On February 6, 2014, the U.S. Department of Health & Human Services’ (HHS) Centers for Medicare & Medicaid Services (CMS), Centers for Disease Control and Prevention (CDC), and Office for Civil Rights jointly published a final rule amending the HIPAA Privacy Rule and the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations to provide patients with direct access to laboratory test reports. HHS believes that a right to access these test reports under HIPAA is crucial to provide patients with vital information to empower them to better manage their health and take action to prevent and control disease. The amendments to both regulations become effective April 7, 2014, and HIPAA-covered laboratories must comply with the new right by October 6, 2014.

Under the currently enforced Privacy Rule, a patient’s right to access his or her protected health information (PHI) is limited with respect to PHI maintained by a CLIA laboratory or a CLIA-exempt laboratory. This limitation was included in the Privacy Rule because the existing CLIA regulations may prohibit such laboratories from disclosing this information. Currently, a CLIA laboratory may only disclose laboratory test results to three categories of individuals or entities: (1) the “authorized person,” (2) the health care provider who will use the test results for treatment purposes, and (3) the laboratory that initially requested the test. An “authorized person” is the individual authorized under state law to order or receive test results. If a state does not authorize patients to receive their test results, the patients must receive this information from their health care providers.

The final rule modifies the CLIA regulations to allow laboratories subject to CLIA, upon the request of a patient (or the patient’s personal representative), to provide access to completed test reports that – using the laboratory’s authentication process – can be identified as belonging to that patient. With respect to the Privacy Rule, the final rule removes the exceptions to a patient’s right of access related to CLIA and CLIA-exempt laboratories. Therefore, as of October 6, 2014, HIPAA-covered laboratories will be required to provide a patient or his or her personal representative with access, upon request, to the patient’s completed test reports, as well as to other PHI maintained in a designated record set. For purposes of the final rule, test reports are not part of a designated record set until they are “complete.” A test report is considered complete when all results associated with an ordered test are finalized and ready for release. These changes to the Privacy Rule preempt any contrary state laws that prohibit a HIPAA-covered laboratory from providing patients direct access to their completed test results.

In order to comply with the amended Privacy Rule, HIPAA-covered laboratories should develop and implement a policy and procedure to receive and respond to patient requests. Processing a request for a test report, either manually or electronically, will require completion of the following steps: (1) receipt of the request from the individual; (2) authentication of the identification of the individual; (3) retrieval of test reports; (4) verification of how and where the individual wants the test report to be delivered and provision of the report by mail, fax, email or other electronic means; and (5) documentation of test report issuance. Additionally, HIPAA-covered laboratories must revise their notice of privacy practices to inform patients of their right to access completed test reports, including a brief description of how to exercise the right, and removing any statements to the contrary.

This amendment to the regulations is consistent with OCR’s focus on improving patients’ rights under the Privacy Rule, and represents another important aspect of policy change and documentation efforts for HIPAA-covered entity providers.