The Department of Health and Human Services (HHS) continues to tweak HIPAA privacy rules. Most recently HHS strengthened patients rights to lab report access by allowing laboratories to give completed report results directly to patients or their designated representatives. The new rule, which supersedes all state laws, goes into effect April 7, 2014 with laboratory compliance mandated by October 6, 2014.
In announcing the final rule amending both HIPAA and the Clinical Laboratory Improvement Amendments, HHS stated,
While patients can continue to get access to their laboratory test reports from their doctors, these changes give patients a new option to obtain their test reports directly from the laboratory while maintaining strong protections for patients privacy.
HIPAA-covered laboratories will need to develop procedures for processing test report requests directly from patients while taking precautions to protect patient privacy and document compliance with HIPAA rules. As with other healthcare providers subject to HIPAA compliance, documentation of every step in the compliance process is a necessary matter of self-protection should OCR ever conduct an audit.
To comply with the HIPAA rule, laboratories will need to create and document specific procedures that address how they and their employees will handle the following issues:
1. Receipt of lab report requests.
2. Identification authentication.
3. Test report retrieval.
4. Verification of how and where the report is to be delivered with secure procedures for mail, fax, email and electronic delivery.
5. Documentation of report issuance.
6. Revision of laboratory privacy notice to inform patients of their right to report access and procedures for requesting access.
As do other healthcare providers, laboratories may find MedConnectUSAs HIPAA-compliant telephone answering and secure messaging services valuable in managing patient report requests and issuing reports by secure phone, fax or text.