Summary
The Centers for Medicare & Medicaid Services (CMS) published a
final rule on February 6 that will allow patients to have direct
access to their laboratory test results. Both the Clinical
Laboratory Improvement Amendments (CLIA) and the Health Insurance
Portability and Accountability Act (HIPAA) govern a patient's
direct access to laboratory test results. The final rule amends
CLIA regulations and the HIPAA Privacy Rule in order to provide
patients with greater access to their health information and
thereby empower individuals to take an active role in their
healthcare.
Changes to CLIA Regulations
CLIA establishes uniform quality standards for all laboratory
testing to ensure the accuracy, reliability and timeliness of
patient test results. Under CLIA, a "laboratory" is any
facility that does testing on human specimens to provide
information for the diagnosis, prevention, or treatment of disease
or impairment, or the assessment of health.See42 CFR
493.2. Formerly, laboratories subject to CLIA were allowed to
disclose test results only to: (1) a person responsible for using
the test results in the treatment context; (2) a referring
laboratory that initially requested the test; or (3) an
"authorized person," defined as an individual authorized
under state law to receive test results. State laws vary in their
definitions of "authorized persons" permitted to receive
laboratory test results, with some states specifically authorizing
disclosure to the patient, some specifically prohibiting direct
disclosure to the patient, some authorizing direct disclosure to
the patient only with the requesting provider's approval, and
others remaining silent on the issue. Where a state remains silent
on the issue or defines an "authorized person" only as a
health care provider, CLIA has restricted direct disclosure to the
patient. As a result, except for patients in states that expressly
authorize direct disclosure of test results to the patient, most
patients have only been able to access laboratory test results
through their health care provider.
Under the final rule, CLIA laboratories are now permitted to
provide test results directly to the patient, the patient's
personal representative, or a person designated by the patient, so
long as the laboratory can authenticate that the person requesting
the results is the person who provided the specimen. Unless the
laboratory is also subject to the HIPAA Privacy Rule (discussed
below), the laboratory subject to CLIA will not be
required to provide patients with access to test reports.
In addition, the laboratory will remain subject to state laws
affirmatively restricting direct patient access as the permissive
final rule is not contrary to these state restrictions and
therefore the state laws are not preempted.
CMS did not specify how to verify an individual's identity but
did cite the verification standard in the HIPAA Privacy Rule. The
Privacy Rule allows covered entities to use discretion in
determining means of verification, so long as reliance on those
means is reasonable. Verification may vary depending on how the
patient requests access (e.g., requiring photo
identification where the patient requests test results in person or
requesting authentication credentials when the patient requests
test results by form or over the phone). Likewise, the final rule
does not specify a format for a patient to request or receive
access to their test results, presuming that the requirements
already specified in the Privacy Rule will govern.
Changes to the Privacy Rule
The final rule also amends the HIPAA Privacy Rule. The Privacy
Rule requires covered entities to provide individuals the right to
access protected health information (PHI) that is maintained in a
designated record set. A laboratory is a "covered entity"
only if it conducts electronic covered transactions, such as
transmitting health care claims to a health plan, requesting prior
authorization from a health plan, or inquiring about an
individual's coverage to a health plan. A "designated
record set" includes laboratory test reports when the
laboratory falls under the definition of a covered entity. To
achieve consistency with CLIA regulations, an individual's
right of access under the Privacy Rule did not previously apply to
PHI maintained by laboratories in states with CMS-approved
laboratory programs exempt from CLIA certification -- currently
Washington and New York -- (CLIA-exempt laboratories) or
laboratories subject to CLIA if the provision of access to the
patient would be prohibited by law (i.e., all states
except those that expressly permitted direct disclosure to the
patient).
However, with the final rule's changes to the CLIA regulations
to remove the restriction on direct disclosure of test results to
patients, it is no longer necessary for the Privacy Rule to defer
to CLIA requirements. Therefore, the final rule amends the Privacy
Rule to remove the exceptions relating to CLIA and CLIA-exempt
laboratories. Now, CLIA or CLIA-exempt laboratories that are
covered entities have the same obligations as other covered health
care providers to provide individuals with access to their PHI,
including laboratory test results. This requirement will preempt
contrary state laws that prohibit laboratories from releasing test
results directly to the patient or that require the ordering
provider's consent. As with CLIA regulations, laboratories must
first satisfy the patient identity verification requirement of the
Privacy Rule before providing access to test results. Accordingly,
where a laboratory receives an anonymous test order, the laboratory
is under no obligation to provide access to the requesting
individual.
Conclusions
Under the final rule, laboratories are permitted release test
results to individual patients or their representatives and are
required to provide patients with these test results upon the
patient's request if the laboratory is a covered entity under
HIPAA. The final rule does not require laboratories to interpret
test results for patients or include any statement advising the
patient to seek the counsel of a physician. However, laboratories
are free to include such advisory statements or any other
explanatory or educational materials.
Implications for Clinical Research Testing. The
changes in the final rule may extend beyond routine diagnostic
testing and have a limited effect on clinical research testing.
CLIA regulations specifically exempt "[r]esearch laboratories
that test human specimens but do not report patient specific
results for the diagnosis, prevention, or treatment of any disease
or impairment of, or the assessment of the health of individual
patients."See42 CFR 493.3(b)(2). Thus, the changes to
CLIA regulations that preempt state law and permit individual
patient access to a laboratory's test results apply only where
the laboratory reports patient-specific results to another entity
and the results are available to be used for health care for
individual patients.
Moreover, it is important to remember that the Privacy Rule
remains applicable only to laboratories that are covered entities
under HIPAA. A laboratory is a covered entity only if it conducts
electronic covered transactions, such as transmitting health care
claims to a health plan, requesting prior authorization from a
health plan, or inquiring about an individual's coverage to a
health plan. Most research laboratories do not meet the definition
of a "covered entity" and therefore are not subject to
the Privacy Rule. Consequently, where CLIA regulations apply to
research laboratory testing but the Privacy Rule does not, the
research laboratory will only be permitted, not required, to
release a patient's test results directly to the patient,
subject to applicable state laws that restrict such access.
Implications for Notice of Privacy Practices. The
Privacy Rule requires a covered entity to revise its Notice of
Privacy Practices (NPP) to reflect any material changes.
Consequently, affected laboratories will need to revise NPPs to
inform individuals of their new rights and how to exercise them.
Previously, the Department of Health and Human Services Office of
Civil Rights (OCR) announced an enforcement delay for other NPP
revisions stemming from the Omnibus Rule implementing the Health
Information Technology for Economic and Clinical Health Act. This
delay was intended to allow covered entities to consolidate Omnibus
Rule NPP revisions with the requirements of these impending CLIA
revisions. OCR has not announced whether the publication of the
CLIA final rule will trigger the end of the NPP enforcement delay.
However, OCR has indicated that it will provide at least 30 days
advance notice of the end of the enforcement delay.
Implementation. The final rule is published in
the Federal Register as of February 6 and takes effect 60 days
after publication. Laboratories subject to HIPAA will have an
additional 180 days after publication of the final rule to come
into compliance and thereafter will be required to supply test
reports to patients within 30 days of any request. However, where
30 days may not be sufficient to complete the test performed or
prepare the report, the Privacy Rule allows covered entities to
gain an additional 30-day extension upon notifying the patient with
a description of the cause for delay.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.