the right people. But if they set the bar too high, and make it really hard for people to get their data, then they run the risk of being in violation of the rules for not providing patients with the new rights they now have under law." McGraw chairs the privacy and security tiger team and co-chairs the information exchange workgroup, both under the Office of the National Coordinator for Health Information Technology (ONC) Health IT Policy Committee.

The Biggest Hurdle: Authentication

Labs should already be familiar with HIPAA compliance when it comes to maintaining the security of patients' protected health information. Any lab that electronically transmits any health information, even claims, already is a HIPAA-covered entity. The new challenge will be authenticating that a patient is who he or she claims to be when making a request for lab information. This will be especially tricky since labs usually receive their information about who a patient is from another party, such as a physician's office. "An ongoing concern we have as secondary providers is making sure we get results only to the person who should get them," said JoAnne Glisson, senior vice president of the American Clinical Laboratory Association.

Looking for guidance or standards on how to authenticate a patient in HIPAA or CLIA? These regulations offer little help. HIPAA requires that a covered entity "take reasonable and appropriate steps to verify the identity of the individual making a request for access," but does not elaborate on the particulars.

In the simplest scenario, a patient could walk into a physical location and produce a government-issued photo ID. This is what Spokane, Wash.-based reference lab PAML does in two states where it operates that already have laws allowing direct patient access to lab results, Washington and Montana. "So far there have been only a very small number of these requests, and since we have physical facilities such as collection stations, we ask patients to present at one of these locations to request lab reports," said PAML, LLC President and CEO Francisco R. Velázquez, MD, SM. "At this point we are waiting to see how prevalent these requests become before we invest in a different system. Right now we want to ensure that we are providing this information to the right individual, so we are very conscious of protecting the identity of our patients and that their information is never in the wrong hands."

Some large commercial labs have already invested in portals or other systems so patients can see their lab reports online, or even on their mobile phones. However, their success will not be easy to replicate for smaller independent labs because the process for remote authentication is much more complicated. In his role as chair of the privacy and security tiger team of the Health IT Policy Committee, McGraw heard testimony from one large commercial lab that operated in a state allowing direct access. This lab had opted to use a third-party service to authenticate patient identity.

"This is an area where labs have to start from scratch," McGraw said. "But it is a necessary hump that labs are going to have to get over, because once this rule goes into effect, if a patient asks for his data, the lab can't say no. It's now a right. Yet none of the authentication protocols are prescribed under HIPAA. The admonitions under HIPAA are: don't breach data."

The Engaged Patient
Some Patients Are Ready to Take Charge

When Kathleen Sebelius, secretary of the Department of Health and Human Services (HHS), announced the final rule allowing direct patient access to lab results, she emphasized that “information like lab results can empower patients to track their health progress, make decisions with their healthcare professionals, and adhere to important treatment plans.”

However, when HHS issued the draft rule in 2012, many professional groups like the American Academy of Family Physicians came out against it, saying that the agency was overlooking unintended consequences and possible harms to patients.

“The main comment from the draft regulation was, are all patients going to be able to assimilate this information? And the answer to that is, it depends,” noted Francisco R. Velázquez, MD, SM, President and CEO of PAML, LLC, a reference lab based in Spokane, Wash. “There is a continuum of knowledge and of desire for information among patients. If you look at generational differences, our parents and grandparents, the greatest generation or traditionalists, did not even ask a question of the doctor. But the baby boomers are more assertive and ask questions, and then members of Generation X and the millennials are not only interested, but they feel it’s their right to know exactly what’s going on and to share that information as they so desire.”

AACC has long supported patient empowerment and health literacy through LabTestsOnline.org, an online tool that enables patients to learn more about why laboratory tests are performed and how the results are used in their care. According to Lab Tests Online Executive Producer George Linzer, the website has become more important as web-savvy patients increasingly seek to take control of their own healthcare.

“Lab Tests Online was originally created in 2001, when there was a big push for direct access testing (DAT). It was important for many of our stakeholders, I think, that those patients using DAT services had a resource where they could get trusted information about their tests,” Linzer said. “Now, with the expanded rights for all patients to get their results directly, the value of Lab Tests Online has grown by an order of magnitude.”

The content on Lab Tests Online is geared for what Linzer called the “motivated health information seeker,” and aims for the 11th or 12th grade reading level. After user surveys indicated that site visitors preferred even more detail, the site was revised to be more comprehensive. “Everything we’ve seen in terms of survey data confirms what we learned from studies we performed before launching the site: the online healthcare information seeker tends to be better educated than average and willing to extend himself or herself in order to understand what is happening to him or a loved one,” Linzer said. “When you think about it, it should come as no surprise that people who are experiencing a health crisis are motivated enough to open their minds to learn everything they can about their situation in order to gain some relief for their anxiety and even a sense of control over what is happening to them.”

Deciding on a Standard

Although HIPAA does not spell out how providers should authenticate patients before turning over information, labs can borrow standards from other disciplines. According to McGraw, one of the best standards for information security comes from the National Institute of Standards and Technology (NIST). Government agencies use published NIST personal identity verification standards, with level 1 being the lowest and level 4 for high-risk government secrets. Level 1 merely requires a username and password. Level 2 and beyond require a cryptographic token.

For the lab's purposes, McGraw recommends, as a minimum, what she called NIST 1.5, which goes beyond a simple username and password and uses knowledge-based proofing, such as the security questions a bank might ask customers when they set up an online account. Another way to improve security is out-of-band confirmation, such as a letter sent to the known postal address of a person who registers for an online account.
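One way to implement the out-of-band confirmation McGraw describes, combined with the who-requested-what-and-when documentation Velázquez discusses later in the article, as an added example that is not part of the article or of any lab's actual system: a one-time code is mailed to the address already on file, stored only as a hash, expires after a set window, locks after repeated wrong guesses, and writes every outcome to an audit trail. The field names, the 14-day window and the three-attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

CODE_TTL = timedelta(days=14)  # assumed window: a mailed letter takes days to arrive
MAX_ATTEMPTS = 3               # assumed limit: lock the request after repeated wrong codes

@dataclass
class AccessRequest:
    patient_id: str
    mailing_address: str  # taken from the lab's own records, never from the requester
    code_hash: str        # only a hash is stored; the code itself goes in the letter
    issued_at: datetime
    attempts: int = 0
    verified: bool = False
    audit: list = field(default_factory=list)  # (time, event, detail): who asked, and when

def _code_hash(code: str, patient_id: str) -> str:
    return hashlib.sha256(f"{patient_id}:{code}".encode()).hexdigest()

def _log(req: AccessRequest, now: datetime, event: str, detail=None) -> str:
    req.audit.append((now, event, detail))
    return event

def open_request(patient_id: str, mailing_address: str, now: datetime):
    """Start a request: an 8-digit code is printed in the letter and stored only hashed."""
    code = f"{secrets.randbelow(10**8):08d}"
    req = AccessRequest(patient_id, mailing_address, _code_hash(code, patient_id), now)
    _log(req, now, "code_mailed", mailing_address)
    return req, code  # the code goes to the mail-merge step only, never back online

def verify(req: AccessRequest, presented: str, now: datetime) -> str:
    """Check a code the patient presents; every outcome lands in the audit trail."""
    if req.verified:
        return "already_verified"  # single use: presenting it again unlocks nothing new
    if now - req.issued_at > CODE_TTL:
        return _log(req, now, "expired")
    if req.attempts >= MAX_ATTEMPTS:
        return _log(req, now, "locked")
    req.attempts += 1
    if hmac.compare_digest(req.code_hash, _code_hash(presented, req.patient_id)):
        req.verified = True
        return _log(req, now, "verified")
    return _log(req, now, "wrong_code")

def demo() -> list:  # constructed walk-through: a typo, the right code, a replay, a stale letter
    t0 = datetime(2014, 10, 6, tzinfo=timezone.utc)
    req, code = open_request("P-0001", "1 Example St, Spokane WA", t0)
    wrong = "00000000" if code != "00000000" else "11111111"
    stale = open_request("P-0002", "2 Example St, Missoula MT", t0)[0]
    return [verify(req, wrong, t0 + timedelta(days=3)), verify(req, code, t0 + timedelta(days=3)),
            verify(req, code, t0 + timedelta(days=4)), verify(stale, "12345678", t0 + timedelta(days=15)),
            [event for _, event, _ in req.audit]]
```

The replay check matters because the code is printed on paper: once it has been used, a later presentation, by anyone, must not reopen access.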

Under HIPAA, labs must also provide patients with an electronic copy of their records if requested. This electronic copy need not arrive over the Internet, but can take the form of a disc or other digital media, according to Linn Freedman, a partner in the Nixon Peabody law firm. "The bottom line is, if they ask for it electronically, labs have to give it to them in electronic form," Freedman said. "If patients want it printed, then you give them a printed copy. But the patient has the right to get it in the form that the patient requests. Once you give the report to the individual, what they do with that is their responsibility, but I highly recommend that if you give information in an electronic form, like a disc, that you do it in an encrypted way or in encrypted email." Freedman currently serves as general counsel to the Rhode Island Quality Institute, and formerly was an assistant attorney general and deputy chief of the Civil Division of the Attorney General's Office for the State of Rhode Island.

Authentication can also be a challenge if someone other than the patient requests information from the lab. HIPAA allows a patient to designate an "authorized representative" to do so, but does not offer much guidance. Freedman recommends labs look to their state laws on this issue. "Most healthcare entities actually follow their state law when it comes to what is the definition of an authorized representative, because state law is usually much more specific than HIPAA," she said.

Another area where Freedman recommends labs make sure they follow their state law is when dealing with sensitive results, such as for HIV or cancer. HIPAA does allow providers to limit disclosure of this kind of information. A denial of access is permissible when a "licensed healthcare professional, in the exercise of professional judgment, determines that the requested access is reasonably likely to endanger the life or physical safety of, or cause substantial harm to, the individual or another person." Many state laws go beyond this broad statement to designate special treatment for HIV, genetic testing, and other sensitive information, Freedman noted.

Freedman warned that labs should not try to draft policies and procedures on their own. "Most independent labs are not prepared for this at all. They'll really need an attorney," she said. "That way, they have that stamp of approval that they're in compliance."

Policies, procedures, and training are all critical, Velázquez emphasized. "Training your staff is critical, because these requests can require a lot of steps, from filling out paperwork to documenting everything in the patient's health record," he said. "We've also made sure that we can go back and see who has made a request and when a report was printed, for example. But the IT issues are really not the difficult part here. The hard part is the human component, making sure there are not gaps in your procedures. That's why we regularly audit our processes."

Can't Patients Go Somewhere Else?

With the government's push for electronic healthcare records (EHR), some laboratorians might expect that this rule is too little, too late, as patients already might be accessing their lab results electronically from some providers. Such a system is required under stage 2 of the government's EHR meaningful use guidelines. But there are still plenty of gaps, Velázquez noted. "We have a number of health system partners who have patient portals and the patients have access to information via their physicians," he said. "But it's not a universal process, and not everyone has the secure systems to do that." In addition, the government has already extended the deadline to meet stage 2 meaningful use requirements through 2016.

Significant numbers of physician offices, in particular, lag behind on EHR implementation, or are in earlier stages of the program that don't require the ability to send lab results to patients, according to McGraw. "I think some labs might want to get out in front on this and make it as easy as possible for patients in these cases."

Importantly, just because a health system or physician has an electronic portal or some other means to transmit results, it does not mean the lab is off the hook. Patients have a right to request directly from the lab, whether or not there might be some other venue for access via a physician or health system. If labs offer information about such a third-party portal, they need to be careful, according to Freedman.

"The danger with referring patients to a portal is documentation," Freedman said. "The lab needs to document that they provided the report to the patient. Also, the Office of Civil Rights, the agency responsible for enforcing this law, wants to make sure that patients can get access to their records easily. Requiring the patient to sign up for a portal if they have not already could be considered too difficult. It could be an option, but I would suggest that option only for patients already signed up for a portal."

Hospital labs should also be careful, even though the hospital itself is the covered entity that is responsible for patient record requests. "Hospitals will already have policies and procedures for responding to patient requests for their healthcare information, so in a sense it will be just extending this to the lab," Freedman said. "The difficulty in the hospital setting is that people can go straight to the lab, so hospital labs do need to operationalize it and be able to document that the patient requested access, that they got proper authentication, and then be able to incorporate that into the electronic medical record."

Hospital labs might want to go even further and create a process for offering lab reports on their own, in partnership with the medical records department, Freedman said. "I would caution hospital labs not just to punt these patients to the medical records department. I think that is not within the spirit of this rule," she said. "I would recommend that the laboratories themselves understand the rule and provide access to the patients from the lab side of things and then coordinate with medical records."

Burden, or Opportunity?

Even though requests to his lab from patients have only trickled in, Velázquez emphasized that going forward, dealing directly with patients could benefit the lab community. "I think this will be a cultural transformation and also a procedural transformation for labs that have not done it before," he said. "I think it is a very important role for the lab to play, to offer consumers information that allows them to be more engaged in their own wellness, health, and disease management."

McGraw believes that labs ought to take the chance to collaborate with forward-thinking patients, physicians, and health systems which embrace the idea of more informed patients. "I think there is an opportunity for clinical labs to create relationships with the patients that they ultimately serve," she said. "And while there were a number of physician organizations that came out against this rule because they were concerned that patients would not be able to put the lab information into context, there will be plenty of physicians who may be supportive of this, and I think labs have an opportunity to create partnerships with them."

Labs should look for physician clients who themselves are going through the process of establishing portals or other accounts to share information with patients, McGraw suggested. That way, patients might be able to sign up for a portal that allows electronic communication to the physician and the lab at the same time.

"I think the best reaction that I would hope for from this final rule is that labs and other providers see it as an opportunity to improve care for patients, as opposed to a burden or an unwarranted intrusion on physician practice," McGraw said. "An educated patient is much more likely to get better, to follow medical advice for chronic conditions, and we should expect patients to be partners in their healthcare, if not fully engaged and managing their healthcare. Patients are not clinicians, but they know a whole lot about what's important to their own lives. And since so much of healthcare occurs outside of the physician's office or hospital, if we really want to move the needle on healthcare reform, we need to look at patients as the lynchpin."