Can you keep a secret?

What are the common threads that will have to be considered in every method of communicating information about a patient?

• Although there has been some dispute, lab results do fulfill the definition for Protected Health Information (PHI). When talking about patients and their individual tests or test results, it doesnt get any more PHI.
• Labs are directed to make reasonable efforts to limit communications to the minimum amount necessary to accomplish the intention of the communication. Nonetheless, this minimum necessary directive does not apply when communicating to another healthcare provider for treatment, payment or when communicating to the individuals themselves.
• CLIA limits disclosure of lab results to the people ordering tests, unless state law allows disclosure to patients, as well. Clearly, the most stringent of the two CLIA or state law will apply. It is the labs responsibility to determine whether state law is contrary to or more stringent than HIPAA, and if so, adhere accordingly.
• In every method of electronic communication, laboratory staff should document a single point in time when all ownership of the information, and its subsequent privacy, belongs to another party. It should be noted this is a liability issue. (See
  Figure 1 for point of transfer analysis.) 

A review of communication methods

Verbal communication. This specifically refers to conversations between labs and physicians offices, and applies to phone calls (regular and cell phones), pagers, voice mail and the answering machine. It includes calls made to a lab from physicians offices to schedule lab work, calls made to request results and messages that must be left. It also includes labs calls to physicians to report results, or to ask for clarification on an order, and includes any messages. 

The good news is that laboratorians are very private about the lab tests they conduct and the results that pass through their protective realm. Widespread HIPAAnic has made this even less of a problem. Nonetheless, there are some questions which have to be asked to make certain an unauthorized disclosure hasnt occurred. Any time there is a verbal communication, there is a risk. Because of this, it is crucial to have a method for confirming the identity of the person on the other end of the line. This brings to mind other issues. How will the integrity of the message be verified? What if there was a language barrier and the message wasnt clearly understood? If a message is left on an answering machine, how will confirmation of receipt (by the right person) be documented? The greatest risk with all verbal communication is that there is an unclear point of transfer.

Some procedures can be established to facilitate an improved likelihood that verbal communication remains private. These include setting up caller ID, as well as documenting privacy pass codes with each office. Another procedure would be to institute a mandatory call back when the identity of the other person is unclear. Strict adherence to established policies will be crucial, and the possibility for human error is implicit.

Physical delivery. This applies to the use of couriers and mail for the delivery of specimens and results. Neither of these methods of communication will disappear as a result of HIPAA, but steps need to be taken to ensure patient privacy is maintained. 

Courier. Creation of HIPAA-compliant policies and then training in those policies will be critical with the use of couriers. If the courier is a third-party service, the training each employee undergoes undoubtedly comes from the courier company. When the courier service is acting on behalf of the lab, its employees will need to follow lab-mandated policies and procedures, in which they are trained and monitored by the lab, and must be well documented in the courier agreement.

In addition to the training of couriers, visual access to results must be limited. Envelopes used for delivery should be sealed before they are given to the courier, and then documented that they are received unopened by an authorized physicians employee, signifying a successful receipt of the results. This may be the only option to confirm a point of transfer.

Mail.
From the labs perspective, provisions are needed to ensure the lab results are addressed to the right person not only that the right result is going to the right office, but that there is confirmation that the addressee is the appropriate person to receive lab results in the first place. Ensuring that the physician demographic database is up to date will be critical.

From a legal perspective, both the United States Postal Service and United Parcel Service are considered to be conduits, but it is not clear who will own problems. If the service delivers to the wrong address, it is unclear which party is at fault. Is it the service for not fulfilling its duty, or the lab for not overseeing the process and acknowledging receipt of the report?

As a final concern, in most offices, all mail is delivered to the front office, where an administrative person routinely opens the mail, then forwards it to the physician. Until a lab can confidently say the lab results have effectively been transferred in ownership to the physicians office, these are issues the lab will want to consider. Ultimately, unless some acknowledgement of receipt can be documented, the point of transfer is unclear.

Electronic hard copy results to remote teleprinter/fax. Teleprinters and faxes, two methods of producing an electronic hard copy of the lab result, are each defined as a point-to-point connection, which makes them reasonably secure without encryption. Keep in mind, however, that encryption is addressed fully in the security regulations of HIPAA, which remain in the draft mode as this is written. Because of this, there is a chance that some aspect of that component will be altered. If desired, encryption is still possible on most devices, although it will increase the cost of the equipment, and it will be more difficult to incorporate on a fax machine. 

Message authentication is another issue to consider with electronic hard copy, which is the ability to confirm that the message sent is the same message that has been received, and that its been received in its entirety. Unfortunately, authenticating the message can be difficult on fax machines for numerous reasons. Most faxes used for remote reporting today are owned by the physician. In order to provide message authentication, some level of error correction will need to be employed. Unfortunately, most faxes do not default to an error-correction mode, which puts the fax in jeopardy for delivering inaccurate or perhaps incomplete data. 

Error-correction settings are inherent to teleprinters; however, the lab must ensure that only authorized persons receive reports and have access to health information. To accomplish this, a lockbox can be established to which a code or key is required to access the encrypted report. Finally, a lab could preprogram verified client dial-out numbers into its laboratory information system to ensure that only authorized people receive results. Once any of these electronic signals has been received, a lab could argue that responsibility for privacy of the patients health information has been successfully transferred to the physician at that point.

Orders and results. These applications refer to the software and associated systems that provide remote ordering and result reporting. There are two types of architectures available with these applications:

• Thick-client systems where the patient data is stored locally.
• Thin-client systems where patient data is stored on a remote or centrally located server.

There are also two types of hosting models available with these systems:

• Owned self-hosted/maintained.
• Application service provider (ASP).

Note that the inclusion of an ASP into the equation will provide a lab with a level of outsourcing for many of the network operations necessary for its deployment; however, a third party will now assume the responsibility for the point of transfer to the physician. Use of an ASP then becomes a matter of inserting another link into the established chain of trust. (See
Figure 2 for an illustration of the point of transfer when an ASP is involved.) 

These applications should adhere to the clinical transaction and code set requirements when finalized and to the privacy and security standards as applicable. They must provide access controls; built-in audit trails providing a means for tracking PHI access; physical security of the data at rest; confirm message integrity ensuring the data is valid; encryption when deployed over public networks; and network controls. 

Conclusion and recommendations

Ultimately, all delivery methods have vulnerabilities that should be addressed in order to ensure the privacy of lab results. It is important to remember that HIPAA remains more about processes than products. The following is a brief summary of the authors recommendations:

• Oral and physical methods will be the most challenging, because they leave the most room for human error. 
• Electronic solutions, by their nature, are better suited, keeping in mind that as technical controls increase, the risk of human error will be diminished. 
• Access controls can provide a positive acknowledgement of transfer of ownership.
• Point(s) of transfer should be included in every Business Associate and Chain of Trust Agreement.

Note: Clinical laboratory employees involved in the communication of PHI should take part in the tear-out privacy checkup. 

Nancy J. Ham is president and chief operating officer of ProxyMed Inc., a provider of healthcare connectivity services based in Fort Lauderdale, FL.
Jeffrey F. Boothe is a partner in the Washington, D.C. office of Holland and Knight LLP. Mr. Boothe represented the Clinical Laboratory Management Association (CLMA) as part of the Negotiated Rulemaking Committee, aiding in the formation of the HIPAA regulations. He has also represented clients on matters involving Medicare reimbursement, federal healthcare fraud and abuse, medical device coverage and reimbursement, and data privacy and data security. He is a member of the American Health Lawyers Association and the District of Columbia Bar Association. 

References and recommended reading:

1. Centers for Medicare & Medicaid Services (CMS). Available at
www.cms.gov/hipaa/hipaa2/default.asp

2. Office of the Assistant Secretary for Planning & Evaluation Administrative Simplification. Available at
http://aspe.os.dhhs.gov/admnsimp/

3. Department of Health and Human Services (DHHS) Office of Civil Rights. Available at
www.hhs.gov/ocr/hipaa/

4. Clinical Laboratory Management Association. Available at
www.clma.orgpubmain.cfm?section=rellinks

5. AHIMA Health Information and Management Association. Available at
www.ahima.org

6. AMC General Policy and Management Guidelines. Available at
www.aamc.org/members/gir/gasp/generalcategories.pdf

7. AMC HIPAA Privacy Guidelines. Available at
www.aamc.org/members/gir/gasp/privacycategories.pdf

8. Associate of Medical Colleges. Available at
www.aamc.org/advocacy/hipaa/start.htm

9. DHHS Privacy Quiz. Available at
www.regreform.hhs.gov/HIPAAQUIZ_0204171/sld001.htm

HIPAA Privacy Checkup

Privacy checkup Verbal communication

• When calling a physicians office about a lab result, how do we know we have the right person on the other end of the line?
• What if they call us?
• When there are language barriers, how do we confirm the message is delivered/understood?
• How do we document our conversations about lab results?
• What policies are in place for phone vs. casual personal conversation?
• Can we clearly identify the point when the privacy of a patients verbal lab result belongs to the physician? What is that point?

Privacy checkup Couriers

• How do we limit visual access to specimen information?
• How do we train couriers on their responsibility to patient privacy?
• Do/should our couriers sign agreements?
• If couriers are outsourced, are they our responsibility/liability?
• How do we ensure that results actually get delivered?
• How do we document compliance with policy?
• Can we clearly identify the point when the privacy of a patients couriered lab result belongs to the physician? What is that point?

Privacy checkup Mail

• How do we confirm we are sending information to the right office and address?
• How do we know that the person opening the mail is an authorized representative of the physician?
• How often do we audit records? Both physician and patient databases?
• Whose fault is it if the mail is delivered incorrectly?
• How do we cover liability if mail is delivered incorrectly?
• Can we clearly identify the point when the privacy of a patients mailed lab result belongs to the physician? What is that point?

Privacy checkup Electronic hard copy

• Do we need/have encryption?
• How do we authenticate a fax message, or make certain that the entire message has been delivered free of errors?
• How do we enroll/certify fax/printer numbers?
• How do we confirm that the right people read lab reports once they have printed out on the fax machine or the printer?
• Who is responsible for the location of fax/printer in the physicians office?
• Can we clearly identify the point when the privacy of a fax or printer lab result belongs to the physician? What is that point?
• Does the answer change if the equipment is owned by the lab or by the physician?

Privacy check up Applications for orders and results

• Where does the order/result data reside, and have we documented who is responsible for maintaining that privacy?
• How do we protect against inadvertent abuse?
• Is the ASP also a clearinghouse? What does that mean?
• What are the boundaries of responsibility to business partners and clients?

                                                             January 2003: Vol. 35, No. 1