On February 3, 2014, the Department of Health and Human Services (HHS) took action to give patients or a person designated by the patient a means of direct access to the patient’s completed laboratory test reports.  The final rule is issued jointly by three agencies within HHS: the Centers for Medicare & Medicaid Services (CMS), which is generally responsible for laboratory regulation under CLIA, the Centers for Disease Control and Prevention (CDC), which provides scientific and technical advice to CMS related to CLIA, and the Office for Civil Rights (OCR), which is responsible for enforcing the HIPAA Privacy Rule.

“The right to access personal health information is a cornerstone of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule,” said Secretary Kathleen Sebelius. “Information like lab results can empower patients to track their health progress, make decisions with their health care professionals, and adhere to important treatment plans.”

The final rule amends the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations to allow laboratories to give a patient, or a person designated by the patient, his or her “personal representative,” access to the patient’s completed test reports on the patient’s or patient’s personal representative’s request.  At the same time, the final rule eliminates the exception under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to an individual’s right to access his or her protected health information when it is held by a CLIA-certified or CLIA-exempt laboratory.  While patients can continue to get access to their laboratory test reports from their doctors, these changes give patients a new option to obtain their test reports directly from the laboratory while maintaining strong protections for patients’ privacy.

Under the HIPAA Privacy Rule, patients, patients’ designees and patients’ personal representatives can see or be given a copy of the patients’ protected health information, including an electronic copy, with limited exceptions.  In doing so, the patient or the personal representative may have to put their request in writing and pay for the cost of copying, mailing, or electronic media on which the information is provided, such as a CD or flash drive.  In most cases, copies must be given to the patient within 30 days of his or her request.

The Department of Health and Human Services (HHS) published the Final Rule on February 6, 2014, amending regulations implementing the Clinical Laboratory Improvement Amendments of 1988 (CLIA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Final Rule takes effect on April 7, 2014. HIPAA covered entities must comply by October 6, 2014.

HIPAA-covered laboratories should:

  • Update the entity’s Notice of Privacy Practices to include the new right of access;
  • Modify policies and procedures to ensure an authentication process is in place for verifying the identity of the individual requesting PHI directly from the lab;
  • Ensure that access policies address an individual’s right to obtain access and to designate access to a third party, and the obligation to provide the individual (or individual’s designee) the PHI in the form requested (including in electronic format if it is readily producible);
  • Train workforce members on the new access rights and the new policies and procedures for providing an individual access and verifying identity; and,
  • Review applicable state law to determine whether there are conflicts with HIPAA (and if so, determine whether HIPAA preempts that state law).

Now is the time to review your forms and policies to be sure that they meet the many changes to the HIPAA rules which occurred in 2013.