HIPAA covered laboratories and hospitals with laboratories subject to the Clinical Laboratory Improvement Amendments of 1988 (“CLIA”) must comply with changes to the HIPAA Privacy Rule that provide patients with direct access to laboratory test results by October 6, 2014.  Earlier this year, the Centers for Medicare & Medicaid Services, the HHS Office for Civil Rights and the Centers for Disease Control and Prevention published a final rule amending the CLIA regulations and the HIPAA Privacy Rule to provide patients with greater access to their lab test results.  As we previously blogged, patients may now request test reports directly from CLIA labs.  As amended, the CLIA regulations, which are now effective, permit a CLIA lab to provide, upon request, a patient and/or his/her personal representative (and any person designated by the patient) with access to completed test reports that, using the lab’s authentication process, can be identified as belonging to that patient.  Beginning October 6, 2014, the Privacy Rule amendments (which eliminated an exemption for PHI held by CLIA labs) require HIPAA covered CLIA labs to provide individuals and/or their personal representatives with access to protected health information (“PHI”) about the individual maintained in a designated record set under the Privacy Rule provisions establishing the individual’s right of access to PHI (“access rights”).  Thus, the combination of the two provisions now require most CLIA labs to provide test results (and any other PHI they maintain) when requested by the patient.  Labs that are not covered by HIPAA may provide a patient and/or his/her personal representative (and any person designated by the patient) with access to completed test reports, but are not required to do so.  (For more information on the final rule and how the new requirements interact with the Privacy Rule’s requirements for verification of the identity and authority of those exercising the access right, please see our February 6, 2014 blog post referenced above.)

As amended, the Privacy Rule preempts state laws that prohibit labs from releasing test results to patients or prohibit labs from releasing test results to patients without the consent of the ordering provider.  HIPAA covered CLIA labs must now release test results despite those state law prohibitions; labs not covered by HIPAA may remain subject to such state law prohibitions.  Keep in mind that state laws may provide patients with even greater access to lab test results.  For example, some state laws may require labs to release lab test results (or require health care providers, generally, to provide PHI or patient records) to patients in less time than the 30 days mandated by the Privacy Rule.  In these situations, state law applies – because HIPAA does not preempt “more stringent” state laws, including laws that provide greater access rights – and the lab must provide access to the information in the shorter time frame provided by applicable state law.

CLIA labs should review and update their policies and procedures applicable to the exercise of individuals’ right to access their PHI, including lab test results, for compliance issues.  Because HIPAA covered entities are required to update their Notices of Privacy Practices (“NPP”) whenever there is a “material change” to any of their privacy practices, including changes to a patient’s right to access their PHI, such labs must also update their NPPs to inform individuals of their right to access PHI maintained by the lab, to provide a brief description of how to exercise that right, and to remove any statements in the NPP to the contrary.

The agencies have noted they do not expect hospital labs to encounter significant operational issues because hospitals already have policies and procedures in place to comply with the Privacy Rule’s access provisions. Hospital labs should generally be able to rely on the hospital’s policies and procedures for compliance with the new rules.  Nevertheless, hospitals should review any general – or lab-specific – policies and procedures on the release of information and rescind any provisions which exempt PHI in lab records from release under the Privacy Rule’s access rights.  While it may be unlikely that hospital NPPs would note that such PHI was exempted from individuals’ right to access PHI, hospitals should review their NPPs – and any hospital lab specific NPPs – to ensure that they are consistent with the amended Privacy Rule.

HIPAA covered CLIA labs and hospital with such labs should consider providing training, so that lab personnel – and any other personnel responsible for handling patient requests for records – are aware of the change in the Privacy Rule and the corresponding changes to the applicable policies and procedures, and appropriately handle patient requests for lab test results.  For example, hospital labs might wish to coordinate with the hospital’s existing HIPAA process to handle patients’ requests for lab test results, especially as HHS provides the same denial and appeal rights for lab test results as for other types of PHI.

As noted by HHS, patient access to lab test results can assist patients in becoming educated participants in their own care.  As the HIPAA Privacy Rule has now expanded the scope of PHI to which patients have access, HIPAA covered labs should update their policies and procedures in order to facilitate patient rights under HIPAA.