Today, the Centers for Medicare & Medicaid Services (CMS), the HHS Office for Civil Rights (OCR) and the Centers for Disease Control and Prevention (CDC) published a final rule in the Federal Register, amending the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations and the HIPAA Privacy Rule to provide patients with greater access to their lab test results. Until now, the CMS CLIA regulations and the HIPAA Privacy Rule could prevent patients from gaining access to test results maintained by labs subject to CLIA (or exempt from CLIA). The CLIA regulations prevented labs from providing test results directly to patients by limiting the persons to whom such test results could be provided to “authorized persons” (individuals authorized under state law to order and/or receive test results), persons responsible for using test results in the treatment context, and the lab that initially requested the test. If a state does not include patients as “authorized persons” to receive their own test results, the CLIA regulations precluded such labs from disclosing such results to them. The Privacy Rule exempted protected health information (PHI) maintained by covered entities that are CLIA-regulated labs (and labs exempted from CLIA) from the individual’s right of access to PHI. Under the new final rule, patients may request test reports directly from CLIA labs. As amended, the CLIA regulations permit a CLIA lab to provide, upon request, a patient and/or his/her personal representative (and any person designated by the patient) with access to completed test reports that, using the lab’s authentication process, can be identified as belonging to that patient. The Privacy Rule amendments require HIPAA-covered CLIA labs to provide such individuals and/or persons with access to PHI about the individual maintained in a designated record set, subject to the Privacy Rule’s requirements for verification of the identity and authority of the person making the request and for provision of access. Thus, the combination of the two provisions will essentially now require most CLIA labs to provide test results when requested by the patient; the prior limitation in CLIA no longer applies.
In the rule, the HHS agencies note that the rule applies to all test reports (or PHI) maintained by the CLIA lab that can be identified as belonging to the patient. Thus, labs must provide patients access to all such previous lab tests as well as those conducted after the rule goes into effect. Labs, however, are only required to provide tests that are “complete” as defined under CLIA.
The HHS agencies also responded to concerns expressed by commenters that individuals are unable to understand test reports without the advice of their physician and, thus, should not be able to obtain test reports directly from the labs. The agencies indicated that the rule changes would further encourage ordering and treating health care providers to more proactively discuss with patients the range of possible test results and what the results may mean for the patient before or at the time a test is ordered. Furthermore, under the Privacy Rule, the labs have 30 days (with a possible 30-day extension) to respond to a patient’s request for access. The agencies indicated that such time period should provide labs sufficient time to complete any tests and communicate the results to the requesting physician – and for the requesting physician to reach out to the patient to explain, and counsel the patient about, the test results. The agencies made it clear that the labs are not required to interpret test results for the patient. HHS declined to create any additional Privacy Rule exceptions to the right of access based on concerns about potential harm arising from an individual’s inability to understand the test results, noting that existing exceptions address and appropriately balance an individual’s right of access to his/her PHI with other considerations, including the potential for harm. The Privacy Rule permits a request for access to be denied if provision of access would endanger the life or physical safety of the individual or another person.
Patient authentication presents challenges specific to labs because they often have limited (or no) direct contact with the patient. Labs are only required to provide the individual with access to reports to the extent a lab can authenticate the test belongs to the patient. When the lab can authenticate that the test results belong to a particular patient, the lab should also have at least some basic information about the patient (such as name, date of birth, date specimen was collected, etc.), with which it can also verify the identity of the requestor. The HIPAA Privacy Rule also requires HIPAA-covered labs to verify the identity and authority of the person making the request to access the patient’s records. The agencies note that reference labs, including those operated by hospitals, must comply with the rule even if they have no patient contact and that labs cannot require patients to request test results through their providers. The agencies note, however, that the rule changes do not affect the ability of CLIA labs to continue anonymous testing: In the case of anonymous testing, if a lab cannot authenticate that the requesting individual is the subject of the test report, it would have no obligation, under CLIA or HIPAA, to provide access.
HIPAA covered CLIA labs are required to update their Notices of Privacy Practices (NPP) to inform individuals of their right to access PHI maintained by the lab, to provide a brief description of how to exercise that right, and to remove any statements to the contrary. Such notices must be updated by the HIPAA compliance date of October 6, 2014. Pursuant to an exercise of enforcement discretion, such CLIA labs were permitted to take until the compliance date for this rule to revise their NPP to reflect changes required under the HIPAA/HITECH Act Omnibus Rule. Accordingly, if such labs have not yet updated their NPPs under the Omnibus Rule, they have until that date to do so.
The amendments made by the final rule become effective April 7, 2014. Compliance with the amended Privacy Rule provisions is required by October 6, 2014.