The American Recovery and Reinvestment Act of 2009 created the Health Information Technology Policy Committee to advise the federal government on matters such as these. Members of the “information exchange” work group of that committee heard testimony on lab issues from 16 scheduled witnesses and another half-dozen comments from the floor during a five-hour public hearing on Tuesday.
Panelist Joy Pritts is a privacy lawyer and an assistant research professor at the Health Policy Institute at Georgetown University. In her testimony, Pritts gave her opinion on the lay of the law on labs. She also presented preliminary results of her HHS-funded study of state laws on lab regulation and their impact of the electronic exchange of lab data.
Pritts explained that, typically, privacy issues involving electronic health information are governed at the federal level by the Health Insurance Portability and Accountability Act of 1996. HIPAA also gives patients a right of access to their own medical records—a right that was strengthened by the health information technology privacy provisions of the recently passed stimulus law.
However, HIPAA includes a “carve out” for certain test orders and results under labs covered by the Clinical Laboratory Improvement Act, or CLIA, Pritts said. Passed in 1988, CLIA covers thousands of hospital laboratories as well as thousands more commercial reference labs.
In contrast to HIPAA, many states take a far more paternalistic view regarding whether patients should have unfettered access to their own lab test results, Pritts explained. Labs, data-miners and health information exchanges also see the variability in state lab laws as a barrier to their operations.
In general, CLIA says lab results should be protected, but it allows the release of patient test results in a couple of ways.
One way permits a lab to release test results to the “individual responsible for using the test.” The phrase is not further defined under federal law, Pritts said, but is “generally understood to include the person who ordered the test.”
A way allows a lab to release patient test results to an “authorized person,” which is defined in the law as an “individual authorized under state law to order tests or receive tests, or both.” So, in effect, HIPAA hands off protection of lab data to CLIA, which defers in many cases to the states, according to Pritts.
Pritts reviewed the results of a survey she completed of the various state lab licensure laws, which are often intertwined with that state's physician licensure laws, in that some state limits on the practice of medicine include who can order lab tests.
Sixteen states allow the release of test results only to the person who requested the test or the requestor's designee, Pritts said. Another 26 states are silent on lab data release, so the CLIA rule on “the individual responsible for using the test” applies.
Angela Brice-Smith, the deputy director for the Medicaid and State Operations Survey and Certification Group at the CMS, testified that CLIA, itself, presents no barrier to the simultaneous movement of lab results to health information exchanges as well as to the physicians who ordered the tests.
To authorize sending lab data to their local health information exchanges, clinicians simply need to identify the exchange to which the lab test results are to be sent at the same time he or she submits the lab order, Brice-Smith said.
CLIA defers to state laws, “because of the diversity of laws on that subject,” Brice-Smith said.
One contentious issue, however, according to several witnesses, is the current policy that CLIA holds labs responsible for ensuring their data transmissions reach the “final report destination” intact, which typically means lab personnel must visually inspect the display of a lab test report on a physician's EHR.
These on-site verifications are time-consuming and may impede an expected rush by physicians to get lab interfaces built into the EHRs they are being subsidized to buy and “meaningfully use” under the stimulus law, according to Donald Horton, vice president, public policy and advocacy for Laboratory Corporation of America. Clinical labs have “no control” over modifications to a test result report made by EHR vendors in displaying the results on their systems. The same holds true for health information exchanges, he said. Horton said he favors releasing labs from the responsibility of ensuring that EHRs properly display their electronically transmitted results. He advocates this requirement be covered under the EHR system certification process that is a part of the stimulus act.
“In the current electronic health information exchange environment, ‘final report destination' has become a virtually meaningless term,” Horton said, since the exchanges themselves can modify what they end up transmitting to physicians and other providers. Labs' responsibilities should end once they ship the result in a standardized format to the provider or other intermediary, he said.
Work group member Dave Goetz, commissioner of the Tennessee Department of Finance and Administration, asked whether the CMS might waive its requirement that the view of lab systems results must be checked by labs at the user end, but Brice-Smith was noncommittal.
“Maybe some other party should address that concern,” she said. “We'll at least examine it in terms of its merit.”
Horton also testified that another provision of CLIA stands in the way of broader, secondary use of patient data. It involves data transfers in bulk that labs are willing to provide, absent fear of the law.
According to Horton, labs can accommodate the CLIA requirement that a lab obtain the consent of an ordering physician if, say, the lab is asked to send a single set of tests results to another healthcare provider. Obtaining permissions for very large data sets are another matter, according to Horton's written testimony, which he also read aloud at the work group meeting Tuesday.
The CLIA provision that individual end users of lab test results must authorize their release makes life for labs “far more difficult in the context of making millions of historical test results available for health information networks,” Horton said.
The same CLIA requirement for end-user authorizations limits labs from making “peer-to-peer transmissions to entities that need large quantities of lab data for secondary uses.” Those would include health plans, Horton said, “who need lab data for quality improvement, disease or case management, patient safety, or pay-for-performance initiatives.”
“Labs have attempted to address the issue of documenting ordering-provider authorization through contractual representations and warranties from data recipients,” Horton said, “but this ‘workaround' is extremely inefficient and is not always effective.”
Horton said the lab industry's trade group, the American Clinical Laboratory Association, or ACLA, has developed proposed amendments of both the CLIA statute and regulations.” These lab-desired regulatory changes would expand the list of “authorized persons” to whom labs can send test results. The expanded list would include all so-called “covered entities” and their “business associates” as defined under HIPAA.
“Our proposal would operate as a targeted pre-emption of state authorized person laws,” he said. “States would continue to be permitted to define “authorized person,” so long as they do not exclude covered entities and business associates.”
Under the stimulus act that created the HIT Policy Committee, Congress required that one person on the panel “have expertise in health information privacy and security.” The comptroller general appointed Deven McGraw to be that person. McGraw is the director of the Health Privacy Project at the Center for Democracy and Technology, a Washington, D.C.-based think tank. She also serves as co-chair of Tuesday's information exchange work group and is a member of another policy committee work group on “meaningful use” of IT.
McGraw she questioned Horton on the scope of the ACLA's proposed changes in the law and administrative rules.
Did he really mean, McGraw asked, that the labs want to be able to move data to “any covered entity? Any business associate?”
“Under HIPAA,” she said, “the definition of treatment is not just the individual you're treating. HIPAA said it could be any covered entity.”
Horton said, “I would agree, that is the effect of the language we propose.”
Why is it, Horton asked, that labs can send HIPAA-protected health information only “to a small subset” of potential data users when another covered entity that is not a lab can send data to any other covered group? All labs are seeking, he said, is “parity” with other covered organizations.
McGraw, however, said this broad authority of a covered group under HIPAA to send patient healthcare information to another covered organization “some would consider as a loophole.”
Regarding the lab industry's parity problem, McGraw said, “I'm disinclined to fix it by taking arguably what is an enormous loophole (and) allowing the lab companies to do the same.”
What do you think? Write us with your comments at [email protected]. Please include your name, title and hometown.