On February 3, 2014, the U.S. Department of Health and Human Services (HHS) released a long-awaited final rule that amends the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy regulations to permit patients and their personal representatives to access laboratory test reports. By requiring expanded access, HHS rejects what some have characterized as “paternalistic” arguments that such reports are complicated and should be provided only through treating physicians. HHS justifies the rule as necessary to empower patients to take an active role in managing their health and health care. As anyone who has tried to interpret a laboratory test report can attest, whether the stated objectives of the new rule will be achieved has yet to be seen.
The new CLIA regulations specify that, upon the request of a patient (or the patient’s personal representative), laboratories subject to CLIA may provide the patient, the patient’s personal representative, or a person designated by the patient, as applicable, with copies of completed test reports that, using the laboratory’s authentication process, can be identified as belonging to that patient. Under prior regulations, test results could only be released (1) to “authorized persons,” which in some states is defined as only a healthcare provider, (2) to the person responsible for using the test results in the treatment context, or (3) the laboratory that initially requested the test; thus, patients previously did not have direct access to the results. The final rule maintains these limitations, but adds an exception for access by patients, or their representatives, to laboratory test results.
The final rule additionally makes conforming changes to the HIPAA privacy regulations at 45 C.F.R. § 164.524. Previously, the privacy regulations included an exception for CLIA-certified or CLIA-exempt laboratories to HIPAA’s general requirement that patients have a right to access their protected health information contained in a designated record set. The final rule removes this exception, requiring that all laboratories subject to HIPAA must provide patients with access to their completed test results, generally within 30 days of the request. The rule preempts any contrary state law, but a state law that is “more stringent,” which in this case means more protective of patient rights (e.g., requires the release of records within 15 days), would remain effective. CLIA laboratories not subject to HIPAA maintain discretion as to whether they release test results to patients.
In order to provide flexibility, the final rule does not prescribe how laboratories must receive, process, and respond to requests, as long as, for HIPAA covered entities, the system complies with the requirements in the HIPAA privacy regulation (e.g., requirements relating to timing, form, and fee provisions). Under the rule, ordering physicians are encouraged, but not required, to inform patients of this new right of access. However, HIPPA-covered laboratories must revise their notice of privacy practices (NPP) to inform patients of this new right and include a description of how to exercise the right by the compliance date of the final rule, which is 240 days after publication in the Federal Register. As noted in preamble of the rule, NPP revisions should also reflect the NPP changes required by the HIPAA Omnibus rule promulgated in January 2013. For laboratories that have not historically provided direct patient access to laboratory test report, 240 days is a very short time to create the policies, procedures and other documentation necessary to achieve compliance with the new rule.