College of American Pathologists
Printable Version

  Q & A





cap today

May 2005

Richard A. Savage, MD, Editor

Q.  Our hospital laboratory policy requires a repeat analysis of any critical values obtained by chemistry or hematology instrumentation. Our hematology analyzer samples the specimen once, then splits the sample into four parts and measures white blood cells in two channels by different methodologies. Hemoglobin is measured directly in one channel and is calculated from measured red blood cell values in another channel. The instrument performs various comparisons of values from each channel for verification.

With today's short labor supply and dwindling reimbursements, is it necessary to repeat critical WBC or hemoglobin results? One issue not addressed by double-channel analyses might be the poorly mixed specimen resulting in a diluted or concentrated sampling (when the automated sampling tray is not used). Is it necessary to rerun critical WBC and Hgb results in this setting?

A.  No regulatory requirement exists for automatic repeat analysis of critical values. As you pointed out, modern hematology analyzers are designed to detect interferences that may render a result unreliable, resulting in a flag being generated. Such flags might then warrant repeat analysis or additional manual review or troubleshooting, depending on the nature of the flag. The important point regarding critical values is that they require some sort of intervention to ensure the validity of the result. While repeating the analysis is not an inappropriate procedure, it may not always be necessary.

In your situation, in which a sample is mixed poorly, the results produced by the instrument will be internally consistent, so a flag will not be generated. However, if this is occurring at a substantial frequency in your laboratory, this problem may not be restricted to samples that generate critical values. All results would be suspect, and limiting repeats to only samples with critical values makes little sense. Instead, the logical extreme of this approach would be to replicate analyses of all samples. This, of course, is not only impractical but also medically unwarranted. A better approach would be to take steps to ensure that improperly mixed samples occur at an acceptably low rate. Introducing quality assurance measures into your processes at critical analytic checkpoints is much more efficient than attempting to catch errors at the output stage.

A reasonable approach to address your specific question would be to retrospectively or prospectively review the results of replicate analyses of your critical values and document the frequency with which spurious results were produced without your instrument generating flags. If this is an infrequent event, you can easily justify discontinuing your policy to replicate analyses of all critical values. What constitutes an acceptable error rate is a subjective decision for a medical director based on various local factors. If you find you have a problem with improperly mixed samples, I would recommend that you critically evaluate your processes to isolate the cause of the problem and adjust your procedures accordingly.

Steven Kroft, MD
Department of Pathology
University of Texas Southwestern Medical Center

Vice Chair, CAP Hematology/Clinical Microscopy Resource Committee

Q.  We report our laboratory results using a computer program called autofax, which sends the results to a dedicated fax machine in a secure location at the physician's office. The cover sheets accompanying each report are a paper burden for physicians' offices and have generated complaints. Must we use cover sheets with this automated process, or can each page have a header/footer stating the disclaimer of confidential information?

A.  The HIPAA privacy rule permits a health care provider, in this case the laboratory, to disclose protected health information to another health care provider (doctor's office) for treatment purposes. This can be done by fax or by other means. A health care provider must have in place reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of health information that is disclosed using a fax machine.

Measures that could be reasonable and appropriate in such a situation include the sender confirming that the fax number is, in fact, the correct one for the physician's office and the recipient of the information placing the fax machine in a secure location to prevent unauthorized access to the information.

If adequate safeguards are in place and there are assurances that the recipient is in compliance with those safeguards, the cover sheet typically is not necessary.

The basic test in determining compliance with this requirement is whether the health care provider has established clear administrative (sender confirming that the fax number is correct), physical (placement of the fax machine in a secure location) and technical safeguards as required under HIPAA. (See HIPAA rule 45 CFR § 164.530[c].)

Please be advised that the HIPAA privacy rule sets the standards for, among other things, who may have access to protected health information, or PHI, while the HIPAA security rule sets the standards for ensuring that only those who should have access to electronic PHI, or EPHI, will have access. In developing the security rule, which went into effect for most covered entities on April 20, the Department of Health and Human Services is similarly requiring covered entities to have in place appropriate administrative, physical, and technical safeguards and to implement those safeguards reasonably. As a result, covered entities that have implemented the privacy rule requirements in their organizations may find that they have already taken some of the measures necessary to comply with the security rule.

The primary distinction between the two rules is that the privacy rule applies to all forms of patients' protected health information, whether electronic, written, or oral, while the security rule covers only protected health information that is in electronic form. This includes EPHI that is created, received, maintained, or transmitted. For example, EPHI may be transmitted over the Internet or stored on a computer, CD, disk, or magnetic tape, or in another format. The security rule does not cover PHI that is transmitted or stored on paper or provided orally. Therefore, if paper-to-paper faxes were not in electronic form before the transmission, those activities are not covered by the security rule. However, the case of an automated fax stored in some electronic form—as outlined in the question—could be subject to the security rule requirements. For example, the security rule states that EPHI also includes faxback systems because they are used as input and output devices for computers.

Further clarification on the definition of "electronic media" is available in § 160.103 of the HIPAA security rule. Additional information on this rule is available on the Centers for Medicare and Medicaid Services Web site,

It should be noted that the information provided here is intended solely for education and communication purposes and does not constitute medical or legal advice. The CAP expressly disclaims any and all liability for the information provided.


Phil Bongiorno
CAP Assistant Director,
Public Health and Scientific Affairs