Beginning April 7, 2014, a new federal rule entitled “CLIA Program and HIPAA Privacy Rule; Patients’ Access to Test Reports” (the Final Rule) will permit patients to directly access their personal laboratory test results that they were previously not eligible to access under some state laws. The Final Rule amends the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations and the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Final Rule is intended to encourage patients to work closely with their healthcare providers to understand their test results, and to assist patients in tracking their health progress, making informed decisions about their healthcare and adhering to important treatment plans.
The Final Rule will revise CLIA regulations pertaining to the release of patient test results. Prior to the Final Rule, a CLIA laboratory could only disclose laboratory test results to the following three categories:
- Authorized persons (defined as individuals authorized under state law to order and/or receive test results);
- Persons responsible for using the test results (e.g., physicians for treatment purposes); and
- The laboratory that initially requested the test.
With respect to number one above, if the applicable state law does not allow patients to directly access their personal test results, the patients must receive their test results through their healthcare providers, and not from the laboratory.
With the implementation of the Final Rule, CLIA will be revised such that upon request by a patient (or the patient’s personal representative), the laboratory may provide the patient, the patient’s personal representative and other persons designated by the patient with access to the patient’s completed test reports that, using the laboratory’s authentication processes, can be identified as belonging to that patient. While the Final Rule still permits the laboratory to disclose test results to the previously described three categories, it adds the patient and the patient’s personal representative to the list of approved recipients, regardless of whether a state law restricts patient access to the laboratory results. The revisions to CLIA apply to laboratory test results generated by the laboratory prior to and after the enactment of the Final Rule, however the Final Rule does not require the laboratory to implement new record-keeping requirements.
The Final Rule will revise the HIPAA Privacy Rule that governs patient access to “protected health information” (PHI for short). PHI is defined under HIPAA, in part, as health information that (i) is created or received by a healthcare provider (e.g., laboratory, physician, hospital), (ii) relates to the health or condition of an individual, (iii) identifies the individual (or with respect to which there is a reasonable basis to believe the information can be used to identify the individual) and (iv) is transmitted by or maintained in electronic media, or transmitted or maintained in another form or medium. Prior to the Final Rule, patients and their personal representatives generally had a right to inspect and obtain a copy of PHI about the patient, except for certain PHI, such as PHI subject to CLIA to the extent the provision of access was prohibited under law or was exempt from CLIA. These exceptions include laboratory test reports and other PHI only at CLIA and CLIA-exempt laboratories. While the patient and the patient’s personal representative could access this information from the treating physician, for example, such information could not be obtained directly from the laboratory under HIPAA.
With the implementation of the Final Rule, the exception that precluded patients and their personal representatives from having access to the patient’s PHI that was subject to CLIA to the extent the provision of access was prohibited under law or was exempt from CLIA, will be abolished. This means CLIA laboratories and CLIA-exempt laboratories will be obligated to provide patients and their personal representatives with access to laboratory test results that were previously not accessible to them. CLIA and CLIA-exempt laboratories still must verify the identity of the person requesting the PHI and the authority of such person to have access through the laboratory’s authentication processes. Additionally, in certain situations, a patient has the right to designate third parties with whom his/her PHI may be shared who would otherwise not have the independent right of access.
Action steps: What do I need to do to be compliant?
Beginning April 7, 2014, if a patient (or a patient’s personal representative) requests his/her laboratory test results, the laboratory may provide the results directly to the patient (or the patient’s personal representative).
Additionally, beginning Oct. 6, 2014 (180 days after the effective date), a laboratory that is a covered entity under HIPAA is required to comply with the HIPAA Privacy Rule’s provision regarding patient access to PHI and the laboratory will need to revise its Notice of Privacy Practices and privacy policies (e.g., HIPAA Privacy Policies and Procedures) to address these changes.
Click here to view the Final Rule.