CLIA Program and HIPAA Privacy: Patients' Access to Test Reports
This Proposed Rule document was issued by the Centers for Medicare Medicaid Services (CMS)
For related information, Open Docket Folder
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Centers for Medicare & Medicaid Services
42 CFR Part 493
Office of the Secretary
45 CFR Part 164
CLIA Program and HIPAA Privacy Rule; Patients' Access to Test Reports
Centers for Medicare & Medicaid Services (CMS), HHS; Centers for Disease Control and Prevention (CDC), HHS; Office for Civil Rights (OCR), HHS.
This proposed rule would amend the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations to specify that, upon a patient's request, the laboratory may provide access to completed test reports that, using the laboratory's authentication process, can be identified as belonging to that patient. Subject to conforming amendments, the proposed rule would retain the existing provisions that provide for release of test reports to authorized persons and, if applicable, the individuals (or their personal representative) responsible for using the test reports and, in the case of reference laboratories, the laboratory that initially requested the test. In addition, this proposed rule would also amend the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to provide individuals the right to receive their test reports directly from laboratories by removing the exceptions for CLIA-certified laboratories and CLIA-exempt laboratories from the provision that provides individuals with the right of access to their protected health information.
To be assured consideration, comments must be received at one of the addresses provided below, no later than 5 p.m. on November 14, 2011.
In commenting, please refer to file code CMS-2319-P. Because of staff and resource limitations, we cannot accept comments by facsimile (FAX) transmission.
You may submit comments in one of four ways (please choose only one of the ways listed):
1. Electronically. You may submit electronic comments on this regulationto http://www.regulations.gov. Follow the “Submit a comment” instructions.
2. By regular mail. You may mail written comments to the following address ONLY: Centers for Medicare & Medicaid Services, Department of Health and Human Services, Attention: CMS-2319-P,P.O. Box 8010, Baltimore, MD 21244-8010.
Please allow sufficient time for mailed comments to be received before the close of the comment period.
3. By express or overnight mail. You may send written comments to the following address ONLY: Centers for Medicare & Medicaid Services, Department of Health and Human Services, Attention: CMS-2319-P, Mail Stop C4-26-05, 7500 Security Boulevard, Baltimore, MD 21244-1850.
4. By hand or courier. Alternatively, you may deliver (by hand or courier) your written comments ONLY to the following addresses prior to the close of the comment period:
a. For delivery in Washington, DC—Centers for Medicare & Medicaid Services, Department of Health and Human Services, Room 445-G, Hubert H. Humphrey Building, 200 Independence Avenue, SW., Washington, DC 20201.
(Because access to the interior of the Hubert H. Humphrey Building is not readily available to persons without Federal government identification, commenters are encouraged to leave their comments in the CMS drop slots located in the main lobby of the building. A stamp-in clock is available for persons wishing to retain a proof of filing by stamping in and retaining an extra copy of the comments being filed.)
b. For delivery in Baltimore, MD—Centers for Medicare & Medicaid Services, Department of Health and Human Services, 7500 Security Boulevard, Baltimore, MD 21244-1850.
If you intend to deliver your comments to the Baltimore address, please call telephone number (410) 786-9994 in advance to schedule your arrival with one of our staff members.
Comments erroneously mailed to the addresses indicated as appropriate for hand or courier delivery may be delayed and received after the comment period.
Submission of comments on paperwork requirements. You may submit comments on this document's paperwork requirements by following the instructions at the end of the “Collection of Information Requirements” section in this document.
For information on viewing public comments, see the beginning of theSUPPLEMENTARY INFORMATIONsection.
For Further Information Contact
For CLIA regulations:
Nancy Anderson, CDC, (404) 498-2280.
Judith Yost, CMS, (410) 786-3531.
For HIPAA Privacy Rule:
Andra Wicks, OCR, (202) 205-2292.
Inspection of Public Comments: All comments received before the close of the comment period are available for viewing by the public, including any personally identifiable or confidential business information that is included in a comment. We post all comments received before the close of the comment period on the following Web site as soon as possible after they have been received: http://www.regulations.gov. Follow the search instructions on that Web site to view public comments.
Comments received timely will also be available for public inspection as they are received, generally beginning approximately 3 weeks after publication of a document, at the headquarters of the Centers for Medicare & Medicaid Services, 7500 Security Boulevard, Baltimore, Maryland 21244, Monday through Friday of each week from 8:30 a.m. to 4 p.m. To schedule an appointment to view public comments, phone 1-800-743-3951.
The Clinical Laboratory Improvement Amendments of 1988 (CLIA) were enacted to establish quality standards for certain laboratory testing. These standards ensure the accuracy, reliability and timeliness of patient test results, regardless of where the test is performed. The standards are based on the complexity of the laboratory test method; the more complicated the test, the more stringent the requirements for the laboratory.
CLIA established three categories of testing based on complexity level. In increasing order of complexity, these categories are waived complexity, moderate complexity which includes the subcategory of provider-performed microscopy (PPM), and high complexity. Laboratories must hold a CLIA certificate for the most complex form of CLIA-regulated testing that they perform.
CLIA covers all phases of laboratory testing, including the reporting out of test results. The CLIA-based limitations that govern to whom a laboratory may issue a test report have become a point of concern. The requirements for a laboratory test report are set forth in 42 CFR 493.1291.
Under the current regulations at § 493.1291(f), CLIA limits a laboratory's disclosure of laboratory test results to three categories of individuals: the “authorized person,” the person responsible for using the test results in the treatment context, and, in the case of reference laboratories, the referring lab. Authorized person is defined in § 493.2 as the individual authorized under State law to order or receive test results, or both. In States that do not provide for individual access to the individual's test results, the individual must receive his or her results through the ordering provider.
While individuals can obtain test results through the ordering provider, we believe that the advent of certain health reform concepts (for example, individualized medicine and an individual's active involvement in his or her own health care) would be best served by revisiting the CLIA limitations on the disclosure of laboratory test results.
Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (The Recovery Act), which was enacted on February 17, 2009, incorporated the Health Information Technology for Economic and Clinical Health (HITECH) Act.
HITECH created a Federal advisory committee known as the Health Information Technology (HIT) Policy Committee. The HIT Policy Committee has broad representation from major health care constituencies and provides recommendations to the Office of the National Coordinator for Health Information Technology (ONC) on issues relating to the implementation of an interoperable, nationwide health information infrastructure. Among other efforts, the HIT Policy Committee has sought to identify barriers to the adoption and use of health information technology. According to the HIT Policy Committee, CLIA regulations are perceived by some stakeholders as imposing barriers to the exchange of health information. These stakeholders include large- and medium-sized laboratories, some public health laboratories, electronic health record (EHR) system vendors, health policy experts, health information exchange organizations (HIOs) and healthcare providers who believe that the individual's access to his or her own records is impeded, preventing patients from a more active role in their personal health care decisions.
CLIA staff worked with the Office of the National Coordinator for Health IT (ONC), and the CMS Office of E-Health Standards and Services (OESS) toensure an individual's direct access to his or her own medical records through laboratories.
The collaborating offices believe the provision of direct patient access to laboratory test reports would support the commitments and goals of the Secretary of HHS and the CMS Administrator regarding the widespread adoption of EHRs by 2014.
Therefore, in an effort to increase direct patient access rights, we are proposing that, upon a patient's request, CLIA regulations would allow laboratories to provide direct patient access to completed test reports that, using the laboratory's authentication processes, the laboratory can identify as belonging to that patient. We propose to retain the other categories of individuals who are eligible to receive test reports from laboratories, namely the individuals responsible for using the test reports, and, in the case of a reference laboratory, the laboratory that initially requested the test. We also propose certain conforming amendments to the existing regulations. CMS solicits comments from stakeholders regarding the potential impact of this change on improving patients' access to their laboratory results.
B. HIPAA Statute and Privacy Rule
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Title II, subtitle F—Administrative Simplification, Public Law 104-191, 110 Stat., 2021, provided for the establishment of national standards to protect the privacy and security of personal health information. The Administrative Simplification provisions of HIPAA apply to three types of entities, which are known as “covered entities”: health care providers who conduct covered health care transactions electronically, health plans, and health care clearinghouses.
A laboratory, as a health care provider, is only a covered entity if it conducts electronic transactions (for example, electronic submission of health care claims). The list of HIPAA transactions applicable to providers are:
If a laboratory does not conduct any of the above transactions electronically (either because it does not conduct the transactions at all or because it does so via paper), then it is not subject to the HIPAA Privacy Rule. If a laboratory conducts a single transaction electronically, then it becomes a covered entity and is subject to the Privacy Rule with respect to all protected health information that it creates or maintains (that is, the application of the Privacy Rule is not limited to the individuals or records associated with an electronic transaction).
Pursuant to HIPAA, on December 28, 2000, the Department published a final rule in theFederal Register(65 FR 82462) entitled “Standards for Privacy of Individually Identifiable Health Information, known as the “Privacy Rule,” which was amended on August 14, 2002 (67 FR 53182). The Privacy Rule at 45 CFR 164.524 provides individuals with a general right of access to inspect and obtain a copy of protected health information about the individual in a designated record set maintained by or for a covered entity. A “designated record set” is defined at § 164.501 as a group of records maintained by or for a covered entity that is comprised of the medical records and billing records about individuals maintained by or for a covered health care provider; the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or used, in whole or in part, by or for the covered entity to make decisions about individuals.
The definition of “designated record set” also clarifies that the term “record” means “any item, collection, or grouping of information that includes protected health information and is maintained, collected, used or disseminated by or for a covered entity.” Laboratory test reports maintained by or for a laboratory that is a covered entity fall within the definition of designated record set since they are medical records about individuals.
The right of access under § 164.524 extends not only to individuals, but also to individuals' personal representatives. The rules governing who may act as a personal representative under the Privacy Rule are set forth at § 164.502(g).
While individuals (and personal representatives) generally have the right to inspect and obtain a copy of their protected health information in a designated record set, the Privacy Rule includes a set of exceptions related to CLIA. The right of access under § 164.524 of the Privacy Rule does not apply to: protected health information maintained by a covered entity that is—(1) Subject to CLIA to the extent the provision of access to the individual would be prohibited by law; or (2) exempt from CLIA.
These exceptions at § 164.524(a)(1)(iii) were included in the Privacy Rule because the Department wanted to avoid a conflict with the CLIA requirements that limited patient access to test reports (65 FR 82485). These exceptions only cover test reports at CLIA and CLIA-exempt laboratories; the individual has a right to access the test reports when held by any other type of covered entity (for example, a hospital or treating physician).
Because CMS is proposing to amend the CLIA regulations to allow CLIA-certified laboratories to provide patients with direct access to their test reports, there is no longer a need for the exceptions at § 164.524 for CLIA and CLIA-exempt laboratories. Unless these exceptions are removed from the Privacy Rule, they would serve as a barrier to individuals' right of access to test reports. Failure to eliminate these barriers would be inconsistent with the CMS proposal and the goals of HHS to improve individuals' electronic access to their health information and have widespread adoption of EHRs by 2014. Accordingly, HHS is proposing to remove the exceptions for CLIA and CLIA-exempt laboratories from the right of access at § 164.524.
II. Provisions of the Proposed Regulations
A. Proposed Changes to the CLIA Regulations (42 CFR 493.1291)
This rule proposes revisions to § 493.1291 to provide patients, upon request, with direct access to their laboratory test reports. To do so we are proposing to add § 493.1291(l) to specify that, upon a patient's request, the laboratory may provide an individual with access to his or her completed test reports that, using the laboratory's authentication processes, can be identified as belonging to that patient. In using “may,” however, we would highlight the importance of reading the proposed CLIA provisions in concert with the applicable HIPAA provisions. As described in section IIB below, HIPAA generally requires covered entities to give patients access to their records. One exception to this general mandate is a provision that exempts entities subject to CLIA where a law bars disclosure. If finalized, the proposed HIPAA amendments will remove this exception, and covered entity laboratories will be required to provide patients with access to test reports. While a more detailed HIPAA preemption analysis is found in section IIB below, we note that the CLIA “may”plus the HIPAA “must” would result in a “must disclose” for laboratories that are HIPAA covered entities.
We also note that, as proposed, the CLIA regulations would not spell out the mechanism by which patient requests for access would be submitted, processed, or responded to by the laboratories. In providing this latitude, we intend to allow patients and their personal representatives' access to patient test reports in accordance with the requirements of the HIPAA Privacy Rule.
Subject to conforming amendments, we propose to retain the existing requirements at § 493.1291(f) that otherwise limit the release of test reports to authorized persons and, if applicable, the individuals (or their personal representatives) responsible for using the test reports and, in the case of a reference laboratory, the laboratory that initially requested the test.
B. Proposed Changes to the Privacy Rule (45 CFR 164.524)
The Department also proposes to amend the Privacy Rule at § 164.524 to remove the exceptions that relate to CLIA and affect an individual's right of access. This proposal would align the Privacy Rule with CMS' proposed changes and the Department's goal of improving individuals' access to their health information.
As a result of this proposal, HIPAA covered entities that are laboratories subject to CLIA would have the same obligations as other types of covered health care providers with respect to providing individuals with access to their protected health information in accordance with § 164.524. Similarly, HIPAA covered entities that are CLIA-exempt laboratories (as the term is defined at 42 CFR 493.2) would no longer be excepted from HIPAA's right of access under § 164.524(a)(1)(iii)(B). As with other covered entities, HIPAA covered laboratories would be required to provide access to the individual or the individual's personal representative.
The current HIPAA Privacy Rule requires covered entities to provide an individual with access to protected health information in the form or format requested by the individual, if it is readily producible in such form or format. The Privacy Rule permits covered entities to charge a reasonable, cost-based fee to provide individuals with copies of their protected health information. The fee may include only the cost of copying (including supplies and labor) and postage, if the patient requests that the copy be mailed. If the patient has agreed to receive a summary or explanation of his or her protected health information, the covered entity may also charge a fee for preparation of the summary or explanation. The fee may not include costs associated with searching for and retrieving the requested information.
On July 14, 2010, the Department issued a proposed rule to implement most of the privacy and security provisions of the HITECH Act, which included provisions to strengthen an individual's right to receive an electronic copy of his or her protected health information, where such information is maintained electronically in one or more designated record sets. Specifically, the proposed rule would require in such cases that the covered entity provide the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible in such form and format, or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual. Additionally, the Department proposed changes to address and clarify the fees associated with the provision of electronic access. The Department proposed to allow reasonable cost-based fees reflecting the costs of labor for creating the electronic copy of the information and of supplies, such as CDs, if the individual requests that the electronic copy be provided on portable media. HIPAA covered laboratories would be required to comply with the Privacy Rule's provisions regarding form of access provided and fees, as they exist currently and then are ultimately modified by a final rule implementing the HITECH Act. With respect to the provision of electronic access, covered entities that have electronic reporting capabilities are expected to provide the individual with a machine readable or other electronic copy of the individual's protected health information. (The individual always retains the right to request and receive a paper copy, if desired.) The Department considers machine readable data to mean digital information stored in a standard format enabling the information to be processed and analyzed by computer. For example, this would include providing the individual with an electronic copy of the protected health information in the format of MS Word or Excel, text, HTML, or text-based PDF, among other formats. We request comment on the ability of laboratories to provide electronic copies of protected health information in machine readable or other electronic formats.
Under our proposal, § 164.524 would preempt any contrary provisions of State law. HIPAA, at section 1178 of the Social Security Act (the Act), provides that the administrative simplification regulations (“the HIPAA Rules”) preempt any contrary provisions of State law. A provision of State law is “contrary” to a provision of the HIPAA Rules if a covered entity would find it impossible to comply with both the State and Federal requirements; or the provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of part C of title XI of the Act or section 254 of Public Law 104-191, as applicable.
Pursuant to section 264(c)(2) of HIPAA, the HIPAA Privacy Rule includes an exception from this general preemption if “the provision of State law relates to the privacy of individually identifiable health information and is more stringent than a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter.” With respect to a State law pertaining to an individual's right to access his or her protected health information, a State law is more stringent than the Privacy Rule if the State law “permits greater rights of access or amendment, as applicable” (§ 160.202).
A number of States have laws that prohibit a laboratory from releasing a test report directly to the patient or that prohibit the release without the ordering provider's consent. If adopted, the proposed changes to § 164.524 would preempt any contrary State laws that prohibit the HIPAA-covered laboratory from directly providing access to the individual.
We note that covered entities, including CLIA and CLIA-exempt laboratories under our proposal, must satisfy the verification requirement of § 164.514(h) before providing an individual with access. This requirement is consistent with the proposed change to the CLIA requirements, which would allow a laboratory to provide patients with access to test reports when the laboratory can authenticate that the test report pertains to the patient. We recognize that a laboratory may receive a test order with only an anonymous identifier and thus may be unable to identify the individual who is the subject of the test report. It is not our intent to discourage such anonymous testing. In this case, the laboratory that receives a request for access from an individual but cannot verify that the requesting individual is the subject of a test report is under no obligation to provide access.
We propose that, if finalized, HIPAA-covered laboratories would be required to comply with the revised § 164.524 by no later than 180 days after the effective date of the final rule. The effective date of the final rule would be 60 days after publication in theFederal Register, so laboratories would have a total of 240 days after publication of the final rule to come into compliance. This compliance period is consistent with section 1175(b)(2) of the Act, which provides that the Department must provide covered entities with at least 180 days to come into compliance with modifications to standards under the HIPAA Rules. This compliance period also is consistent with our proposed changes to § 160.105 found in the July 14, 2010 proposed rule (75 FR 40868). That proposal would establish at § 160.105 a 180-day compliance period for future modifications to the HIPAA Rules, unless otherwise specifically provided.
III. Collection of Information Requirements
Under the Paperwork Reduction Act of 1995, we are required to provide 60-day notice in theFederal Registerand solicit public comment before a collection of information requirement is submitted to the Office of Management and Budget (OMB) for review and approval. In order to fairly evaluate whether an information collection should be approved by OMB, section 3506(c)(2)(A) of the Paperwork Reduction Act of 1995 requires that we solicit comment on the following issues:
We are soliciting public comment on each of these issues for the information collection requirements (ICRs) in the proposals for 42 CFR 493.1291.
Except as provided in § 493.1291(l), test reports must be released only to authorized persons and, if applicable, the individuals (or their personal representative) responsible for using the test reports and, in the case of a reference laboratory, the laboratory that initially requested the test. Under § 493.1291(l), the laboratory may, upon request by the patient, provide access to the patient's test reports that the laboratory can identify as belonging to that patient. The CLIA regulations would not require that CLIA-certified laboratories provide this access—rather, the entities would be allowed to provide for access. We note, however, that CLIA-certified laboratories generally are covered entities under the HIPAA Privacy Rule. That rule also provides for patients' access to their records. CLIA-certified laboratories will need to ensure that their practices conform to CLIA and HIPAA requirements.
We have prepared the Paperwork Reduction Act and the Regulatory Impact Analysis that represents the costs and benefits of the proposed rule based on analysis of identified variables and data sources needed for this proposed change. We identified known data elements (Table 1) and made assumptions on elements where a source could not be identified (Table 2). Our assumptions are based on internal discussions and consultation with two reference laboratories. We request comments on the assumptions used and analyses provided.
We determined that the impacted CLIA-certified laboratories can be broken down into four categories: laboratories in States and territories where there is no law regarding who can receive test reports (N = 26), laboratories in States and territories where test reports can only be given to the provider (N = 13), laboratories in States and territories that allow test reports to go directly to the patient through some means or mechanism (N = 9), and laboratories in States and territories that allow the test reports to go to the patient with provider approval (N = 7) (see Table 3 for a list of states and territories by category). Of these four categories, we believe that laboratories in the 39 States and territories where there is either no law regarding receipt of test reports or where reports can only go to the provider would be affected by the proposals contained in this rulemaking. Laboratories in the remaining categories would most likely have existing procedures in place to respond to patient requests for test reports, whereas the laboratories in the first two categories would most likely not have procedures in place and would have to develop mechanisms for handling these requests and providing access.
The CMS Online Survey, Certification, and Reporting (OSCAR) database indicates that there are a total of 22,671 laboratories which provide approximately 6.1 billion tests annually (see Table 4) in the 39 States and territories impacted by this rule. We assume Certificate of Waiver laboratories and Certificate of PPM laboratories would not be impacted because the tests are usually performed in these sites during a patient's visit. We assume that the physician or health practitioner would inform the patient of those results during the visit, and we anticipate that the patient would ask that person with whom they interacted as opposed to the laboratory, if they have reason to seek copies of the test report in the future. We request public comments on the potential impact of this rule on Certificate of Waiver and Certificate of PPM laboratories.
If the proposals contained in this rule are finalized, most of these 22,671 laboratories will need to develop processes and procedures to provide direct patient access to test reports. However, we recognize that some of these 22,671 laboratories may not be covered entities under HIPAA (because they do not conduct covered health care transactions electronically, for example, filing electronic claims for payment) and therefore would not be required to provide direct patient access. We do not have information on the number of laboratories that are not covered entities under HIPAA and invite comment on this issue.
We assume that the development of the mechanisms to provide patient access to laboratory test reports would be a one-time burden and that each laboratory would develop its own unique policies and procedures to address patient access or adopt mechanisms/procedures developed by consultants or associations representing laboratories. We assume a one-time burden of 2-9 hours to identify the applicable legal obligations and to develop the processes and procedures for handling patient requests for access to test reports. While we provide a range of burden estimates in this proposed rule, for purposes of OMB review and approval we will submit burden estimates based on 9 hours. We also assume an hourly rate for a management level employee to be $50.06 (see Table 1).
The range of costs for laboratories to develop the necessary processes and procedures for handling patient requests would be:
2 hours × $50.06 per hour = $100.12 per laboratory × 22, 671 laboratories = $2,269,821
9 hours × $50.06 per hour = $450.54 per laboratory × 22, 671 laboratories = $10,214,192
The burden associated with responding to test report requests is dependent upon the total number of test reports that exist in affected laboratories, the percent of the results that would be requested and the cost of producing these reports for those individuals who ask for direct access.
Laboratory test reports are commonly understood to contain multiple test results with many laboratory tests being ordered as panels of tests. Each laboratory may have their own unique test report panels which may contain anywhere from 1 to 20 individual test results.
Using a range of 10 to 20 test results in a test report, we estimated the annual number of test reports that may be requested to be:
6,108,678,992 tests per year/20 tests per report = 305,433,950 test reports/year
6,108,678,992 tests per year/10 tests per report = 610,867,899 test reports/year
We are unaware of any data that would provide a reasonable estimate for the number of patients who wouldrequest test reports from laboratories if they are available. We are soliciting public comments in order to better estimate the number of patient requests a laboratory might receive. We assume a range of 1 in 2,000 patients (0.05%) to 1 in 200 patients (0.50%) would request direct access to his or her test report.
Using these figures the range of the number of patient requests per year would be:
305,433,950 test reports per year × .0005 = 152,717 patient requests per year
610,867,899 test reports per year × .005 = 3,054,339 patient requests per year
The processing of a patient request for a test report generally covers steps from actual receipt of the patient's request to the delivery of the report and documentation of the delivery. Requests for laboratory results are usually handled by staff that is not management level. Due to the lack of data that indicates the amount of time it takes for staff to process a test report request, we assume a range of 10 to 30 minutes to handle a request from start to finish. We also assume an hourly rate for a clerical level employee to be $30.09 (see Table 1)).
Using these figures, we calculated the range of costs to produce one test report:
$30.09 per hour/60 minutes per hour = $0.50/minute
$0.50 per minute × 10 minutes = $5.00
$.50 per minute × 30 minutes = $15.00
We then multiplied this range by the range of the anticipated number of patient requests to obtain a range of costs to provide the patient requests per year:
152,717 patient requests per year × $5.00 = $763,585
3,054,339 patient request per year × $15.00 = $45,815,092
We then added the cost to develop the processes and procedures for handling patient requests to the cost to provide the test reports to obtain the range of the total costs to laboratories to provide patients with his or her test report upon request in 2011:
$2,269,821 cost to develop process + $763,585 cost to provide test reports = $3,033,405
$10,214,192 cost to develop process + $45,815,092 cost to provide test reports = $56,029,285 annual cost (undiscounted 2010 dollars)
We have provided an analysis of burden based on available information and certain assumptions. We request comments from laboratories that currently provide direct access to test reports for patients as to how they handle these requests (for example, through a Web portal, fax, hard-copy, with or without fees, etc) and the extent to which patient requests impact business operations. The Department solicits comments additionally on best practices in the direct provision of patients' laboratory results. We also request comment on the burdens associated with providing electronic formats as requested by individuals, machine readable or otherwise.
To obtain copies of the supporting statement and any related forms for the proposed paperwork collections referenced above, access CMS' Web site address at http://www.cms.hhs.gov/PaperworkReductionActof1995, or E-mail your request, including your address, phone number, OMB number, and CMS document identifier, to Paperwork@cms.hhs.gov, or call the Reports Clearance Office on (410) 786-1326.
If you comment on these information collection and recordkeeping estimates, please do either of the following:
1. Submit your comments electronically as specified in theADDRESSESsection of this proposed rule; or
2. Submit your comments to the Office of Information and Regulatory Affairs, Office of Management and Budget, Attention: CMS Desk Officer, CMS-2319-P, Fax: (202) 395-6974; or E-mail: OIRA_submission@omb.eop.gov.
IV. Response to Comments
Because of the large number of public comments we normally receive onFederal Registerdocuments, we are not able to acknowledge or respond to them individually. We will consider all comments we receive by the date and time specified in theDATESsection of this preamble, and, when we proceed with a subsequent document, we will respond to the comments in the preamble to that document.
V. Regulatory Impact Analysis
A. Overall Impact
We have examined the impacts of this rule as required by Executive Order 12866 on Regulatory Planning and Review (September 30, 1993), Executive Order 13563 on Improving Regulation and Regulatory Review (February 2, 2011), the Regulatory Flexibility Act (RFA) (September 19, 1980, Pub. L. 96-354), section 1102(b) of the Social Security Act, section 202 of the Unfunded Mandates Reform Act of 1995 (March 22, 1995; Pub. L. 104-4), Executive Order 13132 on Federalism (August 4, 1999), and the Congressional Review Act (5 U.S.C. 804(2)).
Executive Orders 13563 and 12866 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This rule has been designated a “significant regulatory action” although not economically significant, under section 3(f) of Executive Order 12866. Accordingly, the rule has been reviewed by the Office of Management and Budget.
Laboratories regulated under CLIA that do not currently provide patients with an opportunity to receive, upon request, a copy of their laboratory test report (defined in CLIA regulations at § 493.1291) would be affected by this proposed rule. According to CMS OSCAR database accessed on July 8, 2010, there are 214,875 laboratories in the United States that are subject to CLIA. OSCAR is a data network maintained by CMS in cooperation withthe State surveying agencies and accrediting organizations that provides a compilation of all the data elements collected during inspection surveys conducted at laboratories for the purpose of certification for participation in the Medicare and Medicaid programs. Of the total CLIA-certified laboratories identified in the OSCAR database, we believe approximately 192,204, or 90 percent, of these would not be impacted by this change because they perform testing either under a Certificate of Waiver or Certificate of Provider Performed Microscopy (PPM) or they are located in States that already allow the laboratory to provide patient access to test reports, either directly or with provider approval. Removing the step in which the provider grants permission to the laboratory should not pose an additional impact on the laboratory, as we believe these laboratories already have processes in place to provide patients access to test reports once that permission is received.
We expect that 22,671 laboratories located in the 39 states and territories identified in Table 3 as having no State law or a State law that provides test reports only to the provider would be impacted by the changes outlines in this proposed rule.
We believe that, if finalized, this proposed rule would not constitute an economically significant rule because we estimate the range of overall annual costs that would be expended by the affected laboratories would be less than $100 million for 2011.
The RFA requires agencies to analyze options for regulatory relief of small entities, if a rule has a significant impact on a substantial number of small entities. For purposes of the RFA, we assume that the great majority of medical laboratories are small entities, either by virtue of being nonprofit organizations or by meeting the SBA definition of a small business by having revenues of less than $13.5 million in any 1 year. We believe at least 83 percent of medical laboratories qualify as small entities based on their nonprofit status as reported in the American Hospital Association Fast Fact Sheet updated June 24, 2010 (http://www.aha.org/aha/resource-center/Statistics-and-Studies/Fast_Facts_Nov_11_2009.pdf.)
Other options for regulatory relief of small businesses as discussed in section E of this proposed rule, were determined not to be feasible and therefore these options were not analyzed for this proposed rule. We believe any alternative to allowing the laboratory to provide patient access to test reports would be counterproductive to HHS efforts to provide patient-centered healthcare. We are unaware of any instances in which the changes included in this proposed rule would affect health care entities operated by small government jurisdictions. We are requesting public comments in this area, particularly from laboratories in state health departments (including Newborn screening), prisons, school clinics or state universities that would be impacted, to assist us in making this determination in the final rule.
Section 1102(b) of the Social Security Act also requires us to prepare a regulatory impact analysis if a rule may have a significant impact on the operations of a substantial number of small rural hospitals. This analysis must conform to the provisions of section 603 of the RFA. For purposes of section 1102(b) of the Act, we define a small rural hospital as a hospital that is located outside of a metropolitan statistical area and has fewer than 100 beds. We do not expect this proposed rule would have a significant impact on small rural hospitals. The proposed rule would only apply to laboratories. If a small rural hospital were to operate its laboratory such that it would have to adopt means of complying with these proposed provisions, we anticipate that it would require minimal effort to put policies and procedures in place to respond to patient requests to the laboratory as we expect that the cahospital would already have procedures in place for responding to patient access requests for hospital records under the HIPAA Privacy Rule. We believe that these existing policies and procedures should be easy to translate for use in direct access requests to hospital-operated laboratories. Therefore, the Secretary has determined that this proposed rule, if finalized, would not have a significant impact on the operations of a substantial number of small rural hospitals.
Section 202 of the Unfunded Mandates Reform Act of 1995 (UMRA) also requires that agencies assess anticipated costs and benefits before issuing any rule whose mandates require spending in any 1 year of $100 million in 1995 dollars, updated annually for inflation. In 2011, that threshold is approximately $136 million. We do not anticipate this proposed rule would impose an unfunded mandate on states, tribal governments, or the private sector of more than $136 million annually. We request comments from States, tribal governments, and the private sector on this assumption.
Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a proposed rule (and subsequent final rule) that imposes substantial direct requirements and costs on state and local governments, preempts State law, or otherwise has Federalism implications.
The proposed changes to the CLIA regulations at § 493.1291 would not have a substantial direct effect on State and local governments, preempt State law, or otherwise have a Federalism implication and there is no change in the distribution of power and responsibilities among the various levels of government. We believe that this change is compatible with existing State law for 35 States and territories as shown in Table 6. Of the 35, we believe that nine already allow the laboratory to release test reports directly to the patient. In 26 States and territories, we believe that the licensing statutes and regulations are silent with respect to who is authorized to receive laboratory test reports. If finalized, the CLIA regulations will allow laboratories in these States and territories to provide, upon a patient's request, direct access to the patient's identifiable test reports.
The Federalism implications of the Privacy Rule were assessed as required by Executive Order 13132 and published as part of the preamble to the final rule on December 28, 2000 (65 FR 82462, 82797). Regarding preemption, though the proposed changes to the Privacy Rule will preempt a number of State laws (see Table 6, below), this preemption of State law is consistent with the preemption provision of the HIPAA statute. The preamble to the final Privacy Rule explains that the HIPAA statute dictates the relationship between State law and Privacy Rule requirements, and the rule's preemption provisions do not raise Federalism issues.
We do not believe that this rule would impose substantial direct compliance costs on State and local governments that are not required by statute. We do not believe that a significant number of laboratories affected by these proposals are operated by State or local governments. Therefore, the proposed modifications in these areas would not cause additional costs to State and local governments.
In considering the principles in and requirements of Executive Order 13132, the Department has determined that this proposed modification to the Privacy Rule will not significantly affect the rights, roles and responsibilities of the States.
B. Anticipated Effects
The current CLIA regulations and related laws of the States and territories pose potential barriers to the laboratory exchange of health care information (test reports) directly with the patient. These proposed regulatory changes would amend § 493.1291(f) and add § 493.1291(l) to the CLIA regulations and also amend § 164.524 of the Privacy Rule. These changes are being made in support of HHS' efforts toward achieving patient-centered and health IT-enabled healthcare and would allow patients direct access to their laboratory test reports from a laboratory without having to go to their healthcare provider to obtain this information.
This proposed rule includes changes that, if finalized, would impact laboratories in 39 States and territories (Table 3) where State law does not permit the laboratory to provide test reports directly to the patient. For the laboratories in the remaining 16 States and territories where the laboratory is allowed to provide the test report to the patient either directly or after provider approval, there is no impact based on this proposed rule.
Although data are not available to calculate the estimated costs and benefits that would result from these proposed regulatory changes, we are providing an analysis of the potential impact based upon available information and certain assumptions. We assume that the costs and benefits of the change to the HIPAA Privacy Rule would not be separate from the costs and benefits associated with the changes to the CLIA regulations. We request comments on how laboratories would handle patient requests for laboratory test reports and the associated costs. These proposed regulatory changes, if finalized, are anticipated to have the following associated costs and benefits:
1. Quantifiable Impacts
We assume that, if this proposed rule is finalized, laboratories that are issued a CLIA Certificate of Registration, Certificate of Compliance, or Certificate of Accreditation in the 39 States and territories identified in Table 3 will be allowed to provide patients with a copy of their test report upon request. The OSCAR database includes 22,671 laboratories in the 39 States and territories that would be impacted by this proposed change and the corresponding number of annual tests in these laboratories is approximately 6.1 billion as shown in Table 4. Data are not available for estimating the number of test results reported per test report. However, it is common knowledge that the majority of test reports contain multiple test results. Tests are frequently ordered as panels of individual tests. For example, according to 2008 CMS reimbursement data, three of the four most frequently ordered tests in the Medicare outpatient setting are panels of multiple individual tests, some of which may contain up to 20 tests. As part of a medical encounter, frequently more than one panel is ordered per patient, and a test report could contain a large number of individual test results. Therefore, for the purposes of this analysis, an assumed range of 10 to 20 is used to represent the average number of test results per test report. Applying this range to the total number of annual tests (6,108,678,992) from Table 4, the estimated number of total annual test reports ranges from a low of 305,433,950 to a high of 610,867,899.
There are no data available to estimate the proportion of test reports that would be requested by patients from the laboratories impacted by these proposed provisions once this rule is finalized. We welcome data pertaining to the number of test reports requested fromlaboratories that are already providing test reports upon request so that we would be better able to provide a more accurate estimate in the final rule. For the purposes of this analysis, we assume that many patients would still prefer to obtain their laboratory result information from their healthcare provider, who would also be able to provide interpretation of the test results, and thus an assumed range of from 1 in 2,000 (0.05 percent) to 1 in 200 (0.50 percent) is used to represent the proportion of test reports requested. Applying this range to the number of estimated annual test reports (305,433,950 to 610,867,899) yields an estimated annual number patient requests ranging from 152,717 to 3,054,339.
Processing a request for a test report, either manually or electronically, would require completion of the following steps: (1) Receipt of the request from the patient; (2) authentication of the identification of the patient; (3) retrieval of test reports; (4) verification of how and where the patient wants the test report to be delivered and provision of the report by mail, fax, e-mail or other electronic means; and (5) documentation of test report issuance. We estimated the total time to process each test report request to be in the range of 10 minutes to 30 minutes. This estimate for a range of total time includes estimates for a range of time for each of the five steps listed above. The time needed to complete each step is dependent on the capabilities of the laboratory, such as whether manual or automated processes are available, and the desired method of communication of test reports to the individual patient as listed in step 5. We welcome comments based on data from laboratories that already provide test reports to patients upon request. We also request comment on the burdens associated with providing electronic formats as requested by individuals, machine readable or otherwise.
To determine the cost of processing test reports we used an hourly rate for a clerical level employee of $30.09 (see Table 1) and determined the costs to process one test report to be $5.00 if it took 10 minutes and $15.00 if it took 30 minutes. We multiplied the range for the number of patient requests, 152,717 to 3,054,339 by $5.00 and $15.00. The estimated annual cost to process all test report requests in 2011 ranges from $763,585 to $45,815,092.
The analysis also assumed each of the estimated 22,671 laboratories to be impacted by this rule (Table 3) would need to develop and implement a policy and process to receive and respond to patient requests as discussed above. To estimate the initial, one-time development cost, it is assumed to require laboratory management staff time ranging from a low of 2 hours to a high of 9 hours per laboratory. To convert the number of hours to an estimated cost per laboratory, we applied the rate of $50.06 (see Table 1) to the assumed 2 to 9 hour time range yields an estimated cost per laboratory ranging from $100.12 to $450.54, which when applied to the estimated 22,671 laboratories impacted results in a total estimated one-time development cost ranging from $2,269,821 to $10,214,192.
Table 7 shows the total estimated range of annual costs for the proposed change in undiscounted 2010 dollars and discounted at 3 percent and 7 percent to translate expected benefits or costs in any given future year into present value terms. To calculate the total estimated costs in 2011, we added the cost to develop the necessary policies and processes (which would only be applicable in the first year) and the cost of responding to test report requests. These costs total between $3 million and $56 million for 2011. As subsequent years would only entail the costs associated with processing requests, we simply took the 2011 values for the cost of responding to test reports and applied the same inflation factor used in Table 1 for the hourly rate calculations. The resulting values can be found in Table 7.
Laboratories would be able to offset some of these costs pursuant to § 164.524(c)(4) of the HIPAA Privacy Rule, which permits covered entities to impose on the patient a reasonable, cost-based fee for providing access to their health information, including the cost of supplies for and labor of copying the requested information.
2. Non-Quantifiable Impacts
The burden in this proposed rule would be primarily on laboratories to provide the laboratory test reports when requested by the patient; however, there may be some impacts on the healthcare provider's office. If the patient does not know where the provider sent the test, the provider may need to provide laboratory contact information to the patient so they may request the test report. We assume that notification of the laboratory name and contact information could be provided in as little as 30 seconds; however there are no data to confirm this and we thus request comment on the issue. We also note that since the provider may need to provide an interpretation of the test results, the provider may give the patient a copy of the test report rather than referring the patient to the laboratory for the information.
Although we cannot quantify the impact on patients, we believe that it would be positive in light of findings from studies that focused on patient receipt of test results from the provider. We found several studies where greater than 90 percent of patients stated they preferred being notified of all test results, both normal and abnormal (1. Baldwin et al. Patient preferences for notification of normal laboratory test results: a report from the ASIPS Collaborative. BMC Fam Practice 2005;6:11; 2. Booker et al. Patient notification and follow-up of abnormal test results. Arch Intern Med 1996; 327-331; 3. Grimes et al. Patient preferences and physician practices for laboratory test result notification. JABFM 2009:22:6:670-676; and 4. Meza JP and Webster DS. Patient preferences for laboratory test result notification. Am J Manag Care 2000; 6:1297-300). These same studies reported, for both the healthcare provider and patient, the preferred method for receiving normal test results was the U.S. mail and direct phone contact from the provider was the preferred method for abnormal test results. These preferences may have changed in the last 5 years given the increase in the use of electronic communications. Advantages reported in these studies for the patient having direct access to the test report include reduced workload for the healthcare provider's office, reduced chance of a patient not being informed of a laboratory test result, and reduced numbers of patients who fail to seek appropriate medical care.
E. Alternatives Considered
The proposed changes to the CLIA regulations and the HIPAA Privacy Rule are being proposed in support of the Department's efforts toward achieving patient-centered health care. Several alternatives were considered before selecting the approach in this proposed rule to provide access to laboratory test reports upon a patient's request. One alternative would have been to leave the regulations as written without making any changes. However, this option would leave in place the restrictions on patients' direct access to their laboratory test results and would therefore impede the goal of promoting patient-centered health care. Another alternative would have been to revise the definition of “authorized person” under CLIA to specifically include a patient as an authorized person. This alternative was not considered feasible because the definition of “authorized person” in the CLIA regulations also permits individuals to order tests, and it defers to State law for authorization. A last alternative considered would have been to require the laboratory to automatically provide each test report directly to each patient rather than the permissive approach to provide patients access to their reports upon request. However, this alternative would have had the potential of significantly increasing the cost for laboratories since 100 percent of the 300 million to 500 million test reports issued annually would need to be provided to the patients. As discussed earlier in this regulatory impact analysis, we welcome comments and the submission of data and information on the costs and benefits of implementation of this proposed change so that we can conduct a more robust assessment of the alternatives comparing incremental costs and benefits for the final rule.
F. Accounting Statement and Table
We have prepared the following accounting statement showing the classification of the expenditures associated with the provisions of this proposed rule.
We estimated the cost to laboratories to provide patients with a copy of their test reports upon request and determined it would cost between $3 million and $56 million in 2011. These costs would diminish in subsequent years. In addition laboratory provision of test reports to patients may provideinformation that could benefit the patient by reducing the chance of the patient not being informed of a laboratory test result, reducing the number of patients lost to follow-up, and benefiting health care providers by reducing their workload in providing laboratory test reports.
In accordance with the provisions of Executive Order 12866, this regulation was reviewed by the Office of Management and Budget.
List of Subjects
42 CFR Part 493
Administrative practice and procedure, Grant programs—health, Health facilities, Laboratories, Medicaid, Medicare, Penalties, Reporting and recordkeeping requirements.
45 CFR Part 164
Administrative practice and procedure, Computer technology, Electronic information system, Electronic transactions, Employer benefit plan, Health, Health care, Health facilities, Health insurance, Health records, Hospitals, Medicaid, Medical research, Medicare, Privacy, Reporting and recordkeeping requirements, Security.
For the reasons set forth in the preamble, the Centers for Medicare & Medicaid Services proposes to amend 42 CFR part 493, and the Department proposes to amend 45 CFR Subtitle A, Subchapter C, part 164, as set forth below:
Title 42—Public Health
Part 493 Laboratory Requirements
1. The authority citation for part 493 continues to read as follows:
Section 353 of the Public Health Service Act, secs. 1102, 1861(e), the sentence following sections 1861(s)(11) through 1861(16) of the Social Security Act (42 U.S.C. 263a, 1302, 1395x(e), the sentence following 1395x(s)(11) through 1395x(s)(16)).
Subpart K Quality System for Nonwaived Testing
2. Section 493.1291 is amended by—
A. Revising paragraph (f).
B. Adding a new paragraph (l).
The revision and addition read as follows:
Standard: Test report.
* * * * *
(f) Except as provided in paragraph (l) of this section, test results must be released only to authorized persons and, if applicable, the individuals (or their personal representative) responsible for using the test results and the laboratory that initially requested the test.
* * * * *
(l) Upon a patient's request, the laboratory may provide access to completed test reports that, using the laboratory's authentication process, can be identified as belonging to that patient.
Title 45—Public Welfare
Part 164 Security and Privacy
3. The authority citation for part 164 continues to read as follows:
42 U.S.C. 1320d-1320d-8; sec. 264, Pub. Law 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)); secs. 13400-13402, Pub. Law 111-5, 123 Stat. 258-263.
4. Section 164.524 is amended by revising paragraphs (a)(1)(i) and (ii) and removing paragraph (a)(1)(iii) to read as follows:
Access of individuals to protected health information.
(a) (1) * * *
(i) Psychotherapy notes; and
(ii) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
* * * * *
Dated: April 1, 2011.
Thomas R. Frieden,
Director, Centers for Disease Control and Prevention, Administrator, Agency for Toxic Substances and Disease Registry.
Dated: August 12, 2011.
Donald M. Berwick,
Administrator, Centers for Medicare & Medicaid Services.
Dated: September 7, 2011.
Director, Office for Civil Rights.
Dated: September 7, 2011.
Secretary, Department of Health and Human Services.
[FR Doc. 2011-23525 Filed 9-12-11; 11:15 am]
BILLING CODE 4120-01-P
No documents available.
| || |
Comment Period Closed
Nov 14 2011, at 11:59 PM ET
Show More Details
Date Posted: Sep 14, 2011
RIN: Not Assigned
CFR: 42 CFR Part 493
Federal Register Number: 2011-23525
Dear Secretery Sebelius, I am writing in support of Proposed Rule CMS-2319-P which will expand the rights of individuals to obtain their health information by...
Dear Secretary Sebelius I have tested my genotype in American labs and feel the need to comment on the impending decision regarding access to lab results of...
Access to health care information should be allowed for individuals and not through "gate keepers" such as doctors. Why should people have to pay to see the...
This document is contained in
Related Dockets: None
Related RINs: None
Related Documents: None
* This count refers to the total comment/submissions received on this document, as of 11:59 PM yesterday. Note: Agencies review all submissions, however some agencies may choose to redact, or withhold, certain submissions (or portions thereof) such as those containing private or proprietary information, inappropriate language, or duplicate/near duplicate examples of a mass-mail campaign. This can result in discrepancies between this count and those displayed when conducting searches on the Public Submission document type. For specific information about an agency’s public submission policy, refer to its website or the Federal Register document.
Document text and images courtesy of the