The federal government recently proposed two initiatives that have the potential to increase patient engagement and awareness of their own health care. First, the Office of the National Coordinator for Health Information Technology (ONC) of the Department of Health and Human Service’s (HHS) released its Personal Health Record (PHR) Model Privacy Notice, which ONC hopes will give patients/consumers an increased awareness of PHR vendors’ privacy, security and data sharing practices. Second, the Centers for Medicare & Medicaid Services (CMS) and other HHS agencies issued proposed rules that would allow patients direct access to laboratory test results.

PHR Model Privacy Notice Template

Personal health records (PHR) include web-based health information technology that individuals may use to take ownership of their own health care. A PHR generally is defined as an electronic record of an individual’s identifiable health information that can be drawn from multiple sources and that is managed, shared and controlled by, or primarily for, the individual. The idea is to provide an individual with one place to access and manage all of his or her own health care information.

Some PHRs are offered by “covered entities” (typically, health care providers) subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Conversely, some PHRs are offered directly to consumers by third party technology vendors. If the PHR is offered by a HIPAA covered entity, the requirements of HIPAA’s Privacy Rule apply. The Privacy Rule includes standards for the use and disclosure of protected health information (PHI) and patient access to PHI, among other requirements. If the PHR is offered by a third party vendor, however, then the health information maintained with the PHR is not protected by the Privacy Rule. Rather, the privacy and security of such PHR is determined by the privacy and security practices of the PHR vendor, subject to the requirements of other federal and state law.

Because of the variability of types of PHRs, ONC issued a PHR Model Privacy Notice Template (Template). The intent of the Template is to create a standardized format that PHR vendors may use to inform consumers about their privacy and security policies and data sharing practices. The Template is set up to ask the PHR entities a series of yes/no questions relating to its privacy and security practices. Based on the answers to the questions, the Template will generate a standard, yet entity specific, PHR Privacy Notice. The Template is now available for public use at the following link: http://healthit.hhs.gov/portal/server.pt?open=512&mode=2&objID=3770.

The Template highlights, in a uniform manner, the privacy and security policies of a PHR vendor. It is not meant to be a substitute for the actual comprehensive privacy and security policies needed by PHR vendors or otherwise establish privacy or data sharing practices.

ONC also clarified that use of the Template is not required by PHR vendors. Nonetheless, ONC emphasized that the Template was developed based on consumer testing of key issues that individuals care about, in language that individuals understand. ONC is encouraging PHR vendors to use the Template to build greater trust in PHRs, as well as to promote competition on privacy and security policies that are more consumer-protective.

Proposed Rule for Direct Patient Access to Laboratory Test Results

On Sept. 14, 2011, HHS issued a Notice of Proposed Rule Making (NPRM) to amend the HIPAA Privacy Rule and the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations to permit patients direct access to laboratory test results. Specifically, in order to increase patient access rights, the NPRM would amend the Privacy Rule and CLIA regulations to require laboratories, upon request by a patient, to provide access to completed test reports that the laboratories, using their own authentication processes, can identify as belonging to the requesting patient.

Under current CLIA regulations, patients in states that do not have laws that authorize individual access to test results must request and receive lab test results through their health care providers. Currently, 39 states either allow test reports to be given only to the provider or have no law on who can receive test reports. In states silent on the issue, labs will not send results directly to patients; instead, patients must receive their results through their ordering providers. The NPRM would amend CLIA to permit direct individual access to the test results, preempting state law.

Comments on the proposed amendment to the HIPAA Privacy Rule and CLIA are being accepted by HHS until Nov. 14, 2011. The NPRM is available at: http://www.gpo.gov/fdsys/pkg/FR-2011-09-14/html/2011-23525.htm

Under HIPAA’s Privacy Rule, individuals generally have the right to access, inspect, and obtain copies of their own health care records, but there is a specific exception relating to laboratory test results. Specifically, the right to access PHI under the Privacy Rule does not apply to test reports at CLIA laboratories (at least with respect to those states that do not specifically authorize individual access under CLIA) or to CLIA-exempt laboratories. The original purpose of this exception was to make the Privacy Rule consistent with CLIA regulations.

In the NPRM, HHS proposes to remove this exception from the Privacy Rule in order to provide individuals the right to access and obtain their test reports directly from laboratories. Furthermore, the proposed rule would preempt any contrary state laws that prohibit a HIPAA-covered laboratory from directly providing laboratory test result access to the individual. If the NPRM is enacted as proposed, CLIA entities would be subject to the same Privacy Rule obligations as other types of health care providers with respect to providing individuals access to their PHI.

One potential issue under the proposed changes to the CLIA regulations is that the proposed change only specifies that “patients” may obtain laboratory test results; the NPRM does not explicitly include personal representatives of the patient. The Privacy Rule, however, applies both to patients and their personal representatives. Thus, while HHS comments in the NPRM that a patient’s personal representatives would have the right to access laboratory results directly, the language of the NPRM with respect to the revised CLIA regulations is not explicit, which may cause confusion. Other challenges for laboratories may be with regard to authentication of a patient’s identity, as well as the cost of compliance with the NPRM.