United States: New CMS Rule Provides Direct Patient Access To Laboratory Results

Last Updated: February 20 2014
Article by Peter A. Blenkinsop and Krissa Webb


The Centers for Medicare & Medicaid Services (CMS) published a final rule on February 6 that will allow patients to have direct access to their laboratory test results. Both the Clinical Laboratory Improvement Amendments (CLIA) and the Health Insurance Portability and Accountability Act (HIPAA) govern a patient's direct access to laboratory test results. The final rule amends CLIA regulations and the HIPAA Privacy Rule in order to provide patients with greater access to their health information and thereby empower individuals to take an active role in their healthcare.

Changes to CLIA Regulations

CLIA establishes uniform quality standards for all laboratory testing to ensure the accuracy, reliability and timeliness of patient test results. Under CLIA, a "laboratory" is any facility that does testing on human specimens to provide information for the diagnosis, prevention, or treatment of disease or impairment, or the assessment of health.See42 CFR 493.2. Formerly, laboratories subject to CLIA were allowed to disclose test results only to: (1) a person responsible for using the test results in the treatment context; (2) a referring laboratory that initially requested the test; or (3) an "authorized person," defined as an individual authorized under state law to receive test results. State laws vary in their definitions of "authorized persons" permitted to receive laboratory test results, with some states specifically authorizing disclosure to the patient, some specifically prohibiting direct disclosure to the patient, some authorizing direct disclosure to the patient only with the requesting provider's approval, and others remaining silent on the issue. Where a state remains silent on the issue or defines an "authorized person" only as a health care provider, CLIA has restricted direct disclosure to the patient. As a result, except for patients in states that expressly authorize direct disclosure of test results to the patient, most patients have only been able to access laboratory test results through their health care provider.

Under the final rule, CLIA laboratories are now permitted to provide test results directly to the patient, the patient's personal representative, or a person designated by the patient, so long as the laboratory can authenticate that the person requesting the results is the person who provided the specimen. Unless the laboratory is also subject to the HIPAA Privacy Rule (discussed below), the laboratory subject to CLIA will not be required to provide patients with access to test reports. In addition, the laboratory will remain subject to state laws affirmatively restricting direct patient access as the permissive final rule is not contrary to these state restrictions and therefore the state laws are not preempted.

CMS did not specify how to verify an individual's identity but did cite the verification standard in the HIPAA Privacy Rule. The Privacy Rule allows covered entities to use discretion in determining means of verification, so long as reliance on those means is reasonable. Verification may vary depending on how the patient requests access (e.g., requiring photo identification where the patient requests test results in person or requesting authentication credentials when the patient requests test results by form or over the phone). Likewise, the final rule does not specify a format for a patient to request or receive access to their test results, presuming that the requirements already specified in the Privacy Rule will govern.

Changes to the Privacy Rule

The final rule also amends the HIPAA Privacy Rule. The Privacy Rule requires covered entities to provide individuals the right to access protected health information (PHI) that is maintained in a designated record set. A laboratory is a "covered entity" only if it conducts electronic covered transactions, such as transmitting health care claims to a health plan, requesting prior authorization from a health plan, or inquiring about an individual's coverage to a health plan. A "designated record set" includes laboratory test reports when the laboratory falls under the definition of a covered entity. To achieve consistency with CLIA regulations, an individual's right of access under the Privacy Rule did not previously apply to PHI maintained by laboratories in states with CMS-approved laboratory programs exempt from CLIA certification -- currently Washington and New York -- (CLIA-exempt laboratories) or laboratories subject to CLIA if the provision of access to the patient would be prohibited by law (i.e., all states except those that expressly permitted direct disclosure to the patient).

However, with the final rule's changes to the CLIA regulations to remove the restriction on direct disclosure of test results to patients, it is no longer necessary for the Privacy Rule to defer to CLIA requirements. Therefore, the final rule amends the Privacy Rule to remove the exceptions relating to CLIA and CLIA-exempt laboratories. Now, CLIA or CLIA-exempt laboratories that are covered entities have the same obligations as other covered health care providers to provide individuals with access to their PHI, including laboratory test results. This requirement will preempt contrary state laws that prohibit laboratories from releasing test results directly to the patient or that require the ordering provider's consent. As with CLIA regulations, laboratories must first satisfy the patient identity verification requirement of the Privacy Rule before providing access to test results. Accordingly, where a laboratory receives an anonymous test order, the laboratory is under no obligation to provide access to the requesting individual.


Under the final rule, laboratories are permitted release test results to individual patients or their representatives and are required to provide patients with these test results upon the patient's request if the laboratory is a covered entity under HIPAA. The final rule does not require laboratories to interpret test results for patients or include any statement advising the patient to seek the counsel of a physician. However, laboratories are free to include such advisory statements or any other explanatory or educational materials.

Implications for Clinical Research Testing. The changes in the final rule may extend beyond routine diagnostic testing and have a limited effect on clinical research testing. CLIA regulations specifically exempt "[r]esearch laboratories that test human specimens but do not report patient specific results for the diagnosis, prevention, or treatment of any disease or impairment of, or the assessment of the health of individual patients."See42 CFR 493.3(b)(2). Thus, the changes to CLIA regulations that preempt state law and permit individual patient access to a laboratory's test results apply only where the laboratory reports patient-specific results to another entity and the results are available to be used for health care for individual patients.

Moreover, it is important to remember that the Privacy Rule remains applicable only to laboratories that are covered entities under HIPAA. A laboratory is a covered entity only if it conducts electronic covered transactions, such as transmitting health care claims to a health plan, requesting prior authorization from a health plan, or inquiring about an individual's coverage to a health plan. Most research laboratories do not meet the definition of a "covered entity" and therefore are not subject to the Privacy Rule. Consequently, where CLIA regulations apply to research laboratory testing but the Privacy Rule does not, the research laboratory will only be permitted, not required, to release a patient's test results directly to the patient, subject to applicable state laws that restrict such access.

Implications for Notice of Privacy Practices. The Privacy Rule requires a covered entity to revise its Notice of Privacy Practices (NPP) to reflect any material changes. Consequently, affected laboratories will need to revise NPPs to inform individuals of their new rights and how to exercise them. Previously, the Department of Health and Human Services Office of Civil Rights (OCR) announced an enforcement delay for other NPP revisions stemming from the Omnibus Rule implementing the Health Information Technology for Economic and Clinical Health Act. This delay was intended to allow covered entities to consolidate Omnibus Rule NPP revisions with the requirements of these impending CLIA revisions. OCR has not announced whether the publication of the CLIA final rule will trigger the end of the NPP enforcement delay. However, OCR has indicated that it will provide at least 30 days advance notice of the end of the enforcement delay.

Implementation. The final rule is published in the Federal Register as of February 6 and takes effect 60 days after publication. Laboratories subject to HIPAA will have an additional 180 days after publication of the final rule to come into compliance and thereafter will be required to supply test reports to patients within 30 days of any request. However, where 30 days may not be sufficient to complete the test performed or prepare the report, the Privacy Rule allows covered entities to gain an additional 30-day extension upon notifying the patient with a description of the cause for delay.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Krissa Webb
Similar Articles
Relevancy Powered by MondaqAI
In association with
Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions