HIPAA Laboratory Rules and HIPAA Lab Results

HIPAA laboratory rules are much like the regulations for any covered entity. Covered entities are required to conduct self-audits, develop remediation plans, implement HIPAA policies and procedures, train staff members, have signed business associate agreements, and have a method for incident response. More details on HIPAA laboratory rules, including HIPAA lab results requirements, are discussed below.

HIPAA Laboratory Rules

Under HIPAA, lab results are considered protected health information (PHI). As such, HIPAA laboratory rules require the implementation of safeguards to ensure the confidentiality, integrity, and availability of lab results.

Administrative Safeguards

Administrative safeguards require laboratories to conduct self-audits, develop remediation plans, implement HIPAA policies and procedures, train staff members, have signed business associate agreements, and develop a method for incident response and tracking.

Physical Safeguards

Physical safeguards require policies and procedures for physical facilities that identify individuals (workforce members, business associates, contractors, etc.) with authorized access to electronic information systems. They also create requirements for securing an organization’s physical location including installing locks and alarm systems to secure PHI. 

Technical Safeguards

Technical safeguards require policies and procedures preventing unauthorized alteration or destruction of electronic PHI. They also require the installation of firewalls, security patches, and antivirus software to protect the organization’s endpoints (computers, tablets, mobile devices, network, etc.).

HIPAA Lab Results and Amendments to HIPAA Laboratory Rules

In 2014, the Department of Health and Human Services (HHS) issued a Final Rule amending the Clinical Laboratory Improvement Amendments (CLIA). The amended rule requires laboratories to provide patients access to their lab results (the HIPAA right of access). Before the amendment, laboratories did not have to comply with the right of access standard. Instead, patients had to request HIPAA lab results from their healthcare providers. However, the amendment made it possible for patients to ask for their lab results directly from the laboratory.

The amendments also required laboratories to update their Notice of Privacy Practices (NPP) to account for the changes the CLIA amendment introduced. Alice Leiter, policy counsel at the Center for Democracy & Technology, stated, “HIPAA requires covered entities to promptly revise NPPs whenever there is a material change to any of their privacy practices, including those pertaining to individuals’ right to access their information.”

HIPAA Lab Results Delivery

Provided reasonable safeguards are in place to protect PHI, HIPAA lab results delivery is permitted by mail, fax, phone call, text message, or email. However, before communicating with patients through text or email, it is essential to warn patients of the potential risk associated with this type of communication. In addition, patients must consent to text and email communication before it is permitted to share lab results through these methods.

HIPAA Lab Results Over the Phone

Lab results are permitted to be shared over the phone with certain requirements. The lab must first provide its name and contact information, and ensure that it is speaking with an authorized party. It is permitted for laboratories to share HIPAA lab results over the phone with the patient’s healthcare provider. To share HIPAA lab results over the phone with patients, the patient must provide consent to receive phone communications. However, the FCC has noted that when a patient gives their phone number to a lab, that is considered consent, and it is permitted to share HIPAA lab results over the phone without written authorization from the patient.
