In an effort to further eliminate barriers to the exchange of health information and encourage a more active patient role in personal health care decisions, federal regulators have once again expanded HIPAA patient rights provisions. 

Last week, the U.S. Department of Health & Human Services Centers for Medicare & Medicaid Services (“CMS”), Centers for Disease Control and Prevention (“CDC”), and Office for Civil Rights (“OCR”) jointly published a final rule that will give patients or their personal representatives direct access to the patient’s completed laboratory test reports.  The final rule amends both the Clinical Laboratory Improvement Amendments of 1988 (“CLIA”) regulations and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule to allow individuals and their personal representatives the right to access test reports directly from laboratories.

Current Access Rights to Lab Test Reports

CLIA regulations permit a CLIA laboratory to disclose laboratory test results to three categories of individuals or entities:  (1) the “authorized person,” (2) the person responsible for using the test results in the treatment context, and (3) the laboratory that initially requested the test.  “Authorized person” is defined as the individual authorized under state law to order or receive test results, or both.  In states that do not allow individuals to access their own test results, the individuals must receive their test results through their health care providers.

The Privacy Rule provides individuals and their personal representatives with a right of access to inspect and obtain a copy of protected health information (“PHI”) about the individual in a designated record set.  Laboratory reports maintained by or for a laboratory are part of the designated record set.  However, while individuals and personal representatives have the right to inspect and obtain a copy of their PHI in a designated record set, the current Privacy Rule includes exceptions related to CLIA.  Specifically, the access rights do not apply to PHI maintained by a covered entity that is (1) subject to CLIA to the extent the provision of access to the individual would be prohibited by law, or (2) exempt from CLIA.  These exceptions apply to test reports and other PHI only at CLIA and CLIA-exempt laboratories.

Expanded Access Provisions

Individuals and their personal representatives now will have the right to access their PHI directly from laboratories subject to HIPAA.  The final rule also removes federal barriers to direct access for laboratories not subject to HIPAA.

With respect to the CLIA regulations, the final rule permits laboratories subject to CLIA, upon the request of a patient or the patient’s personal representative, to provide access to completed test reports belonging to the patient.  The final rule retains the CLIA provision that requires the release of test reports only to “authorized persons,” the persons responsible for using the test reports, and to the laboratory that initially requested the test.  These CLIA modifications take effect April 7, 2014.

The final rule amends the Privacy Rule by removing the exceptions to an individual’s right of access related to CLIA and CLIA-exempt laboratories.  As a result, upon request, laboratories subject to HIPAA will be required to provide an individual or the individual’s personal representative with the individual’s competed test reports, as well as other information maintained in a designated record set, in accordance with the right of access provisions in the Privacy Rule. 

Because this change in an individual’s access rights constitutes a material change to the privacy practices of HIPAA-covered laboratories, these laboratories must promptly revise their notice of privacy practices (“NPPs”).  Thus, by the compliance date of this final rule, HIPAA-covered laboratories must revise their NPPs to inform individuals of this expanded right, include a brief description of how to exercise this right, and remove any statements to the contrary.  In addition, HIPAA-covered laboratories must make their revised NPPs available in accordance with the Privacy Rule.

The compliance date of the final rule is October 4, 2014.