In a final rule published on February 6, 2014, the Department of Health and Human Services (HHS) amended the Clinical Laboratory Improvement Amendments (CLIA) regulations and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to provide individuals or their designated representatives with greater access to their laboratory test results directly from clinical laboratories, in most cases, within 30 days from the request. 

With the Final Rule’s amendments to the CLIA regulations, laboratories subject to CLIA may provide access to completed test reports upon request by a patient or the patient’s personal representative if the reports can be authenticated as belonging to the patient.  In the Final Rule, HHS also made conforming amendments to the HIPAA Privacy Rule by removing exceptions to an individual’s right of access that relate to CLIA and CLIA-exempt laboratories.  Laboratories subject to HIPAA now have the same obligations as other types of covered health care providers with respect to providing individuals (or their personal representatives) with direct access to their laboratory report when the laboratory is able to authenticate that the report pertains to the patient.  As explained by HHS, the changes to the Privacy Rule preempt state laws that prohibit a laboratory subject to HIPAA from releasing a test report directly to the individual or that prohibit the release without the ordering provider’s consent.  CLIA laboratories not subject to HIPAA have discretion to provide patients with direct access to their laboratory test reports, subject to applicable state laws that limit access.

In responding to comments to the proposed rule on the subject, HHS stated, among other things, that:

  • the right of an individual to receive information about himself or herself extended to information maintained by laboratories offsite, archived, or created before the publication or effective date of the Final Rule but also noted that the Final Rule did not change applicable record retention requirements under the Privacy Rule;   
  • the Final Rule does not require laboratories to interpret test reports for individuals;  
  • treating health care providers are encouraged, but not required, to inform individuals of their right to receive test reports directly from laboratories;   
  • by the compliance date of the Final Rule, HIPAA-covered laboratories must revise their notices of privacy practices to inform individuals of their right to direct information access, to include a brief description of how to exercise this right, and to remove statements to the contrary;   
  • laboratories that operate as part of a larger legal entity that is a hospital or that are part of an affiliated covered entity or organized health care arrangement with a hospital may still use their established mechanisms for providing access to individuals requesting their test reports from the hospital laboratories, such as through patient portals, as long as such mechanisms are compliant with access provisions of the Privacy Rule; and   
  • laboratories that are not part of a hospital need to establish their own process for providing individuals with direct access to their protected health information in accordance with the Privacy Rule, even if the laboratories’ test reports are otherwise available to an individual through an unaffiliated treating hospital or provider’s patient portal or other access mechanism.

Many commenters also expressed concerns about providing individuals access to test results without any explanation of such results.  HHS stated that the Final Rule does not eliminate the role or obligation of the treating or ordering provider to consult with patients regarding test results and also suggested the Final Rule should encourage providers to discuss the meanings of potential lab results at the time tests are ordered.  In light of this Final Rule, laboratories subject to HIPAA also should carefully review the Privacy Rule to ensure that required disclosures to patients or patient representatives are made in conformance with the Privacy Rule.  The CLIA regulatory modifications take effect April 7, 2014, while the compliance date of the amendments to the Privacy Rule is October 6, 2014.  A CMS Fact Sheet on the Final Rule is available here.