What the FDA's laboratory developed test rule means for HIPAA compliance

According to the US Food and Drug Administration (FDA), “On May 6, 2024, the FDA issued a final rule aimed at helping to ensure the safety and effectiveness of laboratory developed tests (LDTs). The rule amends the FDA's regulations to make explicit that in vitro diagnostic products (IVDs) are devices under the Federal Food, Drug, and Cosmetic Act (FD&C Act), including when the manufacturer of the IVD is a laboratory. 

Furthermore, “The FDA is finalizing a policy under which the FDA will provide greater oversight of IVDs offered as LDTs through a phaseout of its general enforcement discretion approach for LDTs over the course of four years, as well as targeted enforcement discretion policies for certain categories of IVDs manufactured by laboratories.”

Understanding laboratory developed tests

The FDA states that, “LDTs are in vitro diagnostic products (IVDs) that are intended for clinical use and are designed, manufactured, and used within a single laboratory that is certified under the Clinical Laboratory Improvement Amendments of 1988 (CLIA) and meets the regulatory requirements under CLIA to perform high complexity testing. IVDs are intended for use in the collection, preparation, and examination of specimens taken from the human body, such as blood, saliva, or tissue. LDTs, like other IVDs, can be used to measure or detect a wide variety of substances or analytes in the human body, such as proteins, glucose, cholesterol, or DNA, to provide information about a patient's health, including to diagnose, monitor, or determine treatment for diseases and conditions.”

According to the FDA When they  initially implemented the Medical Device Amendments of 1976, they largely chose not to require standards for LDTs, under what's referred to as "enforcement discretion." But LDTs now are much riskier than LDTs decades ago. Early LDTs were often lower risk, used in smaller amounts, and addressed specialized regional patient needs. Modern business and technological advances in specimen transport altered the scene - today's LDTs are conducted more prevalently across diverse populations, large labs receiving samples across the country. These tests increasingly depend upon sophisticated technology and software, run in high numbers, and quite often guide important healthcare decisions.

The FDA now gradually phased out this enforcement discretion policy in regard to LDTs. This new policy aims to better protect public health by ensuring safety and effectiveness for LDTs, while, at the same time,balancing key considerations involving patient accessibilities and existing use of these tests.

The FDA's laboratory developed test rule

The FDA's LDT Rule aims to bring LDTs under one regulatory system with other medical devices, requiring:

• Premarket review for moderate and high-risk tests
• Test registration and listing with the FDA
• Reporting adverse events
• Compliance with quality system regulations
• Labeling regulations

According to the FDA their logic for this realignment is based on concerns related to patient safety and diagnostic correctness. Because LDTs have become more sophisticated and are more frequently used in life-or-death medical decisions, the agency asserts that it needs to exert stricter control over these tests to assure they are safe, effective, and trustworthy.

The case for FDA oversight

In the article "Navigating the New Norm: The FDA's Final Rule on Laboratory Developed Tests (LDTs) and Its Impact on Clinical Laboratory Operations" by Rob E. Carpenter, there are several convincing reasons as to why LDTs should fall under greater regulatory oversight:

• Patient safety: According to the article Dr. Jeff Shuren, director of the FDA's Center for Devices and Radiological Health (CDRH) highlights that, the rule is "designed to protect patients from faulty tests by requiring more rigorous validation." The FDA aims to ensure all diagnostic tests, including LDTs, meet the same standards of safety and efficacy to protect patient health.
• Consistency in standards: The FDA's rule seeks to "categorize in vitro diagnostics (IVDs) used as LDTs under the same stringent oversight applied to other medical devices," creating a level playing field where all diagnostic tests are held to similar standards for demonstrating safety and efficacy.
• Evidence-based medicine: Through more validation and oversight processes, the FDA intends to "not only enhance patient safety but also foster innovation by ensuring that new IVDs introduced to the market are both safe and effective," giving healthcare providers more confidence in test results.
• Evolving complexity: Modern LDTs have undergone a lot of transformation since the 1970s and 1980s when they originated. Today's tests "increasingly rely on high-tech instrumentation and software, are performed in large volumes, and are frequently used to guide critical health care decisions," warranting additional scrutiny beyond what CLIA provides.

Industry pushback and concerns 

From Rob E. Carpenter's article, we can also determine the concerns and reasons behind the industry’s pushback against greater regulatory oversight of LDTs:

• Innovation impact: "Some stakeholders have raised concerns that the new rule may slow down the development of new tests and limit laboratories' ability to tailor diagnostics to evolving pathogens," potentially stifling innovation, particularly for emerging infectious diseases.
• Regulatory redundancy: Many laboratories already operate under CLIA certification to conduct high complexity testing and are often accredited by the College of American Pathologists (CAP). This accreditation is "recognized by the Centers for Medicare & Medicaid Services (CMS), allowing CAP-accredited labs to bypass CMS inspections," suggesting existing oversight may be sufficient.
• Access to testing: "Laboratories fear that the stringent requirements may stifle their ability to respond quickly to public health emergencies," similar to their important role during the COVID-19 pandemic when "LDTs rapidly filled gaps left by traditional diagnostic development pipelines."
• Laboratory expertise: The role of LDTs was "starkly recognized during the recent COVID-19 pandemic," demonstrating "their critical role in responding to urgent public health needs" through laboratories' specialized capabilities to develop and deploy tests quickly.
• Implementation timelines: In response to concerns, "The U.S. House Appropriations Committee has requested that the FDA suspend its implementation of the new rule," expressing concerns that the rule "could disrupt patient care and innovation in diagnostic testing," and suggesting that a legislative solution might be more appropriate.
  
  

HIPAA compliance and laboratory testing

While FDA regulation focuses on test validation and safety, the Health Insurance Portability and Accountability Act (HIPAA) regulations address another vital aspect of laboratory operation: patient data privacy and security. HIPAA compliance remains necessary regardless of the regulatory status of the tests being run.

HIPAA requirements for laboratories

Patient specimen and information-processing labs must satisfy several primary HIPAA requirements:

• Privacy Rule: Restricts the disclosure and use of protected health information (PHI) and gives patients rights to their health information.
• Security Rule: Mandates adequate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and security of electronic PHI.
• Breach Notification Rule: Requires notice following a breach of unsecured PHI.
• Minimum Necessary Standard: Requires that a covered entity make reasonable efforts to use, disclose, and request only the minimum of PHI necessary to obtain the intended purpose.

The intersection of FDA regulation and HIPAA compliance

Data management challenges

• Test validation data may contain patient information requiring protection
• Quality control records may include PHI 
• Adverse event reporting may involve confidential patient details
• Electronic records systems need to meet both FDA and HIPAA requirements simultaneously

Risk assessment integration

• The FDA's LDT classification system separates tests by risk to patients if results are not accurate
• HIPAA requires risk analyses to identify vulnerabilities to PHI

Documentation and record-keeping

• FDA documents emphasize validation of tests, performance characteristics, and quality control
• HIPAA documentation focuses on policies, procedures, and evidence of privacy and security controls

Implementation strategies for dual compliance

1. Integrated quality management systems

• Design control and validation processes that protect patient privacy
• Document control systems that provide both test integrity and data security
• Training programs that address both regulatory frameworks
• Change management processes that evaluate impacts on both test performance and data privacy

2. Risk-based prioritization

• Identify major-risk tests worthy of priority focus under the FDA model
• Recognize data flows with high privacy concerns.
• Assign resources to fill the most important compliance gaps
• Create phased implementation plans that focus on important areas

3. Technology solutions

• Automated documentation of test validation
• Secure data handling with appropriate access controls
• Audit trail capability that complies with FDA as well as HIPAA requirements
• Electronic signatures that are FDA's 21 CFR Part 11 compliant
• Encryption and data security protocols that satisfy HIPAA standards

4. Collaborative governance

• Track new test development using both regulatory lenses
• Evaluate technology implementations for dual compliance
• Develop consolidated policies and procedures
• Monitor new regulatory guidance and industry best practices

Economic and operational impacts

The economic and operational consequences of the FDA's new regulations are mentioned in "Navigating the new norm: The FDA's final rule on laboratory developed tests (LDTs) and its impact on clinical laboratory operations." Within this article on ScienceDirect, several considerations for laboratories faced with implementation issues and resource needs are provided:

• Implementation costs: "The implementation of these regulations will potentially increase the demand for resources in several areas. Laboratories will likely require additional financial resources to update or implement quality management systems and processes that meet the FDA's compliance standards."
• Staffing requirements: "Laboratories may need to hire additional quality assurance specialists or regulatory affairs professionals to manage these systems effectively."
• Regulatory burden: "The regulations could introduce several bottlenecks, particularly in areas such as the PMA process for high-risk IVDs, and the increased documentation and reporting requirements."
• Strategic considerations: "By not requiring premarket review and certain QS requirements for LDTs marketed before May 6, 2024, laboratories potentially avoid the substantial costs associated with these processes."

Impact on healthcare innovation and access

The article "Navigating the new norm: The FDA's final rule on laboratory developed tests (LDTs) and its impact on clinical laboratory operations" provides an important perspective on how the new regulations might affect healthcare innovation and patient access to diagnostic testing. The balance between regulatory oversight and maintaining innovation capacity remains a concern:

• Innovation concerns: "This increased regulatory scrutiny is viewed by some as a potential barrier to innovation and accessibility in developing new diagnostic tests, particularly for emerging infectious diseases."
• Healthcare response: "Laboratories fear that the stringent requirements may stifle their ability to respond quickly to public health emergencies, similar to their crucial role during the COVID-19 pandemic."
• Competitive advantage: "Laboratories that can continue to offer their LDTs with minimal modification also enjoy a competitive advantage. As they are not bogged down by new compliance costs and processes, they can respond more agilely to market needs and opportunities."
• Long-term innovation: "With the saved resources and reduced immediate regulatory pressures, laboratories can invest more in innovation. This could mean improving existing tests, developing new ones, or investing in advanced technologies that enhance test accuracy and patient outcomes."

FAQs

What is HIPAA?

HIPAA (Health Insurance Portability and Accountability Act) is a U.S. federal law that sets standards for protecting sensitive patient health information.

What is the FDA?

The FDA (Food and Drug Administration) is a U.S. agency responsible for regulating food, drugs, medical devices, and other health-related products and services.

What are in vitro diagnostic devices (IVDs)?

IVDs are tests performed on samples taken from the human body, like blood or tissue, to detect diseases or conditions.

What is CLIA certification?

CLIA (Clinical Laboratory Improvement Amendments) certification ensures laboratories meet quality standards for testing human specimens.

What is the difference between LDTs and other diagnostic tests?

LDTs are developed and used within a single CLIA-certified lab, while other tests are commercially manufactured and widely distributed.