“We have been concerned that the interpretation of CLIA has stood in the way of easy information exchange,” Blumenthal said at the HIMSS conference.
The new CMS interpretation, he said, clarifies that “patient access to records is permissible unless specifically prohibited by a state.”
Specifically, in the 18-page guidance, the CMS revised the Survey Procedures and Interpretive Guidelines for Laboratories and Laboratory Services in appendix C of the state operations manual.
The CMS guidance addresses four categories in the manual:
The electronic transmission of lab results to the “authorized” individual and others designated by the authorized person to receive the information.
Inclusion of data from EHRs under existing retention requirements.
Additional considerations labs need to take into account when using health information technology in the exchange of lab data.
Managing corrected reports for an EHR.
The revisions were effective immediately.
The CMS will host what it is describing as “an all-state call” for CLIA surveyors, state Medicaid staff and IT leaders “in the near future” to respond to questions about the guidelines. The call date has been set tentatively for April 6, but details have not been firmed up, CMS spokesman Joe Kuchler said.
A cogent explanation of the complex interplay between federal and state laws involving lab test orders and results came last year from Joy Pritts, now the chief privacy officer at the ONC. At the time of her testimony, however, Pritts, a lawyer, was a research associate professor at the Health Policy Institute at Georgetown University.
Pritts explained the interrelationships between the Health Insurance Portability and Accountability Act of 1996, CLIA and various state laws regulating labs, professional licensure and patient privacy and record access rights during a presentation at the Oct. 20 meeting of the information exchange work group of the Health IT Policy Committee.
Much of federal healthcare privacy law flows out of HIPAA, which provides patients the right to obtain copies of their own medical records, a right that was strengthened by the American Recovery and Reinvestment Act of 2009, also known as the stimulus law, Pritts said.
However, according to Pritts, HIPAA includes a “carve out” for certain orders and results from the approximately 200,000 U.S. labs covered by CLIA.
CLIA provides that test results “must be released only to authorized persons and, if applicable, the individual responsible for using the test results and the laboratory that initially requested the test,” the last restriction referring to one lab forwarding a request for a test to another lab and the reverse flow of lab test results that would follow.
Under CLIA, according to Pritts, an authorized person is defined as “an individual authorized under state law to order tests or receive test results or both.” According to Pritts, “HHS has indicated … if a state does not define the term ‘authorized person,’ the person permitted to receive the test results is the person who ordered the test.”
Pritts found that 16 states “expressly permit or require” lab results to be released “only to the healthcare provider or person who requested the test, or to their agent or designee.”
Another eight states allow release of test results to the person who ordered the test, is authorized to use or receive the test results, or is responsible for using or receiving test results. Two more states allow labs to release test information to persons authorized to use test results. Some state laws allow release of lab results only to practitioners licensed in their states, according to Pritts' research.
In addition, the laws in 26 states are silent on who may receive lab test results, throwing control back to CLIA, which under an HHS interpretation of the HIPAA privacy rule means that in those states, the person authorized to receive test results is the person who ordered the test.
Pritts concluded that “under conservative interpretations” of HIPAA, CLIA and state laws, test results can be released directly only to the provider or the person who ordered the test in as many as 42 states.
Because HIPAA defers to CLIA and the states, “whether patients are able to directly access laboratory test results (or direct where those results may be sent) is largely determined under state law.” That has implications for patients with personal health-record systems and also presents potential business challenges to vendors such as Microsoft Corp., Google and Dossia, which offer PHRs that are not “tethered” to, or extensions of, a provider's EHR, an IT system often developed by competing vendors or by the providers themselves.
“The emergence of personal health records as a potential vehicle for exchanging personal health information raises the issue of how patients will be able to populate these records,” Pritts wrote.
Most state lab laws do not expressly permit or require labs to release test results directly to patients (or their PHRs), according to Pritts. And while six states either permit or require the release of lab results to patients without provider authorization, seven states “expressly provide that test results may be released to a patient only with the authorization of the person who ordered the tests.”
Pritts concluded, “It is clearly time to re-examine these restrictions in light of developing health information exchange.”