HIPAA Regulations for Laboratories
-
Confidentiality
-
All workers, including laboratory workers, must be trained on confidentiality procedures dealing with patient information. Mandatory training sessions must be documented, and the documents retained to verify compliance. Protected health information (PHI) must be disclosed when required by law within 30 days of a patient request, or to facilitate treatment, payment or health care operations, or when the patient grants consent. Patient confidentiality also requires incorrect PHI to be corrected in a manner that does not reveal PHI. Disclosures of PHI must be recorded and maintained. Patients must be notified of their rights to privacy according to HIPAA regulations.
Protected Health Information (PHI)
-
According to HIPAA, health information is considered to be personally identifiable if it relates to a specifically identifiable individual. PHI in a laboratory may be test results, insurance claim information, disclosure of test results to a physician, physician office, or other consultations. PHI disclosure may be electronic, paper or oral. All PHI must be considered confidential and protected under HIPAA.
National Provider Identifier (NPI)
-
The HIPAA Administrative Simplification Standard created a unique identifier called a National Provider Identifier (NPI). All covered health care providers, all health care plans and health care clearinghouses must use NPIs when performing the administrative and financial transactions covered by the HIPAA standards. This includes laboratories that had not previously interacted with the public when disseminating PHI. The NPI is a 10-position, intelligence-free numeric identifier (10-digit number) that reveals no information about health care providers. No information is included in this number that reveals the state or specialty of the covered provider. The NPI replaces legacy provider identifiers in the HIPAA standards transactions.
Methods of Compliance
-
HIPAA requires laboratories to protect the confidentiality of laboratory tests when delivering the results to other entities. Three methods of delivery may be used when delivering PHI. First, labs may assume physicians know compliance standards and will maintain strict confidentiality of their patients' PHI. This requires trust and is risky for the laboratory. Second, laboratories may choose to assume all responsibility for PHI from point of contact until delivery of information. A third method is to share responsibility for PHI. Labs may also establish a contract called a chain of trust agreement that essentially allows the lab to pass along responsibility for PHI to the physician, who agrees to accept responsibility. Point of transfer agreements cover oral, physical delivery, electronic hard copy and Internet transactions.
Reminders
-
The Clinical Laboratory Improvement Amendments (CLIA) prevent disclosure of information to patients unless state laws allow disclosure to recipients other than the physicians ordering tests. Be aware of potential conflicts between HIPAA and state laws. Labs will be accountable to the more stringent applicable law. Disclosure of information to physicians is permitted, but labs must have policies that address authority and access to all health information. Laboratories must implement appropriate training programs for employees regarding appropriate security, administrative procedures and procedures to identify persons receiving PHI. Labs must be able to provide an audit trail showing all access to protected health information.