On February 6, 2014, the U.S. Department of Health & Human
Services' (HHS) Centers for Medicare & Medicaid Services
(CMS), Centers for Disease Control and Prevention (CDC), and Office
for Civil Rights jointly published a final rule amending the HIPAA Privacy Rule and
the Clinical Laboratory Improvement Amendments of 1988 (CLIA)
regulations to provide patients with direct access to laboratory
test reports. HHS believes that a right to access these test
reports under HIPAA is crucial to provide patients with vital
information to empower them to better manage their health and take
action to prevent and control disease. The amendments to both
regulations become effective April 7, 2014, and HIPAA-covered
laboratories must comply with the new right by October 6, 2014.
Under the currently enforced Privacy Rule, a patient's right
to access his or her protected health information (PHI) is limited
with respect to PHI maintained by a CLIA laboratory or a
CLIA-exempt laboratory. This limitation was included in the Privacy
Rule because the existing CLIA regulations may prohibit
such laboratories from disclosing this information. Currently, a
CLIA laboratory may only disclose laboratory test results
to three categories of individuals or entities: (1) the
"authorized person," (2) the health care provider who
will use the test results for treatment purposes, and (3) the
laboratory that initially requested the test. An "authorized
person" is the individual authorized under state law to order
or receive test results. If a state does not authorize patients to
receive their test results, the patients must receive this
information from their health care providers.
The final rule modifies the CLIA regulations to allow
laboratories subject to CLIA, upon the request of a patient (or the
patient's personal representative), to provide access to
completed test reports that – using the laboratory's
authentication process – can be identified as belonging to
that patient. With respect to the Privacy Rule, the final rule
removes the exceptions to a patient's right of access related
to CLIA and CLIA-exempt laboratories. Therefore, as of October 6,
2014, HIPAA-covered laboratories will be required to
provide a patient or his or her personal representative with
access, upon request, to the patient's completed test reports,
as well as to other PHI maintained in a designated record set. For
purposes of the final rule, test reports are not part of a
designated record set until they are "complete." A test
report is considered complete when all results associated with an
ordered test are finalized and ready for release. These changes to
the Privacy Rule preempt any contrary state laws that prohibit a
HIPAA-covered laboratory from providing patients direct access to
their completed test results.
In order to comply with the amended Privacy Rule, HIPAA-covered
laboratories should develop and implement a policy and procedure to
receive and respond to patient requests. Processing a request for a
test report, either manually or electronically, will require
completion of the following steps: (1) receipt of the request from
the individual; (2) authentication of the identification of the
individual; (3) retrieval of test reports; (4) verification of how
and where the individual wants the test report to be delivered and
provision of the report by mail, fax, email or other electronic
means; and (5) documentation of test report issuance. Additionally,
HIPAA-covered laboratories must revise their notice of privacy
practices to inform patients of their right to access completed
test reports, including a brief description of how to exercise the
right, and removing any statements to the contrary.
This amendment to the regulations is consistent with OCR's
focus on improving patients' rights under the Privacy Rule, and
represents another important aspect of policy change and
documentation efforts for HIPAA-covered entity providers.
This article is presented for informational purposes only
and is not intended to constitute legal advice.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
A recently publicized settlement with the Office of Civil Rights of the U.S. Department of Health and Human Services highlights that it is not only important to have a HIPAA-compliant form of business associate agreement, but also to train staff to identify and carefully analyze when a BAA is required.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).