On February 6, 2014, the Centers for Medicare and Medicaid Services (CMS) and the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) issued a final rule amending the Clinical Laboratory Improvement Amendments of 1988 (CLIA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to provide individuals the right to access test reports directly from laboratories subject to HIPAA. The goal of the final rule is to provide individuals with a greater ability to access their health information, empowering them to take a more active role in managing their health and healthcare.

Under the final rule, HIPAA-covered labs must:

  • Disclose lab test results to individuals, in most cases, within 30 days of a request for such information. Labs are not required to disclose results to an individual if the individual did not request disclosure.
  • Comply with an individual’s request to have the lab transmit a copy of Protected Health Information (PHI) to another person or entity appropriately designated by the individual.
  • Verify the identity and authority of any person requesting access to lab test results as a personal representative of the individual. If the lab cannot verify the identity and authority, it may not release the test report.
  • Disclose test reports that the lab maintains even if the test report was created before the effective date of the final rules.
  • Subject to a narrow limitation, disclose test reports to the individual upon request even if the lab test is considered “sensitive,” i.e., tests for sexually transmitted disease, pregnancy test, etc…
  • Allow individuals to make requests for test reports directly to the lab and not require the individual to make the request to the healthcare provider.
  • Charge only the reasonable, cost-based copy fee permitted under the HIPAA Privacy Rule. HIPAA covered labs may not charge fees for verification, documentation, liability insurance, maintaining systems and other similar activities.
  • Revise their Notice of Privacy Practices by October 6, 2014 to inform individuals of their right to access PHI directly from HIPAA covered labs, include a brief description of how to exercise this right, and remove any contrary statements from the existing notice. Ordering providers are not required to update their privacy notices.
  • Not withhold an individual’s PHI because the individual has not paid the lab for services provided.

The Final Rule also explains what is not required:

  • With respect to employment-related testing, the CLIA regulations do not apply to the employer or entity that performs substance abuse testing for the purpose of employment screening where the results are merely used to determine compliance with conditions of employment.
  • CLIA labs that are not subject to HIPAA have discretion to provide individuals with direct access to lab test reports, subject to any applicable state laws that may limit access.
  • The final rule does not require labs to interpret test reports for individuals, although labs may provide additional education material regarding the test results if they choose to do so.

In the commentary, HHS says that effective April 7, 2014, the final rule preempts any state laws that prohibit individuals from having direct access to their test reports or that allow test results to go to directly to the patient only with provider approval. The rule does not preempt any state laws that require labs to provide access earlier than the 30-day requirement under the HIPAA Privacy Rule or state laws that prohibit parents and guardians from accessing the PHI of their minor children. HHS intends the final rule to provide labs with flexibility in setting up systems to receive, process, and respond to requests for access by individuals as long as those systems comply with the requirements of the HIPAA Privacy Rule. Specifically, labs that operate as part of a larger legal entity that is a hospital may continue to use the hospital’s already established mechanisms for providing access to individuals requesting their test reports from the hospital labs, provided those mechanisms comply with the access provisions of the HIPAA Privacy Rule. The final rule is effective on April 7, 2014. HIPAA-covered entities must comply with the rule by October 6, 2014. HIPAA-covered laboratories in all states, not just those that currently prohibit direct release of lab results to individuals, should review their existing policies and procedures for compliance with the new requirements under CLIA and HIPAA. Those labs that are not covered by HIPAA should also use this opportunity to examine whether to exercise their new authority to respond to requests of individuals for lab results.