User:Shawndouglas/sandbox/sublevel1
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is a set of U.S. federal regulatory requirements that attempts to modernize the flow of healthcare information, stipulate how personally identifiable information (PII) (often referred to as "protected health information" or "PHI") maintained by healthcare providers and insurers should be protected from fraud and theft, and address limitations on healthcare insurance coverage in the U.S. HIPAA spans five sections or "titles," mandating health care information access, portability, privacy, and security, as well as stipulations on medical savings accounts, group health insurance requirements, and other tax- and legal-status-related issues.
Normally, HIPAA regulations would put strict requirements on how and when PII can be managed, used, shared, and stored. However, the COVID-19 pandemic has seen a relaxation of some of those requirements by the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR). The HHS is currently maintaining a list of announcements, notifications, guidance documents, bulletins, and other resources as they relate to HIPAA and the public health emergency. Important notes pulled from that information reveal[1]:
- Family, friends, and others identified by the patient as being involved in their care may receive PHI from a covered health care provider, particularly when they deem that sharing in the patient's best interest. Additionally, "[a] covered entity also may share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death."
- "Covered health care providers will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This Notification does not affect the application of the HIPAA Rules to other areas of health care outside of telehealth during the emergency." This exercising of enforcement discretion will last until OCR provides a notice otherwise. Telehealth should optimally be performed in a private setting, whenever possible, using non-public facing communication technologies. Providers should opt to use the most secure services possible, "but will not be penalized for using less secure products in their effort to provide the most timely and accessible care possible to patients during the public health emergency."
- The OCR extended its enforcement discretion to include business associates of covered health care providers, allowing them to share PHI data "without risk of a HIPAA penalty." The OCR adds that "[s]ome HIPAA business associates have been unable to timely participate in these efforts [to ensure the health and safety of the public] because their BAAs do not expressly permit them to make such uses and disclosures of PHI." Like the enforcement discretion of telehealth provision by covered health care providers, the business associate must still make a good-faith effort in the "use or disclosure of the covered entity’s PHI" for public health and health oversight activities. Similarly, this exercising of enforcement discretion will last until OCR provides a notice otherwise.
- The OCR also extended its enforcement discretion to include covered health care providers and business associates operating community-based COVID-19 testing sites (CBTS)—"which includes mobile, drive-through, or walk-up sites that only provide COVID-19 specimen collection or testing services to the public"—during the public health emergency. This enforcement discretion, however, "does not apply to covered health care providers or their business associates when such entities are performing non-CBTS related activities, including the handling of PHI outside of the operation of a CBTS."
- Additionally, the OCR extended its enforcement discretion to "covered health care providers or their business associates in connection with the good faith use of online or web-based scheduling applications ... for the scheduling of individual appointments for COVID-19 vaccinations during the COVID-19 nationwide public health emergency."
- "[T]he HIPAA Privacy Rule permits a covered entity to disclose the protected health information (PHI) of an individual who has been infected with, or exposed to, COVID-19, with law enforcement, paramedics, other first responders, and public health authorities1 without the individual’s HIPAA authorization, in certain circumstances." OCR provides numerous examples, including: "when the disclosure is needed to provide treatment," "when such notification is required by law," when a public health authority must be notified "to prevent or control spread of disease," "when first responders may be at risk of infection," when preventing or lessening "a serious and imminent threat to the health and safety of a person or the public," and when responding to a law enforcement inquiring concerning a lawfully detained inmate or other individual.
- "The HIPAA Privacy Rule permits HIPAA covered entities (or their business associates on the covered entities’ behalf) to use or disclose PHI for treatment, payment, and health care operations, among other purposes, without an individual’s authorization." ICR provides more details in its guidance, noting however that reasonable effort must still be made to protect PHI, and that this does not apply to activities that constitute marketing.
- Similarly, the HIPAA Privacy Rule "permits covered entities or their business associates to disclose PHI to [a health information exchange (HIE)] for the HIE to report PHI to a [public health authority (PHA)] conducting public health activities" in a variety of circumstances. For more on those circumstances, see the December 2020 guidance].
- The public health emergency does not change restrictions on disclosing PHI to the media. This includes the prohibition of media crews in, for example, emergency departments where COVID-19 patients are being treated, as PHI is found everywhere in that setting. Only when every patient who is or will be in a potentially filmed area has signed a HIPAA authorization form can this be done.
CLIA
The Clinical Laboratory Improvement Amendments (CLIA) are a set of U.S. federal regulatory requirements applied to all non-research-based clinical laboratory testing performed on humans. These requirements are intended to further ensure a higher standard of quality in clinical laboratory testing, focusing in on improving the accuracy, reliability, and timeliness of tests. (The implications of these requirements on U.S. clinical labs and their ability to test for COVID-19 are discussed later, in the next section.)
CLIA uses seven different criteria to gauge and assign one of three complexity levels to laboratory devices and assays: high, moderate, and waived.[2][3] Additionally, CLIA mandates clinical laboratories handling specimens originating from the U.S. and its territories to apply for a CLIA certificate that is appropriate for the type of testing it performs. Labs using complex devices and assays would have to apply for a high complexity certificate, and so on. Waived tests are recognized as simple to perform with a low risk of erroneous results and include among others urinalysis for pregnancy and drugs of abuse, blood glucose and cholesterol tests, and fertility analysis.
Anything but waived testing requires meeting "the CLIA quality system standards, such as those for proficiency testing, quality control and assessment, and personnel requirements. The standards for moderate and high complexity testing differ only in the personnel requirements."[2] As the Centers for Medicare and Medicaid Services (CMS) points out in a frequently asked questions (FAQ) document—and as can be verified on the FDA's EUA page[4]—a huge majority of COVID-19 tests are only authorized for moderate or high complexity testing, and thus labs certified to do that sort of testing.[5] As of September 2021, only 14 of 260 FDA EUAed molecular diagnostic tests are approved to be performed in a CLIA-waived laboratory setting.[4]
CMS' FAQ, as well as their March 2020 guidance document, provides additional insight in regards CLIA and COVID-19[5][6]:
- CLIA regulations remain firmly in effect during the U.S.-declared public health emergency; a Section 1135 waiver, under the Social Security Act, that modifies or suspends CLIA requirements is not within the authorizing jurisdiction of the CLIA program. Additionally, CMS in general does not have the authority "to grant waivers or exceptions that are not established in statute or regulation."
- Laboratories choosing to use temporary testing sites for remotely (from home or another temporary location) viewing and reporting on cytology slides and images may do so if certain defined conditions are met. (Consult the memo for those defined conditions.)
- Proficiency testing (PT) is still required if a CLIA-certified lab is still performing testing and issuing patient results. However, should a PT provider need to postpone, suspend, or cancel a proficiency testing event, "[l]aboratories will not be penalized for lack of PT results ... so long as the cancelation is documented (including the notification from the PT program), and PT is conducted in a timely manner after the public health emergency ends. However, labs should consider performing their own self-assessment to ensure reliable testing."
- Alternate specimen collection devices (e.g., viral transport media, flocked nasopharyngeal swabs) used outside the manufacturer's instructions still require the establishment of performance specifications and assay validation prior to patient use. The FDA provides additional guidance on this topic.
- Laboratories performing laboratory developed tests (LDTs) are still required to be CLIA-certified and meet the requirements for high complexity testing. However, if the state government of such a laboratory has opted to take responsibility for authorizing an LDT (in order to expedite COVID-19 testing), then engagement with the FDA is not required.
- "CMS will temporarily exercise enforcement discretion under CLIA for the duration of the COVID-19 public health emergency for the use of authorized SARS-CoV-2 molecular and antigen POC tests on asymptomatic individuals outside of the test’s authorization."[7]
- As of May 2021[8], a CLIA specialty or subspecialty has not yet been assigned to COVID-19 testing authorized under the EUA pathway. Testing may be performed by laboratories based on intended use and by CMS specialty and subspecialty assigned to similar FDA-cleared or -approved tests with similar characteristics to the EUA being used.
References
- ↑ "HIPAA and COVID-19". Department of Health and Human Services. 11 May 2020. https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-covid19/index.html. Retrieved 18 May 2020.
- ↑ 2.0 2.1 Centers for Disease Control and Prevention (6 August 2018). "Clinical Laboratory Improvement Amendments (CLIA): Test complexities". https://www.cdc.gov/clia/test-complexities.html. Retrieved 09 April 2020.
- ↑ "CLIA Categorizations". U.S. Food and Drug Administration. 25 February 2020. https://www.fda.gov/medical-devices/ivd-regulatory-assistance/clia-categorizations. Retrieved 09 April 2020.
- ↑ 4.0 4.1 "In Vitro Diagnostics EUAs". U.S. Food and Drug Administration. 20 August 2020. https://www.fda.gov/medical-devices/coronavirus-disease-2019-covid-19-emergency-use-authorizations-medical-devices/vitro-diagnostics-euas#individual-serological. Retrieved 23 August 2020.
- ↑ 5.0 5.1 Centers for Medicare and Medicaid Services (17 December 2020). "Frequently Asked Questions (FAQs), CLIA Guidance During the COVID-19 Emergency" (PDF). https://www.cms.gov/files/document/frequently-asked-questions-faqs-clia-guidance-during-covid-19-emergency-updated-12-17-2020.pdf. Retrieved 07 September 2021.
- ↑ Wright, D.R. (26 March 2020). "Clinical Laboratory Improvement Amendments (CLIA) Laboratory Guidance During COVID-19 Public Health Emergency" (PDF). Centers for Medicare and Medicaid Services. https://www.cms.gov/files/document/qso-20-21-clia.pdf-0. Retrieved 18 May 2020.
- ↑ "Updated CLIA SARS-CoV-2 Molecular and Antigen Point of Care Test Enforcement Discretion" (PDF). Centers for Medicare and Medicaid Services. 7 December 2020. https://www.cms.gov/files/document/clia-sars-cov-2-point-care-test-enforcement-discretion.pdf. Retrieved 07 September 2021.
- ↑ "CAP Responds to Your COVID-19 Questions". College of American Pathologists. 2021. https://www.cap.org/laboratory-improvement/news-and-updates/cap-responds-to-your-covid-19-questions. Retrieved 07 September 2021.