Close Server: KOPWWW05 | Not logged in

Welcome to Health Care POV | sign in | join
Press Start: Lead an Empowered Life as a Clinical Laboratorian

Answering Your Questions About Patients' Direct Access to Lab Results

Published April 5, 2014 11:48 AM by Glen McDaniel

Since my blog last month regarding to the HHS mandate that laboratories must grant patients access to their lab results on request, my mailbox has been inundated with comments and questions. A few questions were asked by more than one writer and so I thought I would seek direct guidance from HHS and answer the most commonly asked questions here.


Doesn’t this new requirement reverse HIPAA?


No, both CLIA and HIPAA regulations have been adjusted to accommodate these requirements. HIPAA privacy rules had always sought to protect how patient information was secured and protected, and  specify under what conditions such information could be disclosed.  In the final rule published by HHS in February, some restrictions were removed from both HIPAA privacy rules and CLIA regulations.


This is a very specific requirement and does not negate, reverse or cancel HIPAA. Maintaining the security and confidentiality of patient results are still very much in effect.


Labs will still need to verify the patient's identity before releasing results. In cases where results are requested by a patient’s “personal representative,” the lab must verify both the identity and authority of the patient’s legal designee.


Is there no concern for how much this will cost labs?


I am not sure about concern from the federal government, but CMS does estimate that about 23,000 labs will be affected. It recognizes that processes, infrastructure and equipment might all have to change. The agency estimates that labs will receive between 175,000 and 3.5 million patient requests annually and the cost of compliance might be as high as $59 million. Labs will be permitted to charge each patient  a reasonable fee for each request.


Will this apply to all labs including reference labs?


Good question. I suspect the reasoning for this question is that patients do not generally have a direct relationship with reference labs. For most reference labs the client is a referring entity like a hospital, physician etc.


CMS says the rule should be applied uniformly and applies to all laboratories. Their goal is to make it easier to access results, wherever tests are performed, so reference labs will not be exempt.


What about those states that prohibit release of results directly to patients?


As I alluded to in my earlier post, this rule supersedes state law restricting the release of results. About 13 states have some specific restriction on releasing results to patients directly. This rule voids that prohibition and labs must now release results to patients regardless of previous prohibition by state law.


Doesn’t this place a legal burden on laboratories being asked to explain test results?


The requirement is to provide the result to the patient within 30 days of receiving a request from the patient. The mandate is not to interpret the result or to explain the clinical significance to the patient. In many cases, the patient will have already discussed the result with their physician by the time the lab receives a request. Sometimes the patient just needs a valid copy for their records or to seek a second opinion.


Physician groups like the American Medical Association have opposed this rule on the basis that patients are not prepared to interpret their result and having free access without a doctor’s help might actually be more harmful than helpful.


HHS responded that this is based on the philosophy that the patient owns his or her own results, and the benefits of direct access far outweigh any theoretical risk. HHS also points out that the rule does not diminish the role of the provider in interpreting and explaining lab results to patients. Diagnoses and treatment will still be based on the full picture, not just a few lab results.


It is interesting to note that several studies have shown that providers fail to notify patients of abnormal results about 7 percent of the time. Some estimates are even higher.


 Direct access to one’s own results is designed to empower the patient, not to burden labs and not to minimize the role of physicians.


Thank you  Mr. McDaniel for all the useful information. This is the first place I saw any information about this new rule about providing patients with their results. Since then I have been reading up on it wherever I can find information. Thanks to Advance for always giving us the latest information.

Myriam B. April 18, 2014 9:17 PM
Chicago IL

Thank you for continuing to dialogue about this new ruling and to send it questions. I will answer as my knowledge and time allows.

This week, I received 3 more questions.

1.What kind of identification is required if the patient shows up at the lab?

Not surprisingly, the rule is long on requirements, but short on the specific "how" to adhere to the rule. Like a law, however, it is important to act to meet the spirit as well as the letter of the law.

Based on HIPAA regs the spirit of the law is that the lab makes every "reasonable effort" to verify the identity of the person making the request, so the lab could ask that the patient gives his full name (not simply answer to "is your name John Brown"?), social security number  or health record number and also provide a government issued ID with a picture. That would be both reasonable and secure.

2. What about electronic results. How do you verify identification?

There are a number of ways to do this. One method might be  having a patient set up an account at a portal using various pieces of information like medical record number, social security number, full name etc. These together provide what's generally called "positive identification." Those details would be the same information on the lab requisition hopefully. They would then select a username and password to log in to their account.

But there is a strong suggestion from security folks that the lab requires more than a username and password to log in to that portal where results are available. They should also use what's called knowledge based authentication per National Institute for Standards and Technology standards (NIST 1.5).

Authentication might require the patient answers a series of questions similar to those used by some bank and credit card online sites. The user might be prompted randomly or periodically to supply the correct (predetermined) answers to questions like : mother's maiden name, street I grew up on, my favorite sports team and so on.

3. In what form should results be provided?

I am guessing you mean electronic or paper. Well, that depends. If the patient does not specify then the lab can decide. If the patient presents in person with a positive ID as in question 1, then the lab can provide  a paper copy. You might also choose instead to provide an electronic copy within 30 days of the request.

There is a HIPAA requirement that if the patient requests an electronic copy, the lab is required to provide the result in electronic form. This can be by Internet (such as a medical portal) as in 2 above. The lab can also provide the results on a disc or via email. But in both of these case, the spirit of the law is that those formats (disc, digital device, email etc) would be encrypted to add further security.

The lab could also send an unencrypted email or text that says, "your results are available" and direct the user to the more secure Internet portal.

Glen McDaniel April 11, 2014 8:40 PM

leave a comment

To prevent comment spam, please type the code you see below into the code field before submitting your comment. If you cannot read the numbers in the image, reload the page to generate a new one.

Enter the security code below:


About this Blog

Keep Me Updated