

Laboratory-developed tests (LDTs) and HIPAA compliance

Laboratory-developed tests are in vitro diagnostic tests designed, manufactured, and used within a single laboratory. Unlike commercially distributed test kits, LDTs are developed by individual laboratories to address specific clinical needs or to provide testing capabilities that may not be available through commercial sources. These tests range from simple modifications of FDA-cleared assays to complex genomic or proteomic analyses.

Emma L. Kurnat-Thoma explains this in Patient Safety and Healthcare Quality of U.S. Laboratory Developed Tests (LDTs) in the AI/ML Era of Precision Medicine, stating: "Most genetic/genomic tests are LDTs, a category of IVD that are designed, produced and utilized within a single laboratory, and proceed to market without independent analysis and verification of the information provided." 

The role of LDTs in healthcare is to:

  • Provide diagnostic solutions for rare diseases
  • Facilitate personalized medicine approaches
  • Enable response to emerging health threats
  • Advance innovative diagnostic methodologies
  • Address clinical needs where commercial tests are unavailable


The HIPAA regulations

HIPAA establishes national standards for protecting sensitive patient health information. For laboratories performing LDTs, three primary rules within HIPAA drive compliance requirements:

  1. The Privacy Rule: Governs the use and disclosure of PHI, establishing patients' rights regarding their health information
  2. The Security Rule: Sets standards for protecting electronic PHI (ePHI) through administrative, physical, and technical safeguards
  3. The Breach Notification Rule: Requires notification procedures following unauthorized disclosures of unsecured PHI

According to Kurnat-Thoma, "In the era of AI/ML applications, LDTs are used in more sophisticated and complex ways involving multi-component assay kits, sequencing systems, software, algorithms, and complex, sensitive instrumentation with little transparency or accountability for quality, particularly in the form of adverse events and safety information." 

Any laboratory that qualifies as a HIPAA covered entity (by conducting covered electronic transactions) or business associate must comply with these regulations when developing, validating, and implementing LDTs.


Patient access rights and LDT results

One key aspect of HIPAA compliance for laboratories performing LDTs is patient access to test results. Since the 2014 amendment to both the CLIA regulations and the HIPAA Privacy Rule, patients have had expanded rights to access their laboratory test results directly.

As specified in the Patients' Access to Test Reports final rule: "This final rule amends the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations to specify that, upon the request of a patient (or the patient's personal representative), laboratories subject to CLIA may provide the patient, the patient's personal representative, or a person designated by the patient, as applicable, with copies of completed test reports that, using the laboratory's authentication process, can be identified as belonging to that patient."

This regulatory change eliminated previous barriers that often prevented patients from accessing their LDT results directly from laboratories. Now, HIPAA-covered laboratories must have systems in place to:

  • Authenticate patient identity before releasing results
  • Provide test reports in the format requested by the patient when feasible
  • Transmit results to third parties when designated by the patient
  • Respond to access requests within 30 days (with limited extensions possible)


HIPAA security considerations for LDT data

LDTs often generate large amounts of sensitive data, whether sequencing information, biomarker measurements, or other clinical parameters. Protecting this data requires security measures aligned with HIPAA's Security Rule requirements.

Kurnat-Thoma underscores the scale of what is at stake: "Every year, approximately 70% of U.S. medical decisions depend on a total of 14 billion laboratory tests across 330,000 CLIA-certified laboratories."


Risk assessment and management

Laboratories must conduct regular risk assessments specific to their LDT operations. These assessments should identify where and how LDT data is:

  • Generated
  • Processed
  • Stored
  • Transmitted
  • Archived

For each stage, appropriate security controls must be implemented based on the risk level identified.

Learn more: How to perform a risk assessment


Technical safeguards for LDT data

Technical safeguards for protecting LDT data include:

  • Access controls: Implementing strong authentication and authorization mechanisms for systems processing LDT data
  • Audit controls: Maintaining detailed logs of who accesses LDT results and when
  • Integrity controls: Ensuring LDT data cannot be improperly altered
  • Transmission security: Encrypting LDT data when transmitted electronically
  • Authentication: Verifying that individuals accessing LDT information are properly identified


Physical safeguards

Physical security measures are equally important and should include:

  • Restricted access to laboratory areas where LDT testing occurs
  • Controlled access to servers and workstations containing LDT data
  • Appropriate disposal procedures for physical media containing LDT information
  • Workstation use policies that prevent unauthorized viewing of LDT results

Learn more: What are administrative, physical and technical safeguards?


De-identification considerations for LDT data

Laboratories utilize de-identified patient data from previous LDTs for research or to improve test performance. Under HIPAA, de-identification can follow either:

According to Privacy Challenges and Research Opportunities for Genomic Data Sharing, complete de-identification of genetic LDTs presents challenges because "Individual's germline genomic data provide information that can uniquely identify individuals and tend to remain relatively static over the course of life, providing excellent biometric information (i.e., genomic 'fingerprint')."

Furthermore, "Traditional privacy models designed for health data provide limited protection for genomic data. An attacker may learn sensitive information about a target individual by exploiting the dependency between genomic data and other publicly available information such as: family name, demographic data, and observable features (e.g., eyes and hair color)." This is why laboratories must carefully consider privacy implications when repurposing genetic LDT data for research or validation purposes.


Minimum necessary standard and LDTs

The HIPAA Privacy Rule's minimum necessary standard requires covered entities to limit uses, disclosures, and requests for PHI to the minimum necessary to accomplish the intended purpose. For LDTs, this means laboratories should:

  • Develop clear policies about who needs access to specific components of LDT data
  • Limit access to identified patient information during test development and validation when possible
  • Structure workflows to minimize unnecessary exposure of PHI
  • Train personnel on proper handling of PHI during LDT processes
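
The technical safeguards section above (access controls, audit controls, integrity controls) and the minimum necessary list just given describe controls in the abstract. The following is an added example, written for this page rather than taken from the article or from any laboratory's system, of how those controls look in code: a small in-memory result store in which each job function sees only the record fields its policy permits, every access attempt is written to an audit log, and each stored result carries an HMAC tag so an improper alteration is detected before the record is served. The role names, field names, sample record and the integrity key are all constructed for the demonstration.

```python
"""Added example: HIPAA technical safeguards and minimum necessary, in miniature.

Not code from the Paubox article. Roles, field names, the sample record and the
integrity key below are constructed for illustration only.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Demo-only integrity key (constructed). A real deployment would load this from
# a key management service, never hard-code it.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"

# Minimum-necessary policy: the record fields each job function may see.
# The roles and field names are assumptions made for this example.
ROLE_FIELDS = {
    "ordering_clinician": {"patient_id", "test_name", "result", "reference_range"},
    "bioinformatician": {"specimen_id", "test_name", "raw_variants"},
    "billing": {"patient_id", "test_name"},
}

# Constructed sample result; none of these values refer to a real patient.
SAMPLE_RECORD = {
    "specimen_id": "SPC-0001",
    "patient_id": "PAT-12345",
    "test_name": "Demo NGS panel",
    "result": "No pathogenic variants detected",
    "reference_range": "N/A",
    "raw_variants": ["chr1:12345A>G"],
}


def _canonical(record: dict) -> bytes:
    # Stable serialisation so identical content always yields the same tag.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Integrity control: attach an HMAC-SHA256 tag to a result record."""
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Return True only if the stored record still matches its tag."""
    expected = hmac.new(key, _canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


@dataclass
class LdtResultStore:
    sealed_records: dict = field(default_factory=dict)  # specimen_id -> sealed record
    audit_log: list = field(default_factory=list)  # audit control: every access attempt

    def add(self, record: dict) -> None:
        # Copy so later tampering with the store cannot alter the caller's object.
        self.sealed_records[record["specimen_id"]] = seal(dict(record))

    def _audit(self, user: str, role: str, specimen_id: str, outcome: str, fields=()) -> None:
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "specimen_id": specimen_id,
            "outcome": outcome, "fields": sorted(fields),
        })

    def read(self, user: str, role: str, specimen_id: str) -> dict:
        """Access control + minimum necessary: return only the fields the role may see."""
        allowed = ROLE_FIELDS.get(role)
        if allowed is None:
            self._audit(user, role, specimen_id, "denied")
            raise PermissionError(f"role {role!r} has no access policy")
        sealed = self.sealed_records.get(specimen_id)
        if sealed is None:
            self._audit(user, role, specimen_id, "not_found")
            raise KeyError(specimen_id)
        if not verify(sealed):
            # Refuse to serve a record that may have been altered.
            self._audit(user, role, specimen_id, "integrity_failure")
            raise ValueError(f"record {specimen_id} failed integrity check")
        view = {k: v for k, v in sealed["record"].items() if k in allowed}
        self._audit(user, role, specimen_id, "ok", view.keys())
        return view


def demo() -> dict:
    """Walk through the controls on the constructed sample record."""
    store = LdtResultStore()
    store.add(SAMPLE_RECORD)
    clinician_view = store.read("dr.alice", "ordering_clinician", "SPC-0001")
    bioinf_view = store.read("bob", "bioinformatician", "SPC-0001")
    # Simulate an improper change to the stored result, then check the tag.
    store.sealed_records["SPC-0001"]["record"]["result"] = "Pathogenic variant detected"
    tamper_detected = not verify(store.sealed_records["SPC-0001"])
    return {
        "clinician_view": clinician_view,
        "bioinformatician_view": bioinf_view,
        "tamper_detected": tamper_detected,
        "audit_entries": len(store.audit_log),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points worth noting: the bioinformatician role never receives `patient_id`, which is the "limit access to identified patient information during test development and validation" item made concrete, and a denied or failed read is audited just like a successful one, since the audit control is about who attempted access and when, not only who succeeded.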

Learn more: How to determine the minimum necessary information


Business associate relationships in LDT development

Many laboratories collaborate with external partners when developing LDTs, including:

  • Software developers for bioinformatics pipelines
  • Cloud service providers for data storage
  • Consultants for specialized expertise
  • Reference laboratories for confirmatory testing

When these partners have access to PHI from LDTs, they typically qualify as business associates under HIPAA, requiring:

  • Formal business associate agreements (BAAs)
  • Assurances of HIPAA compliance from the partner
  • Clear delineation of responsibilities for protecting LDT data
  • Documentation of data security practices

Learn more: What does it mean to be a business associate?


Documentation requirements

HIPAA compliance for LDTs must be thoroughly documented. Documentation includes:

  • Policies and procedures: Detailed protocols for handling PHI throughout the LDT lifecycle
  • Risk analyses: Documentation of security risks specific to LDT operations
  • Training records: Evidence that personnel are trained on privacy and security requirements
  • Authorization forms: Templates for patient authorization when required
  • Breach response plan: Protocols specific to potential breaches of LDT data
  • Business associate agreements: Contracts with all external entities handling LDT data

Learn more: The different types of HIPAA forms


Intersection with CLIA requirements

While HIPAA governs privacy and security, CLIA regulations focus on laboratory quality standards. For LDTs, as outlined in the Regulatory Knowledge Guide for Laboratory Developed Tests, these regulatory frameworks intersect in several important ways:

  • Test result reporting: Both regulations address how results are reported and to whom
  • Record retention: Both establish requirements for maintaining documentation
  • Quality systems: Both emphasize systematic approaches to quality management
  • Personnel requirements: Both address staff qualifications and training


Best practices for HIPAA compliance in LDT operations

Laboratories can enhance their HIPAA compliance for LDTs by following these best practices:

  1. Incorporate privacy and security considerations from the earliest stages of LDT development
  2. Control access to LDT data based on specific job functions
  3. Create specialized training for all personnel involved in LDT operations
  4. Develop formal governance structures for LDT data management
  5. Proactively assess HIPAA compliance for LDT operations


FAQs

What qualifies a laboratory as a HIPAA-covered entity when developing LDTs?

A laboratory becomes a HIPAA-covered entity if it conducts electronic transactions like billing health plans for services.


Can a laboratory performing LDTs also be a business associate under HIPAA?

Yes, if it handles PHI on behalf of another covered entity, it can act as a business associate.


Can test development data be shared with third-party researchers under HIPAA?

Only if the data is de-identified or if researchers have proper authorization and data use agreements in place.


What are the biggest HIPAA risks when handling genomic LDT data?

The biggest risks include re-identification of de-identified data and exposure of sensitive genetic markers.
