HIPAA and CLIA Strengthen Rules on Direct Access to Laboratory Test Results
On February 6, 2014, the Centers for Medicare and Medicaid Services, Centers for Disease Control and Prevention, and Office for Civil Rights jointly released final rules that give individuals direct access to lab test results. The new rules have implications for hospital labs, including reference labs, and allow individuals (or a personal representative designated by the individual) to obtain test results directly from the lab. Previously, labs could only disclose test results to limited categories of entities and individuals, and an individual usually had to access test results through his or her health care provider. The final rules amend the Clinical Lab Improvement Amendments (CLIA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
HIPAA contains limited exceptions governing an individual’s right to access his or her protected health information (PHI), including an exception for PHI held by a CLIA-certified or CLIA-exempt lab. The new rules eliminate this lab test results exception with the effect that covered entity labs now have the same obligations as other covered entity health care providers with respect to individual’s rights to access PHI. This means that a lab will have to provide access to test results within thirty (30) days of the individual’s request.
The rules also affect hospital labs in reporting results to the hospital’s own patients. The new rules apply when a hospital lab is a reference lab, and the reference lab must also provide an individual access to reference lab test results. However, as noted in the comments to the new rules, requests made directly to a reference lab would likely be uncommon, as many individuals do not know that a reference lab is conducting the test.
Hospital labs typically follow the hospital’s HIPAA compliance plan and policies and procedures. Hospital labs should continue to follow HIPAA procedures, including verification procedures, to authenticate a request for the results. For example, the lab could ask for photo identification to verify the individual is the individual who provided the specimen. Labs should also follow HIPAA procedures regarding the form and format of how access is provided, including electronic copies, if feasible.
The new rules do not require that labs interpret test results and labs may continue to refer individuals back to the ordering or treating provider for further questions or discussions about the results. The new rules are effective April 7, 2014. Hospitals and labs should review current HIPAA policies and procedures and the entity’s Notice of Privacy Practice to ensure compliance with the new rules.