Laboratory-developed tests (LDTs) are in vitro diagnostic (IVD) tests designed, manufactured, and used within a single laboratory. Unlike commercially distributed test kits, LDTs are developed by individual laboratories to address specific clinical needs or to provide testing capabilities that are not available from commercial sources. These tests range from simple modifications of FDA-cleared assays to complex genomic or proteomic analyses.
Emma L. Kurnat-Thoma explains this in Patient Safety and Healthcare Quality of U.S. Laboratory Developed Tests (LDTs) in the AI/ML Era of Precision Medicine, stating: "Most genetic/genomic tests are LDTs, a category of IVD that are designed, produced and utilized within a single laboratory, and proceed to market without independent analysis and verification of the information provided."
The role of LDTs in healthcare is to:
HIPAA establishes national standards for protecting sensitive patient health information. For laboratories performing LDTs, three primary rules within HIPAA drive compliance requirements:
According to Kurnat-Thoma, "In the era of AI/ML applications, LDTs are used in more sophisticated and complex ways involving multi-component assay kits, sequencing systems, software, algorithms, and complex, sensitive instrumentation with little transparency or accountability for quality, particularly in the form of adverse events and safety information."
Any laboratory that qualifies as a HIPAA covered entity (by conducting covered electronic transactions) or as a business associate must comply with these regulations when developing, validating, and implementing LDTs.
An important aspect of HIPAA compliance for laboratories performing LDTs is patient access to test results. Since the 2014 amendment to both the CLIA regulations and the HIPAA Privacy Rule, patients have had expanded rights to access their laboratory test results directly.
As specified in the Patients' Access to Test Reports final rule: "This final rule amends the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations to specify that, upon the request of a patient (or the patient's personal representative), laboratories subject to CLIA may provide the patient, the patient's personal representative, or a person designated by the patient, as applicable, with copies of completed test reports that, using the laboratory's authentication process, can be identified as belonging to that patient."
This regulatory change eliminated previous barriers that often prevented patients from accessing their LDT results directly from laboratories. Now, HIPAA-covered laboratories must have systems in place to:
LDTs often generate large amounts of sensitive data, whether sequencing information, biomarker measurements, or other clinical parameters. Protecting this data requires security measures aligned with HIPAA's Security Rule requirements.
Kurnat-Thoma underscores the scale of this data by stating, "Every year, approximately 70% of U.S. medical decisions depend on a total of 14 billion laboratory tests across 330,000 CLIA-certified laboratories."
Laboratories must conduct regular risk assessments specific to their LDT operations. These assessments should identify where and how LDT data is:
For each stage, appropriate security controls must be implemented based on the risk level identified.
Learn more: How to perform a risk assessment
Technical safeguards for protecting LDT data include:
Physical security measures are equally important and should include:
Learn more: What are administrative, physical and technical safeguards?
Laboratories also use de-identified patient data from previous LDTs for research or to improve test performance. Under HIPAA, de-identification can follow either:
According to Privacy Challenges and Research Opportunities for Genomic Data Sharing, complete de-identification of genetic LDTs presents challenges because "Individual's germline genomic data provide information that can uniquely identify individuals and tend to remain relatively static over the course of life, providing excellent biometric information (i.e., genomic 'fingerprint')."
Furthermore, "Traditional privacy models designed for health data provide limited protection for genomic data. An attacker may learn sensitive information about a target individual by exploiting the dependency between genomic data and other publicly available information such as: family name, demographic data, and observable features (e.g., eyes and hair color)." This is why laboratories must carefully consider privacy implications when repurposing genetic LDT data for research or validation purposes.
The HIPAA Privacy Rule's minimum necessary standard requires covered entities to limit uses, disclosures, and requests for PHI to the minimum necessary to accomplish the intended purpose. For LDTs, this means laboratories should:
Learn more: How to determine the minimum necessary information
Many laboratories collaborate with external partners when developing LDTs, including:
When these partners have access to PHI from LDTs, they typically qualify as business associates under HIPAA, requiring:
Learn more: What does it mean to be a business associate?
HIPAA compliance for LDTs must be thoroughly documented. Documentation includes:
Learn more: The different types of HIPAA forms
While HIPAA governs privacy and security, CLIA regulations focus on laboratory quality standards. For LDTs, as outlined in the Regulatory Knowledge Guide for Laboratory Developed Tests, the two regulatory frameworks intersect in several important ways:
Laboratories can enhance their HIPAA compliance for LDTs by following these best practices:
A laboratory becomes a HIPAA-covered entity if it conducts electronic transactions like billing health plans for services.
Yes, if it handles PHI on behalf of another covered entity, it can act as a business associate.
Only if the data is de-identified or if researchers have proper authorization and data use agreements in place.
The biggest risks include re-identification of de-identified data and exposure of sensitive genetic markers.