Thursday, October 15, 2009

A Consensus Letter to the Office of Civil Rights and the Centers for Medicare and Medicaid Services

A Consensus Letter to the Office of Civil Rights and the Centers for Medicare and Medicaid Services on the Need for Expanding the Rights of Individuals to Access their Test Results

October 20, 2009

To: Georgina Verdugo Director, Office of Civil Rights
US Department of Health and Human Services
To: Charlene Frizzera Acting Administrator, CMS
US Department of Health and Human Services
CC: Dr. David Blumenthal, National Coordinator for Health IT Dear Director Verdugo and Administrator Frizzera,

In 2003 the Office of Civil Rights enacted regulations pursuant to the Health Information Portability and Accountability Act (HIPAA) that gave individuals the right to access their protected health information. Section 164.524 of the Privacy Rule gave individuals a right to obtain a copy of protected health information, and the HITECH Act of 2009 broadened this right by providing that individuals can obtain a copy of their electronic record information in electronic format. This access right supports the intent of HIPAA to grant consumers greater knowledge and control over their information and is in line with the recent trend of consumers gaining secure online access to their own health data through Personal Health Records (PHRs).

Unfortunately, however, Section 164.524 of the Privacy Rule also included a provision, subsection (a)(iii)(A), which created an exception from this access right for protected health information maintained by a covered entity that is subject to the Clinical Laboratory Improvements Amendments of 1988 (CLIA), which includes test results from labs. In addition, regulations issued under 42 C.F.R. § 493.1291 issued by the Centers for Medicare and Medicaid Services (CMS), provide that test results must be released only to authorized persons and, if applicable, the individual responsible for using the test results. “Authorized person” is defined under 42 C.F.R. § 493.2 as “an individual authorized under state law to order tests or receive test results, or both.” Few states expressly authorize labs to release test results directly to patients. This regulatory framework has resulted in a complex tapestry of regulations that prevent individuals from gaining direct access to a copy of their test results in all but those few states. In essence, the combination of the HIPAA Privacy Rule, the CMS rule, and state laws has put test results in a uniquely restricted category compared to other protected health information and has impaired patients’ ability to see, save, share, and use their own test results.

We believe that it is time for this disparate treatment of test results to be changed. We believe that test results should be treated the same as other protected health information. And while we recognize that even with this change some state-specific medical privacy laws may still restrict patient access to test results, it is time to remove the substantial federal obstacles to patients’ access to test results. This is an important first step toward giving patients meaningful access to their health information so that they can better coordinate their care, realize cost savings, and track and improve their health over time.

Our recommendation is simply to make the following two changes:

(1) Remove subsection (a)(iii)(A) from 45 C.F.R. § 164.524. This change eliminates the disparate treatment of lab test results compared to other protected health information under HIPAA.

(2) Change 42 C.F.R. 493.1291(f) to the following: “Test results must be released only to (a) authorized persons, (b) if applicable, the individual responsible for using the test results and the laboratory that initially requested the test, and (c) upon request, the test subject.” This change clarifies that individuals can receive their results upon request.

First and foremost, this change is unlikely to cause harm. The greatest perceived risk with such a change is that patients would receive abnormal test results directly from a lab without any context or interpretation, resulting in emotional harm. But under Section 164.524 of the HIPAA Privacy Rule, covered entities/providers generally have up to 30 days to respond to an individual’s request for their information. While we recognize that in an era of electronic data 30 days is a very long time and eventually the 30 day rule should be reconsidered, this should afford ample opportunity for providers to consult with patients on test results, and it provides for a great deal of flexibility for how and when providers or labs might disclose test results. A lab might choose to release routine test results within a few days, for example, while delaying the results of more sensitive tests to allow more time for patient-provider consultation. Some health systems are already taking this approach. Kaiser Permanente has shown that delivering lab test results online directly to consumers in a timely fashion improves their patient relationships. [Silvestre A, et al, Health Affairs 28, no. 2 (2009): 334–344].

Second, this change could help remedy some harm which is already occurring in our health system. Approximately 7% of clinically significant test results – test results that would have a potential impact on the patient’s care – are not ever reported to patients, potentially delaying important treatment decisions and causing harm. [Casalino L. et al, Archives of Internal Medicine, June 22, 2009]. Giving greater access to consumers would help reduce the number of test results “lost to the ether.”

Third, practical impediments to the availability of test results at the time they are needed often results in lab tests being needlessly repeated, causing wasteful expenditures that are unacceptable at a time when policymakers are striving to bend the cost curve downward. Such redundancy is estimated to comprise over 14% of lab and radiology test orders and related costs [Kaelber, D. et al; The Value of Personal Health Records. Center for Information Technology Leadership; 2008]. If patients can get and maintain their own test results and make them directly available to providers when needed, they can help prevent unnecessary duplication of tests.

Finally, there is tremendous growth in useful health management applications and services that individuals could take advantage of if they had direct access to their test results. This potential explosion in improved patient self-management using these tools and services could be an important part of the transformation of our health care system.

It’s time to make these changes to help improve care and encourage greater consumer involvement in their health and health care. We feel that the two common-sense recommendations for changes to the federal regulations listed above are the best starting point, with the understanding that additional work will be necessary to address the complex tapestry of other state restrictions on patient access to and control of their own information. It’s time to make this change. A 1988 statute should not govern information access in 2009. Patients need and deserve the right to have meaningful, timely, and convenient access to all their health information, including their test results.

[To join email with your name and or affiliation and you will be added to the list until October 20]


Dr. Phil Marshall, WebMD

Dr. Daniel Sands, Harvard Medical School

Jamie Heywood, PatientsLikeMe

Dr. David Kibbe, The Kibbe Group, LLC

Nate McLemore, Microsoft

Adam Bosworth, Keas

Dave deBronkart, E-patients

Dr. Roni Zeiger, Google

Colin Evans, Dossia

No comments:

Post a Comment