CLIA, HIPAA and other laws regulate POLs


Possibly one of the most common and important reasons a clinical laboratory uses an LIS is to help it stay compliant with applicable regulations. In the United States these include both state and federal regulations, with CLIA and HIPAA chief amongst the latter. States can apply to the Centers for Medicare and Medicaid Services (CMS) for CLIA exemption status, which may be granted if CMS determines that the state regulations are equivalent. In that case, labs need only comply with the state regulation rather than with each set of regulations separately.[1]

Labs may fall under any of a number of other regulatory standards and/or organizations, including CAP, COLA, HCFA, JCAHO, CLSI and others.



The Clinical Laboratory Improvement Amendments (CLIA) of 1988 is a United States federal statute and regulatory standards program that applies to all clinical laboratory testing performed on humans in the United States, except clinical trials and basic research.[1]


On December 5, 1967, the U.S. enacted Public Law 90-174, which included in Section 5 the "Clinical Laboratories Improvement Act of 1967." CLIA '67 set regulations on the licensing of clinical laboratories and the movement of samples in and out of them across state lines. Laboratories would be eligible for a full, partial, or exempt CLIA '67 license, depending on the tests the laboratory conducted.[2]

However, by the mid-1980s the relevancy of CLIA '67 to a vastly changed procedural and technological clinical laboratory landscape began to be questioned. The Office of the Assistant Secretary for Health for Planning and Evaluation (ASPE) of the U.S. Department of Health and Human Services commissioned a study to assess the effectiveness of federal regulations affecting clinical laboratories and their goal of protecting the public health. On April 8, 1986, the Final Report on Assessment of Clinical Laboratory Regulations by Michael L. Kenney and Don P. Greenberg was submitted to the ASPE.[3]

The analysis found that many federal regulations are technically obsolescent and many may be operationally unnecessary as a result of changing laboratory technology and changed federal reimbursement policies. Among changes recommended by the HHS-funded analysis are: (a) the regulatory classification system based upon physical location of laboratories is no longer appropriate and should be replaced with a classification system reflecting laboratory functions; (b) a single, uniform set of federal regulations should be developed that covers all civilian laboratories receiving federal reimbursement or operating in interstate commerce; (c) a revised federal regulatory system should emphasize measures of performance such as personnel and inspection requirements; and (d) clinical laboratory regulations should be based upon objective data to the maximum extent possible.[3]

On August 5, 1988, a new set of proposed regulations was put forth by the Health Care Financing Administration as Medicare, Medicaid and CLIA Programs; Revision of the Clinical Laboratory Regulations for the Medicare, Medicaid, and Clinical Laboratories Improvement Act of 1967 Programs. The proposal aspired "to remove outdated, obsolete and redundant requirements, make provision for new technologies, place increased reliance on outcome measures of performance, and emphasize the responsibilities and duties of personnel rather than the formal credentialing requirements and detailed personnel standards in existing regulations."[4] This ultimately led to the proposal becoming law on October 31, 1988 under Public Law 100-578 as the Clinical Laboratory Improvement Amendments of 1988.[5]

Regulations for implementing CLIA continued to be developed afterwards, with the Department of Health and Human Services considering thousands of comments to the proposed regulations. The final regulations were published February 28, 1992, set to be effective on September 1 of the same year. The new CLIA '88 put into place regulations concerning test complexity, certification, proficiency testing, patient test management, personnel requirements, quality assurance, and other processes in the clinical laboratory.[6] However, phase-in effective dates were extended on several occasions afterwards: on December 6, 1994 in the Federal Register (59 FR 62606), May 12, 1997 in the Federal Register (62 FR 25855), October 14, 1998 in the Federal Register (63 FR 55031), and December 29, 2000 in the Federal Register (65 FR 82941).[7]

On January 24, 2003, the Centers for Medicare and Medicaid Services submitted their final rule (68 FR 3639), effective April 24, 2003, affecting QC requirements for laboratories and qualification requirements for lab directors. The final rule also made revisions to 42 CFR 493, including the renaming, reorganizing, and consolidation of similar requirements into one section, the deletion of duplicate requirements, and the rewording of the requirements to better clarify their original intent. It also addressed requirements regarding the entire testing process, making those requirements better correlate with the workflow of a specimen in the laboratory, from acquisition to reporting of results, including the subdivision of testing into pre-analytic, analytic, and post-analytic phases.[7][8]

In the fall of 2019, the Centers for Disease Control and Prevention's Director of Laboratory Systems Reynolds Salerno requested comments from its Clinical Laboratory Improvement Advisory Committee (CLIAC), as well as from the public, regarding how CLIA regulations should be revised. “It’s a dramatic step for the government to ask the laboratory community how to revise the CLIA regulations,” Salerno told Dark Daily.[9] During the November CLIAC meeting, attendees reviewed the 23 recommendations CLIAC had made earlier (April 2019) regarding updates to CLIA, grouped into CLIA personnel requirement changes, nontraditional test workflow (big data- and machine learning-driven) changes, and changes related to next-generation sequencing testing, workflows, and best practices.[10][11]

CLIA program

The CLIA program sets standards and issues certificates for clinical laboratory testing. CLIA defines a clinical laboratory as any facility which performs laboratory testing on specimens derived from humans for the purpose of providing information for:

  • diagnosis, prevention, or treatment of disease or impairment.
  • health assessments.

The CLIA program is designed to ensure the accuracy, reliability, and timeliness of test results regardless of where the test was performed. Each specific laboratory system, assay, and examination is graded for level of complexity by assigning scores of "1," "2," or "3" for each of seven criteria. A test scored as a "1" is the lowest level of complexity, while a test scored "3" indicates the highest level. A score of "2" is assigned when the characteristics for a particular test are ranked primarily between low- and high-level in description.[12]

The seven criteria for categorization are:

  1. Knowledge
  2. Training and experience
  3. Reagents and materials preparation
  4. Characteristics of operational steps
  5. Calibration, quality control, and proficiency testing materials
  6. Test system troubleshooting and equipment maintenance
  7. Interpretation and judgment

The Centers for Medicare and Medicaid Services (CMS) has the primary responsibility for the operation of the CLIA program. Within CMS, the program is implemented by the Center for Medicaid and State Operations, Survey and Certification Group, and the Division of Laboratory Services.

The CLIA Program is funded by user fees collected from over 265,000 laboratories[13], most located in the United States.[14]

CLIA waived tests

Under CLIA, tests and test systems that meet risk, error, and complexity requirements are issued a CLIA certificate of waiver.[15][14] In its 2017 document Administrative Procedures for CLIA Categorization - Guidance for Industry and Food and Drug Administration Staff, the U.S. Food and Drug Administration (FDA) advises its staff that a medical testing device originally rated moderately complex could receive a waiver "if the device is simple to use and the sponsor demonstrates in studies conducted at the intended use sites that the test is accurate and poses an insignificant risk of erroneous results."[16]

While a waived test is deemed to have an acceptably low level of risk, the Centers for Disease Control and Prevention (CDC) reminds administrators and recipients of such tests that no test is 100 percent safe[15]:

Although CLIA requires that waived tests must be simple and have a low risk for erroneous results, this does not mean that waived tests are completely error-proof. Errors can occur anywhere in the testing process, particularly when the manufacturer's instructions are not followed and when testing personnel are not familiar with all aspects of the test system. Some waived tests have potential for serious health impacts if performed incorrectly... To decrease the risk of erroneous results, the test needs to be performed correctly, by trained personnel and in an environment where good laboratory practices are followed.

In November 2007, the CLIA waiver provisions were revised by the United States Congress to make it clear that tests approved by the FDA for home use automatically qualify for CLIA waiver.[17]

List of tests

A list of tests categorized by the FDA as waived since 2000 can be found at the FDA website. As of April 2020, the list includes slightly more than 2,000 unique approved CLIA-waived test devices.



A couple elements of this article are reused from the Wikipedia article.


  1. "Clinical Laboratory Improvement Amendments (CLIA)". Centers for Medicare and Medicaid Services. 26 March 2020. Retrieved 15 April 2020. 
  2. "Public Law 90-174" (PDF). United States Statutes at Large, Volume 81. 1967. Retrieved 15 April 2020. 
  3. Kenney, M.L. (1987). "Quality Assurance in Changing Times: Proposals for Reform and Research in the Clinical Laboratory Field". Clinical Chemistry 33 (2): 328–36. doi:10.1093/clinchem/33.2.328. PMID 3542302. 
  4. Singer, Donald C.; Upton, Ronald P. (1993). "Appendix F: Proposed Revision of the Clinical Laboratory Regulations for Medicare, Medicaid, and Clinical Laboratories Improvement Act of 1967 - Department of Health and Human Services: Health Care Financing Administration". Guidelines for Laboratory Quality Auditing. CRC Press. pp. 273–402. ISBN 9780824787844. 
  5. "Public Law 100-578" (PDF). United States Statutes at Large, Volume 102. 1988. Retrieved 15 April 2020. 
  6. "Regulations for Implementing the Clinical Laboratory Improvement Amendments of 1988: A Summary". Morbidity and Mortality Weekly Report 41 (RR-2): 1–17. 28 February 1992. PMID 1538689. Retrieved 15 April 2020. 
  7. "Medicare, Medicaid, and CLIA Programs; Laboratory Requirements Relating to Quality Systems and Certain Personnel Qualifications; Final Rule". Federal Register 68 (16): 3639–3714. 24 January 2003. PMID 12545998. Retrieved 15 April 2020. 
  8. "Clinical Laboratory Improvement Act (CLIA) - Legislative History". New Mexico Department of Health. Archived from the original on 09 March 2014. Retrieved 15 April 2020. 
  9. Burns, J. (16 October 2019). "Federal Advisory Committee Seeks Public Comments on Revising CLIA Regulations, says Keynote Speaker at 13th Annual Lab Quality Confab in Atlanta". Dark Daily. Retrieved 15 April 2020. 
  10. Clinical Laboratory Improvement Advisory Committee (07 November 2019). "CLIAC Summary Report November 6–7, 2019, Atlanta, Georgia" (PDF). Centers for Disease Control and Prevention. Retrieved 15 April 2020. 
  11. Clinical Laboratory Improvement Advisory Committee (01 October 2019). "Clinical Laboratory Improvement Advisory Committee (CLIAC) Recommendations Table" (PDF). Centers for Disease Control and Prevention. Retrieved 15 April 2020. 
  12. "CLIA Categorizations". U.S. Food and Drug Administration. 25 February 2020. Retrieved 15 April 2020. 
  13. "CLIA Update – October 2019 - Laboratories by Type of Facility" (PDF). Centers for Medicare and Medicaid Services. October 2019. Retrieved 15 April 2020. 
  14. "CLIA Program and Medicare Laboratory Services" (PDF). Centers for Medicare and Medicaid Services. October 2018. Retrieved 15 April 2020. 
  15. "Waived Tests". Centers for Disease Control and Prevention. 16 December 2019. Retrieved 15 April 2020. 
  16. "Administrative Procedures for CLIA Categorization - Guidance for Industry and Food and Drug Administration Staff". U.S. Food and Drug Administration. October 2017. Retrieved 15 April 2020. 
  17. "IVD Regulatory Assistance - CLIA Waivers". U.S. Food and Drug Administration. 19 June 2009. Archived from the original on 02 February 2020. Retrieved 15 April 2020. 


This article is reused from [1].



The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted by the United States Congress and signed by President Bill Clinton in 1996. Its intended purpose was "to improve portability and continuity of health insurance coverage in the group and individual markets; to combat waste, fraud, and abuse in health insurance and health care delivery; to promote the use of medical savings accounts; to improve access to long-term care services and coverage; [and] to simplify the administration of health insurance."[1]



In 1994, U.S. President Bill Clinton attempted to overhaul the national health care system but didn't receive the support he needed. In 1995, Senators Nancy Kassebaum (R-KS) and Edward Kennedy (D-MA) introduced a comparatively pared-down proposal called the Health Insurance Reform Act of 1995 (S 11028), later referred to informally as the Kassebaum/Kennedy Bill. The proposal called for health insurance portability for employees, medical savings accounts, increased deductibility of health insurance for the self-employed, and tax breaks for long-term care insurance.[2][3] The legislation successfully made it out of the Senate Labor and Human Resources Committee on August 2, 1995[4], only to be stalled "because of opposition from conservative senators who shared industry concerns over the group-to-individual portability provisions."[2]

Wanting to get some sort of health care reform legislation passed, Clinton referenced the stalled bill several times in his January 1996 State of the Union address. Though some feared the ploy by Clinton would ultimately sink the bill, it instead resulted in bipartisan cooperation so that neither side could take sole credit for the bill.[4] On February 7, 1996, the two parties agreed to further discuss the legislation in the House and Senate. This resulted in several events: the House of Representatives created an alternative bill (HR 3103) that drew on characteristics of S 11028, passing on March 28; the Senate passed a version of the original S 11028 on April 23 but without controversial attachments like medical savings accounts. However, differences between the House and Senate bills caused problems. "The House bill, for example, included provisions allowing for medical savings accounts, a limit on monetary damages in medical malpractice lawsuits and a reduction in states' authority to regulate health insurance purchasing pools created by small businesses."[2] Additionally, the Senate bill contained a provision on mental health coverage that was omitted from the House version. It took several weeks of debate to make concessions on these topics.

A Republican-led compromise was offered on June 10; however, debate raged on. It wasn't until a July 25 compromise between Kennedy and Ways and Means Committee Chairman Bill Archer (R-TX) on medical savings accounts that momentum shifted. Provisions on mental illness and medical malpractice were eventually dropped from the proposal on July 31, with the House and Senate agreeing on the final version on August 1 and August 2 respectively.[2] On August 21, 1996, the legislation was signed into law by President Clinton and codified as Public Law 104-191, the Health Insurance Portability and Accountability Act of 1996 (HIPAA).[5][1]


The administrative simplification provisions in HIPAA meant more work had to be done on the legislation. The U.S. Department of Health and Human Services (HHS) began work on the HIPAA Privacy Rule in 1999, "which set out detailed regulations regarding the types of uses and disclosures of personally identifiable health information that are permitted by the covered entities."[6] However, large volumes of comments and Executive branch changes in 2000 slowed the process down.[6] Several more years of corrections and requests for comments followed, culminating in the release of the Final Rule on August 14, 2002 as 45 CFR Part 160 and Subparts A and E of Part 164.[7] Most health plans were expected to be in compliance by April 14, 2003, though some exceptions existed.

Despite the Privacy Rule, many still argued that the legislation was not sufficient to prevent mishandling of personal health information and that it was impeding research.[6] These concerns, combined with few instances of enforcement in the first few years after the 2003 compliance date, prompted additional review by HHS.[8] On February 16, 2006, HHS issued the Final Rule regarding HIPAA enforcement, to be effective March 16, 2006.[9]

Additional updates to the enforcement rule came with the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted on February 17, 2009. The Act added "several provisions that strengthen the civil and criminal enforcement of the HIPAA rules" by adding categories of violations and tiered penalty amounts.[9] HIPAA and the HITECH statutes were further revised in January 2013 (effective March 26, 2013) "to strengthen the privacy and security protection for individuals’ health information," update the Breach Notification Rule, "strengthen the privacy protections for genetic information," and revise other portions of HIPAA rules "to improve their workability and effectiveness."[10]


HIPAA is divided into five titles, each with its own subtitles[1]:

Title I: Health Care Access, Portability, and Renewability

Subtitle A - Group Market Rules
Subtitle B - Individual Market Rules
Subtitle C - General and Miscellaneous Provisions

Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform

Subtitle A - Fraud and Abuse Control Program
Subtitle B - Revisions to Current Sanctions for Fraud and Abuse
Subtitle C - Data Collection
Subtitle D - Civil Monetary Penalties
Subtitle E - Revisions to Criminal Law
Subtitle F - Administrative Simplification
Subtitle G - Duplication and Coordination of Medicare-Related Plans

Title III: Tax-Related Health Provisions

Subtitle A - Medical Savings Accounts
Subtitle B - Increase in Deduction for Health Insurance Costs of Self-Employed Individuals
Subtitle C - Long-Term Care Services and Contracts
Subtitle D - Treatment of Accelerated Death Benefits
Subtitle E - State Insurance Pools
Subtitle F - Organizations Subject to Section 833
Subtitle G - IRA Distributions to the Unemployed
Subtitle H - Organ and Tissue Donation Information Included With Income Tax Refund Payments

Title IV: Application and Enforcement of Group Health Plan Requirements

Subtitle A - Application and Enforcement of Group Health Plan Requirements
Subtitle B - Clarification of Certain Continuation Coverage Requirements

Title V: Revenue Offsets

Subtitle A - Company-Owned Life Insurance
Subtitle B - Treatment of Individuals Who Lose United States Citizenship
Subtitle C - Repeal of Financial Institution Transition Rule to Interest Allocation Rules


Title I of HIPAA contains three subtitles that protect health insurance coverage for workers and their families when they change or lose their jobs.

Title II of HIPAA contains seven subtitles. One of the most important for expanding HIPAA is Subtitle F, the Administrative Simplification (AS) provisions, requiring the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. Title II also addresses the security and privacy of health data, with the intent of improving the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.

Title III of HIPAA modifies the Internal Revenue Code (IRC) to revise available tax deductions for health insurance, clarify how pre-tax money could be applied to health payments, and regulate long-term care services and how they're contracted. Other tax-related issues like IRA distribution and organ donor tax refund payments are covered by this title, in total spread out over eight subtitles.

Title IV of HIPAA modifies both the IRC and the Public Health Service Act (PHSA) to describe requirements for and enforcement of how group health plans could legally manage and cover patients' pre-existing conditions as well as their continuation of coverage. This information is supplied over two subtitles.

Title V of HIPAA contains three subtitles that amend the IRC concerning miscellaneous issues such as interest deductions on loans related to company-owned life insurance, how individuals who lose their U.S. citizenship shall be treated tax-wise, and the removal of certain limitations on interest allocation.


On February 16, 2006, HHS issued the Final Rule regarding HIPAA enforcement. It became effective on March 16, 2006. The Enforcement Rule set civil money penalties for violating HIPAA rules and established procedures for investigations and hearings for HIPAA violations. Before the enforcement rule, the deterrent effects of the legislation seemed negligible, with few prosecutions for violations.[8] Enforcement operations were ratcheted up further with the passage of the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009, which greatly increased the financial penalties that could be applied to entities in non-compliance.[11]

By the end of 2014, the U.S. Department of Health and Human Services (HHS) reported investigating 106,522 HIPAA complaints against national pharmacy chains, major health care centers, insurance groups, hospital chains and other small providers since April 2003. HHS reported 23,314 of those cases had been resolved by requiring changes in privacy practice or by corrective action. In 10,566 cases, investigation found that HIPAA had been followed correctly. Another 68,412 cases were found to be ineligible for enforcement because, for example, a violation occurred before HIPAA became effective, a case was withdrawn by the complainant, or an activity did not actually violate the rules.[12]

According to HHS, the most commonly investigated compliance issues, in order of frequency, have been[12]:

  1. incorrectly used or revealed protected health information (PHI);
  2. insufficient protection mechanisms for PHI;
  3. insufficient mechanisms for patients to access their PHI;
  4. insufficient administrative protections and tools for managing electronic PHI; and
  5. usage and disclosure of more PHI than minimally necessary.

HHS also stated that the entities most likely to be responsible for infractions, in order of frequency, have been[12]:

  1. private practices;
  2. general hospitals;
  3. outpatient facilities;
  4. pharmacies; and
  5. health plans (group health plans and health insurance issuers).

Assessed impact

The enactment of HIPAA caused major changes in the way physicians and medical centers operate. The complex legalities and potentially stiff penalties associated with HIPAA, as well as the increase in paperwork and the cost of its implementation, were causes for concern among physicians and medical centers. Many of those concerns were expressed in an August 2006 paper published in the journal Annals of Internal Medicine.[13] It mentioned a University of Michigan study that demonstrated how the implementation of the HIPAA Privacy rule resulted in a drop from 96 percent to 34 percent in the proportion of follow-up surveys completed by study patients being followed after a heart attack.[14]

By 2013, views on the impact of HIPAA were mixed. Leon Rodriguez, director of the HHS' Office for Civil Rights said of HIPAA:

Whereas many thought HIPAA would "bankrupt" healthcare, shut down research, and otherwise paralyze the industry, instead the industry has learned the benefits of the transaction and code set standards through the ease of electronic transactions. And the balance of the [HIPAA] Privacy and Security protections have paved the way to real benefits for consumers through greater access to quality care.[11]

In an article for the Houston Chronicle, writer and business consultant Lisa Dorward stated the following for patients requesting personal health information:

Direct cost to patients is minimal; health care institutions can charge the patient only for copying and postage costs for delivery of the documents. On the other hand, costs to health care providers are high and can strain already overburdened budgets. Some clinics and hospitals have had to reconstruct or remodel existing registration areas to comply with HIPAA's privacy regulations.[15]

Writing for the Loyola Consumer Law Review, attorney and legal writer Anna Colvert wrote:

Generally, HIPAA is considered a step in the right direction regarding patient privacy, and it has resulted in more descriptive and detailed privacy policies; however, it has not improved the online privacy practices of these organizations. While HIPAA is a solid foundation in protecting patients’ healthcare information there is more work to be done...[16]

A May 2013 Computerworld article reported on a survey conducted by the Ponemon Institute that found 51 percent of respondents believed "HIPAA compliance requirements can be a barrier to providing effective patient care" and 59 percent "cited the complexity of HIPAA requirements as a major barrier to modernizing the healthcare system."[17]

Audit guidelines and checklist

For those auditing computer systems and IT environments for their compliance with the Health Insurance Portability and Accountability Act and other regulations, a set of guidelines and checklist items may be useful.



  1. "Public Law 104 - 191 - Health Insurance Portability and Accountability Act of 1996". U.S. Government Publishing Office. Retrieved 15 April 2020. 
  2. "Bill Makes Health Insurance ‘Portable’". CQ Almanac 1996 52: 6-28–6-39. 1997. Retrieved 12 February 2015. 
  3. "S. 1028 (104th): Health Insurance Reform Act of 1995". Civic Impulse, LLC. Retrieved 12 February 2015. 
  4. Hiebert-White, J. (September-October 1996). "Who Won What in the Kassebaum/Kennedy Struggle?" (PDF). Health Progress 77 (5). Retrieved 12 February 2015. 
  5. Starr, P. (22 August 1996). "The Signing of the Kennedy-Kassebaum Bill". The Electronic Policy Network. Archived from the original on 29 January 1998. Retrieved 12 February 2015. 
  6. Institute of Medicine (US) Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule (2009). Nass, S. J.; Levit, L. A.; Gostin, L. O., eds. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. National Academies Press. Bookshelf ID NBK9576. Retrieved 12 February 2015. 
  7. "The Privacy Rule". U.S. Department of Health and Human Services. Retrieved 15 April 2015. 
  8. Stein, R. (5 June 2006). "Medical Privacy Law Nets No Fines". The Washington Post. Retrieved 15 April 2020. 
  9. "The HIPAA Enforcement Rule". U.S. Department of Health and Human Services. Retrieved 15 April 2020. 
  10. Office for Civil Rights, Department of Health and Human Services (25 January 2013). "Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules" (PDF). Federal Register 78 (17). Retrieved 15 April 2020. 
  11. Solove, D.J. (April 2013). "HIPAA Turns 10: Analyzing the Past, Present and Future Impact". Journal of AHIMA 84 (4): 22–28. Retrieved 15 April 2020. 
  12. "Enforcement Highlights". U.S. Department of Health and Human Services. 15 January 2015. Archived from the original on 11 February 2015. Retrieved 11 February 2015. 
  13. Wilson, J.F. (2006). "Health Insurance Portability and Accountability Act Privacy Rule Causes Ongoing Concerns among Clinicians and Researchers". Annals of Internal Medicine 145 (4): 313–6. doi:10.7326/0003-4819-145-4-200608150-00019. PMID 16908928. 
  14. "Potential Impact of the HIPAA Privacy Rule on Data Collection in a Registry of Patients With Acute Coronary Syndrome". Archives of Internal Medicine 165 (10): 1125–9. 2005. doi:10.1001/archinte.165.10.1125. PMID 15911725. 
  15. Dorward, L. "The Positive and Negative Effects of HIPAA Employment Laws". Houston Chronicle. Hearst Newspapers, LLC. Retrieved 15 April 2020. 
  16. Colvert, Anna (2013). "HIPAA'S Influence on Consumers: Friend or Foe?". Loyola Consumer Law Review 25 (4): 431–447. Retrieved 15 April 2020. 
  17. Mearian, L. (07 May 2013). "HIPAA rules, outdated tech cost U.S. hospitals $8.3B a year". Computerworld. Computerworld, Inc. Retrieved 15 April 2020. 


This article is reused from [2].

HIPAA Checklist

The following guidelines and checklist items provide a frame of reference for vendors and auditors to better determine potential compliance issues with the Health Insurance Portability and Accountability Act and a variety of other regulatory guidelines.

The following checklist is focused largely on computerized systems that house Protected Health Information (PHI) under the HIPAA regulations. However, since the computerized system exists as part of a complete operation, even when it is hosted by a cloud provider, the checklist covers the majority of the regulation. This notion that the requirements of the entire regulation apply even to cloud companies is particularly underscored by the HITECH modifications to the HIPAA regulations, under which Business Associates are now directly responsible for adherence to the HIPAA privacy regulations and not merely on a contractual basis.

Administrative safeguards

Security Management Process

  • Does a detailed risk assessment exist regarding potential vulnerabilities to the confidentiality, integrity, and availability of PHI?
  • Does the assessment identify actions to mitigate certain risks? Have these actions been taken, or have plans been generated to take these actions?
  • Does a policy exist specifying sanctions to be taken against employees who fail to comply with security policies and procedures?
  • Is there a system in place for regular review of system activity, including things such as audit logs and incident reports?

Assigned security responsibility

  • Is there a formally identified individual who is responsible for developing and implementing security policies?
  • Has this individual, or the individual's direct reports, developed and implemented security policies?
  • Collect evidence of security policies being implemented (group policy reports for the AD server, for instance).

Workforce security and Information Access Management

  • Do procedures exist governing access to PHI by employees?
  • Are employees who should not have access to PHI prevented from accessing it?
  • If employees are permitted to access systems that contain PHI, but are not permitted to access PHI, does the system have suitable controls to prevent that access?
  • View system accesses by both individuals who have access to PHI and those who don't, and evaluate potential areas of weakness in the security measures.
  • Do processes exist for authorizing access to PHI? Do these processes seem reasonable?
  • Are employees who have access to PHI supervised appropriately? Do their supervisors have adequate training and understanding regarding the treatment of PHI?
  • Are adequate procedures in place governing the termination of employees with access to PHI?
  • Do these procedures include appropriately timed termination of accounts (i.e., in the case of involuntary termination, is the account disabled before the employee has the opportunity to cause harm)?
  • For voluntary terminations, are procedures in place that require the supervisor to evaluate the need for continued access to PHI prior to the departure of the employee in question?
  • Is there a clear requirement for communication with system administrators and IT staff regarding affected accounts?
  • If a health clearinghouse is part of a larger organization, confirm that adequate controls exist that prevent the larger organization from accessing PHI.
  • Do the PHI access procedures apply to the IT/IS organization? That is, is access to PHI only allowed for IT/IS employees with a legitimate business reason to access that data? Are IT/IS employees adequately trained in the HIPAA regulations, internal policies and procedures regarding PHI?

Security Awareness and Training

  • Is there a formal and documented training program for employees who deal with PHI?
  • Are employees provided training on principles of security?
  • Are there procedures in place for addressing malicious software, including its detection and reporting? Are employees prevented from accessing remote sites that are at high risk of containing malicious software?
  • Is there a system for ensuring that security protection software (in particular anti-virus programs and firewalls) is kept up to date?
  • For outward-facing applications, is there a process by which security flaws in components (such as Java) are identified and fixed?
  • For systems that provide access to PHI, do they track log-ins, and in particular failed logins?
  • Does the system lock out users after a specified number of failed logins?
  • Are system administrators notified if such an event occurs?
  • Is there evidence that administrators respond to such events in an appropriate manner?
  • Are there policies governing password complexity, change and reuse frequency? Are the policies consistent with current industry guidance (for example, NIST SP 800-63B, which favors length and screening against known-breached passwords over mandatory periodic rotation)?
  • Are employees trained to maintain strict secrecy regarding their passwords?
  • Are there procedures mandating that IT may not request passwords from users?
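The login-tracking and lockout items above are easiest to audit when the check itself is automated. The following is an added example (not from the original article, and not the code of any particular LIS): it replays constructed authentication log lines in an assumed syslog-like format, applies an assumed lockout policy (five failures within ten minutes locks the account for thirty minutes), and returns the events an administrator should be notified of, including a successful login during a lockout window, which is evidence that the lockout is not actually enforced.

```python
"""Failed-login tracking and account lockout replayed over constructed auth log lines.

Added example, not from the original article. The log format, field names and
thresholds are assumptions for illustration; map them onto what your LIS,
database or operating system actually emits.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample lines in an assumed syslog-like format (no real system emits exactly this).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z lis01 auth: FAILED user=jdoe src=10.0.0.5
2024-05-01T09:00:12Z lis01 auth: FAILED user=jdoe src=10.0.0.5
2024-05-01T09:00:25Z lis01 auth: FAILED user=jdoe src=10.0.0.5
2024-05-01T09:00:40Z lis01 auth: FAILED user=jdoe src=10.0.0.5
2024-05-01T09:00:55Z lis01 auth: FAILED user=jdoe src=10.0.0.5
2024-05-01T09:01:10Z lis01 auth: SUCCESS user=jdoe src=10.0.0.5
2024-05-01T09:02:00Z lis01 auth: FAILED user=asmith src=10.0.0.9
2024-05-01T09:30:00Z lis01 auth: FAILED user=asmith src=10.0.0.9
2024-05-01T09:30:05Z lis01 auth: SUCCESS user=asmith src=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

MAX_FAILURES = 5                 # assumed policy: lock after 5 failures ...
WINDOW = timedelta(minutes=10)   # ... within a 10-minute sliding window ...
LOCKOUT = timedelta(minutes=30)  # ... for 30 minutes


def parse_line(line):
    """Return (timestamp, user, result, src), or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["user"], m["result"], m["src"]


def evaluate(log_text):
    """Replay the log and return the events an administrator should be notified of.

    Event kinds:
      LOCKOUT              - threshold reached; the account should now be locked
      ATTEMPT_WHILE_LOCKED - further failures against an account that is locked
      LOGIN_DURING_LOCKOUT - a SUCCESS while the account should be locked, i.e. the
                             lockout policy exists on paper but is not enforced
    """
    recent = defaultdict(deque)  # user -> timestamps of failures inside WINDOW
    locked_until = {}            # user -> time the lock expires
    events = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # in production, count unparseable lines too: gaps in the trail are a finding
        ts, user, result, src = parsed
        if user in locked_until and ts < locked_until[user]:
            kind = "LOGIN_DURING_LOCKOUT" if result == "SUCCESS" else "ATTEMPT_WHILE_LOCKED"
            events.append((ts, kind, user, src))
            continue
        if result == "SUCCESS":
            recent[user].clear()  # a good login resets the failure counter
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= MAX_FAILURES:
            locked_until[user] = ts + LOCKOUT
            q.clear()
            events.append((ts, "LOCKOUT", user, src))
    return events


if __name__ == "__main__":
    for ts, kind, user, src in evaluate(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind} user={user} src={src}")
```

On the constructed sample, jdoe trips the lockout at 09:00:55 and then logs in successfully fifteen seconds later, which is exactly the kind of event the "are administrators notified" and "is there evidence that administrators respond" items are asking about. asmith's two failures fall outside the window and produce nothing. A production version would also count failures per source address, since password spraying spreads attempts across many accounts and never trips a per-user threshold.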

Security Incident Procedures

  • Are procedures in place for responding to security incidents?
  • Is there evidence that these procedures are being followed (review any logs/files regarding actions taken in response to security incidents).

Contingency Plan

  • Does the organization have a comprehensive disaster preparedness/business continuity plan?
  • Does the plan include a backup and recovery procedure for all system data?
  • Does the plan adequately address how operations can be continued under various scenarios?
  • Does the plan include procedures for testing the various elements of the plan to ensure they are still valid?
  • Does the plan address the criticality of the various systems in its design?

Evaluation

  • Is a periodic re-evaluation of security standards undertaken?
  • Does the re-evaluation take into account changes in the current state of IT security and the environment of threats facing secured systems, as well as the current state of the regulations?

Business Associate Agreements

  • If components of the system are held outside the direct control of the company, such that PHI will be outside of the direct control of the company, do sufficient agreements exist to guarantee that the party responsible for handling the PHI will adhere to the requirements of the regulation?
  • Are these agreements in such a form that they qualify as a contract or equivalent?

Physical safeguards

Facility Access Controls

  • Is the facility containing the system (this includes electronic access points that connect to the system in a "non-secure" manner) sufficiently protected from unauthorized access?
  • Is access to application and database servers further restricted to only those personnel who are authorized to directly interact with those elements of the system (i.e., system administrators)?
  • Is there a system that limits access to facilities and areas within facilities to authorized personnel? Does this system implement a mechanism for confirming the identity of individuals accessing the facility (e.g., through an electronic key access system)?
  • Does this system apply to visitors as well?
  • Is access to systems used for testing and revision of software similarly restricted? Evaluate the access restrictions to tools that could be used to modify and deploy the software. Ensure that these access restrictions are addressed via SOP.

Workstation Use

  • Do procedures exist which govern the class of workstation that can be used to access PHI?

Workstation Security

  • Are workstations that are used to access PHI appropriately restricted?
  • If workstations can directly interact with PHI without additional controls, are the workstations secured in appropriately restricted areas?

Device and Media Controls

  • Are procedures in place governing the use and removal of hardware and storage media used to house PHI?
  • Do the procedures seem reasonable?
  • Do procedures exist regarding the disposal of media and devices used to store PHI?
  • Are records maintained that account for the movement of such media, and who moved it?

Technical safeguards

Access Control

  • Do systems with access to PHI have a robust authentication process for gaining access?
  • Do these systems require that all users have a unique ID?
  • Are password assignment, change, recovery, and related processes designed in such a way so as to ensure that the user gaining access to PHI is who they say they are?
  • Is there a mechanism for gaining access to necessary PHI in the event of an emergency? Is this mechanism designed such that its invocation during non-emergencies would not go unnoticed (e.g., break-glass access is logged and triggers an alert)?
  • Does the system automatically log off users after a defined period of inactivity?
  • Does the system maintain PHI in an encrypted state at rest? (Encryption is an addressable specification under the Security Rule; if it is not used, the decision and the compensating controls must be documented.)

Audit Controls

  • Do systems used for PHI maintain audit trails that record, in a tamper-resistant manner, all activity within the system? Are the audit trails reviewed periodically?

Integrity

  • Are policies and procedures in place to ensure that PHI has not been altered or destroyed in an unauthorized manner?
  • Are electronic mechanisms (e.g., cryptographic checksums or message authentication codes) employed to corroborate that PHI has not been altered or destroyed in an unauthorized manner?

Transmission Security

  • If PHI is transmitted outside of the responsible entity (e.g., over the internet), is it transmitted over an encrypted, authenticated channel (TLS or an equivalent protocol) so as to prevent unauthorized access?
  • Are the TLS certificates on servers involved in managing PHI current (not expired or revoked), and issued by a recognized, trusted certificate authority?
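The audit-control and integrity items above ask for audit trails kept in a secure manner and for an electronic mechanism that corroborates PHI has not been altered or destroyed. The following is an added example of one such mechanism (not from the original article or from any particular LIS): an HMAC hash-chained audit log in which each entry's tag depends on every earlier entry, together with a content digest of the PHI record captured at each access. The key, the record format and the scenario are assumptions for illustration; in production the key would live in an HSM or KMS out of reach of the application's own database accounts.

```python
"""Tamper-evident audit trail plus PHI content digests, using an HMAC hash chain.

Added example, not from the original article. KEY, the record layout and the
demo() scenario are assumptions for illustration only.
"""
import hashlib
import hmac
import json

GENESIS_TAG = "0" * 64   # chain anchor for the first entry
KEY = b"\x01" * 32       # assumed: in practice held in an HSM/KMS, never in source or in the DB


def canonical(obj):
    """Deterministic JSON so identical records always hash identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def phi_digest(record):
    """Content digest of a PHI record; stored in the audit entry to detect silent edits later."""
    return hashlib.sha256(canonical(record)).hexdigest()


def seal(key, prev_tag, entry):
    """HMAC tag that binds `entry` to the previous entry's tag (the chain link)."""
    return hmac.new(key, prev_tag.encode() + b"\n" + canonical(entry), hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only audit trail where each entry's tag depends on all earlier entries."""

    def __init__(self, key):
        self._key = key
        self.entries = []  # [{"entry": {...}, "tag": "<hex>"}, ...]

    def append(self, actor, action, record_id, digest):
        prev = self.entries[-1]["tag"] if self.entries else GENESIS_TAG
        entry = {"seq": len(self.entries), "actor": actor, "action": action,
                 "record": record_id, "phi_digest": digest}
        self.entries.append({"entry": entry, "tag": seal(self._key, prev, entry)})
        return self.entries[-1]["tag"]

    def verify(self, expected_last_tag=None):
        """Return (ok, first_bad_index). An edited or removed interior entry breaks the
        chain; a truncated tail is only caught if the caller supplies the last tag it
        recorded out of band (e.g. in a separate append-only store)."""
        prev = GENESIS_TAG
        for i, rec in enumerate(self.entries):
            if not hmac.compare_digest(seal(self._key, prev, rec["entry"]), rec["tag"]):
                return False, i
            prev = rec["tag"]
        if expected_last_tag is not None and not hmac.compare_digest(prev, expected_last_tag):
            return False, len(self.entries)
        return True, None


def demo():
    """Constructed scenario: a read, an authorised update, then three tampering attempts."""
    patient = {"id": "pt-1001", "hba1c": 7.2, "result_date": "2024-05-01"}  # constructed PHI
    log = AuditLog(KEY)
    log.append("jdoe", "READ", patient["id"], phi_digest(patient))
    patient["hba1c"] = 6.9  # legitimate correction, recorded with the new digest
    last_tag = log.append("jdoe", "UPDATE", patient["id"], phi_digest(patient))

    intact = log.verify(last_tag)  # (True, None)

    # 1. Silent edit of the stored PHI: the digest in the last audit entry no longer matches.
    patient["hba1c"] = 5.0
    phi_ok = phi_digest(patient) == log.entries[-1]["entry"]["phi_digest"]  # False

    # 2. Rewriting history: change who performed the read.
    log.entries[0]["entry"]["actor"] = "mallory"
    rewritten = log.verify(last_tag)  # (False, 0)
    log.entries[0]["entry"]["actor"] = "jdoe"

    # 3. Deleting the newest entry: only the out-of-band anchor catches this.
    dropped = log.entries.pop()
    truncated_no_anchor = log.verify()          # (True, None)  -- chain alone is silent
    truncated_with_anchor = log.verify(last_tag)  # (False, 1)
    log.entries.append(dropped)
    return intact, phi_ok, rewritten, truncated_no_anchor, truncated_with_anchor


if __name__ == "__main__":
    print(demo())
```

The chain detects any modification or removal of an interior entry, but the third case shows its limit: dropping the newest entries leaves a valid shorter chain. That is why verify() accepts the last tag the reviewer recorded elsewhere, and why the periodic review called for in the audit-control item should include comparing that anchor, not just re-running the chain check.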

Organizational requirements

Business associate contracts

  • Are business associates required contractually to adhere to the regulations with regard to PHI they maintain?
  • Do business associate agreements exist with third party data/application hosting services?
  • Do business associate agreements extend, contractually, to agents/subcontractors?
  • Is it clear within the terms of the business associate agreements that the business associate must immediately report any breaches or incidents?
  • Is it clear within the terms of the business associate agreements that the relationship can be terminated if the associate fails to comply with the requirements of the regulations?
  • Do records exist of audits and other reviews of business associates? If breaches or violations of the regulation have occurred, have appropriate actions been taken, up to and including termination of the agreement?

Documentation requirements


  • Are the procedures required by the regulations maintained in written (or alternatively electronic, but signed) form?
  • Are actions and activities which are required to be documented maintained in written form (or electronic alternatives)?
  • Is there a retention policy regarding the policies and procedures? Does the policy require that such documents be maintained for at least 6 years after either the date of its creation or of its effective date (whichever is later)?
  • Does a review system exist for these policies and procedures to ensure that they are current?


This article is reused from [3].

Meaningful Use

Although the HITECH Act's and the Affordable Care Act's use of the term "meaningful use" is applied to EHRs, its usage may be interpreted by some to also include some aspects of laboratory information systems. To the extent that it may apply, we include information on it here.

Meaningful use

The main components of Meaningful Use are:

  • The use of a certified EHR in a meaningful manner, such as e-prescribing.
  • The use of certified EHR technology for electronic exchange of health information to improve quality of health care.
  • The use of certified EHR technology to submit clinical quality and other measures.

In other words, providers need to show they're using certified EHR technology in ways that can be measured significantly in quality and in quantity.[2]

The meaningful use of EHRs intended by the US government incentives is categorized as follows:

  • Improve care coordination
  • Reduce healthcare disparities
  • Engage patients and their families
  • Improve population and public health
  • Ensure adequate privacy and security

The Obama Administration's Health IT program intends to use federal investments to stimulate the market of electronic health records:

  • Incentives: to providers who use IT
  • Strict and open standards: To ensure users and sellers of EHRs work towards the same goal
  • Certification of software: To provide assurance that the EHRs meet basic quality, safety, and efficiency standards

The detailed definition of "meaningful use" is to be rolled out in 3 stages over a period of time until 2017. Details of each stage are hotly debated by various groups.[3]

Meaningful use Stage 1

The first steps in achieving meaningful use are to have a certified electronic health record (EHR) and to be able to demonstrate that it is being used to meet the requirements. Stage 1 contains 25 objectives/measures for Eligible Providers (EPs) and 24 objectives/measures for eligible hospitals. The objectives/measures have been divided into a core set and menu set. EPs and eligible hospitals must meet all objectives/measures in the core set (15 for EPs and 14 for eligible hospitals). EPs must meet 5 of the 10 menu-set items during Stage 1, one of which must be a public health objective.[4]


Core Requirements:

  1. Use computerized order entry for medication orders.
  2. Implement drug-drug, drug-allergy checks.
  3. Generate and transmit permissible prescriptions electronically.
  4. Record demographics.
  5. Maintain an up-to-date problem list of current and active diagnoses.
  6. Maintain active medication list.
  7. Maintain active medication allergy list.
  8. Record and chart changes in vital signs.
  9. Record smoking status for patients 13 years old or older.
  10. Implement one clinical decision support rule.
  11. Report ambulatory quality measures to CMS or the States.
  12. Provide patients with an electronic copy of their health information upon request.
  13. Provide clinical summaries to patients for each office visit.
  14. Capability to exchange key clinical information electronically among providers and patient authorized entities.
  15. Protect electronic health information (privacy & security)

Menu Requirements:

  1. Implement drug-formulary checks.
  2. Incorporate clinical lab-test results into certified EHR as structured data.
  3. Generate lists of patients by specific conditions to use for quality improvement, reduction of disparities, research, and outreach.
  4. Send reminders to patients per patient preference for preventive/ follow-up care
  5. Provide patients with timely electronic access to their health information (including lab results, problem list, medication lists, allergies)
  6. Use certified EHR to identify patient-specific education resources and provide to patient if appropriate.
  7. Perform medication reconciliation as relevant
  8. Provide summary care record for transitions in care or referrals.
  9. Capability to submit electronic data to immunization registries and actual submission.
  10. Capability to provide electronic syndromic surveillance data to public health agencies and actual transmission.

To receive federal incentive money, CMS requires participants in the Medicare EHR Incentive Program to "attest" that during a 90-day reporting period, they used a certified EHR and met Stage 1 criteria for meaningful use objectives and clinical quality measures. For the Medicaid EHR Incentive Program, providers follow a similar process using their state's attestation system.[5]

Meaningful use Stage 2

The government released its final rule on achieving Stage 2 of meaningful use in August 2012. Eligible providers need to meet 17 core objectives and three of six menu objectives in Stage 2, for 20 objectives in total. The required percentage of patient encounters that must meet each objective has generally increased over the Stage 1 objectives.

While Stage 2 focuses more on information exchange and patient engagement, many large EHR systems have this type of functionality built into their software, making it easier to achieve compliance. Also, for those eligible providers who have successfully attested to Stage 1, meeting Stage 2 should not be as difficult, as it builds incrementally on the requirements for the first stage.[6][7]

Meaningful use Stage 3

On March 20, CMS released its proposed rule for Stage 3 meaningful use.[8] These new rules focus on some of the tougher aspects of Stage 2 and require healthcare providers to vastly improve their EHR adoption and care delivery by 2018.[9]


Much of this section was re-used from


External links


  2. Centers for Medicare & Medicaid Services (Oct 12, 2011). "CMS EHR Meaningful Use Overview". EHR Incentive Programs. Retrieved 31 October 2011.
  3. "What is Meaningful Use?". Policy Researchers & Implementers. Retrieved 4 September 2013.
  4. "The official site for Health IT information". Retrieved 4 September 2013.
  5. Torrieri, Marisa (January 2012). "Dealing with Meaningful Use Attestation Aggravation". Physicians Practice.
  6. Anthony, Robert (30 August 2012). "Meaningful Use: Stage 2 Regulations Overview". CMS.
  7. Torrieri, Marisa (September 2012). "EHR Incentive Program: A Progress Report". Physicians Practice.
