• E-mail
• Print
• RSS

Under the final privacy rule, what are our duties, as a clinical laboratory, in regards to providing a notice of our privacy practices to individuals?

HIPAA Weekly Advisor, September 28, 2002

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

Q: Under the final privacy rule, what are our duties, as a clinical laboratory, in regards to providing a notice of our privacy practices to individuals?

A: As a clinical lab, you are required to have a notice of privacy practices. If a clinical laboratory has only an indirect treatment relationship with a patient, however, the lab is only required to produce the notice upon request by any person. If the lab does have direct treatment relationships with patients, it must comply with the distribution requirements for covered health care providers.

An indirect treatment relationship is defined as a relationship between a patient and a provider in which the provider delivers health care to the patient based on the orders of another provider. The provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports to the individual.

Individuals do not have a right of access to protected health information held by clinical laboratories if the Clinical Laboratory Improvement Act (CLIA) prohibits such access. CLIA states that clinical laboratories may provide clinical laboratory test records and reports only to "authorized persons," as defined primarily by state law. The individual who is the subject of the information is often not defined as an authorized person under state law. If a state does not define the term, federal law defines it as the person who ordered the test, which is generally the health care provider.

When an individual is not an authorized person, this restriction effectively prohibits the clinical laboratory from providing an individual access to this information. HHS note, however, that if state law includes the individual as an authorized person, access must be provided and that individuals have the right of access to this information if it is maintained by a covered health care provider, clearinghouse, or health plan that is not subject to CLIA.

Individuals do not have access to protected health information held by certain research laboratories that are exempt from the CLIA regulations. The CLIA regulations specifically exempt the components or functions of "research laboratories that test human specimens but do not report patient specific results for the diagnosis, prevention or treatment of any disease or impairment of, or the assessment of the health of individual patients." Therefore, these laboratories, or the relevant components of them, are exempted from the access requirements of this regulation.

Note that this exception applies to laboratories that are exempt from CLIA and does not apply to any entity that is simply not covered by CLIA.

Editor's note: Brought to you by attorneys Marty Baxter and Gretchen McBeath at Bricker and Eckler, LLP (http://www.bricker.com) and The Quality Management Consulting Group, Ltd. (http://www.qmcg.com). E-mail: mbaxter@bricker.com or gmcbeath@bricker.com.

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

• E-mail to a Colleague
• Print
• RSS
• Archive