- Texas CISO points to HITRUST and NSA guidance to boost cybersecurity
- GAO: Veterans finding VA care hard to access
- NIST: New guidance for strengthening hospital cybersecurity is coming
- Hackers hit two more hospitals with ransomware
- OCR unleashes second wave of HIPAA audits, but will it diminish patients' privacy and security expectations?
The Department of Health and Human Services (HHS) issued a final rule on Monday that enables laboratories to release results to a patient or a patient’s personal representative.
“Information like lab results can empower patients to track their health progress, make decisions with their health care professionals, and adhere to important treatment plans,” said Secretary Kathleen Sebelius in a prepared statement.
That right is also “a cornerstone of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule” Sebelius continued.
Amending the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations, the final rule eliminates the exception under HIPAA’s 1996 (HIPAA) Privacy Rule to an individual’s right to access his or her protected health information, when it is held by a CLIA-certified or CLIA-exempt laboratory.
While patients can continue to get access to their laboratory test reports from their doctors, these changes bring a new option for obtaining test reports directly from the laboratory while maintaining strong protections for patients’ privacy.
The final rule was issued jointly by three agencies within HHS: the Centers for Medicare & Medicaid Services (CMS), which is generally responsible for laboratory regulation under CLIA, the Centers for Disease Control and Prevention (CDC), which provides scientific and technical advice to CMS related to CLIA, and the Office for Civil Rights (OCR), which is responsible for enforcing the HIPAA Privacy Rule.
Under the HIPAA Privacy Rule, patients, patient’s designees and patient’s personal representatives can see or be given a copy of the patient’s protected health information, including an electronic copy, with limited exceptions.
In doing so, the patient or the personal representative may have to put their request in writing and pay for the cost of copying, mailing, or electronic media on which the information is provided, such as a CD or flash drive. In most cases, copies must be given to the patient within 30 days of his or her request.
"Patient engagement is essential to creating a healthcare system that delivers better health outcomes at lower costs," said Jon Cohen, M.D., senior vice president and chief medical officer at Quest Diagnostics. "HHS's final rule means millions of Americans who previously could not access their laboratory and other health care data from clinical laboratory companies like Quest can now do so without first requiring the approval of their healthcare provider. That's a huge win for patients who want to take responsibility for their healthcare and engage in a richer dialogue with their healthcare providers in the interest of making informed clinical decisions."