On February 3 2014 the US Department of Health and Human Services (HHS) released a long-awaited final rule that amends the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy regulations to permit patients and their personal representatives to access laboratory test reports. By requiring expanded access, HHS rejects what some have characterised as "paternalistic" arguments that such reports are complicated and should be provided only through treating physicians. HHS justifies the rule as necessary in order to empower patients to take an active role in managing their health and healthcare. As anyone who has tried to interpret a laboratory test report can attest, whether the stated objectives of the new rule will be achieved has yet to be seen.

The new CLIA regulations specify that, upon the request of a patient (or the patient's personal representative), laboratories subject to CLIA may provide the patient, the patient's personal representative or a person designated by the patient, as applicable, with copies of completed test reports that, using the laboratory's authentication process, can be identified as belonging to that patient. Under prior regulations, test results could be released only to:

  • 'authorised persons', which in some states are defined as healthcare providers only;
  • the person responsible for using the test results in the treatment context; or
  • the laboratory that initially requested the test.

Thus, patients previously did not have direct access to their results. The final rule maintains these limitations, but adds an exception for access by patients, or their representatives, to laboratory test results.

The final rule additionally makes conforming changes to the HIPAA privacy regulations at 45 CFR § 164.524. Previously, the privacy regulations included an exception for CLIA-certified or CLIA-exempt laboratories to HIPAA's general requirement that patients have a right to access their protected health information contained in a designated record set. The final rule removes this exception, requiring that all laboratories subject to HIPAA must provide patients with access to their completed test results, generally within 30 days of the request. The rule pre-empts any contrary state law, but a state law that is "more stringent" – which in this case means more protective of patient rights (eg, requires the release of records within 15 days) – would remain effective. CLIA laboratories not subject to HIPAA maintain discretion as to whether to release test results to patients.

In order to provide flexibility, the final rule does not prescribe how laboratories must receive, process and respond to requests, as long as, for HIPAA-covered entities, the system complies with the requirements in the HIPAA privacy regulation (eg, requirements relating to timing, form and fee provisions). Under the rule, ordering physicians are encouraged but not required to inform patients of this new right of access. However, HIPAA-covered laboratories must revise their notice of privacy practices to inform patients of this new right and include a description of how to exercise the right by the compliance date of the final rule, which is 240 days after publication in the Federal Register. As noted in preamble of the rule, notice of privacy practices revisions should also reflect the notice of privacy practices changes required by the HIPAA omnibus rule promulgated in January 2013. For laboratories that have not historically provided direct patient access to laboratory test report, 240 days is a very short time to create the policies, procedures and other documentation necessary to achieve compliance with the new rule.

For further information on this topic please contact Anna Spencer or Barbara Cammarata at Sidley Austin LLP by telephone (+1 202 736 8000), fax (+1 202 736 8711) or email (aspencer@sidley.com or bcammarata@sidley.com). The Sidley Austin website can be accessed at www.sidley.com.