HHS Amends CLIA to Broaden the Patient’s Access Rights to Lab Test Results

by Kathie McDonald-McClure and Elizabeth O’Keeffe

lab_specimensAs we have previously reported on the Wyatt HITECH Law blog on September 14, 2013 and September 23, 2011, the Department of Health and Human Services (HHS) has had in the works, for over two years now, revisions to the Clinical Laboratory Improvement Act of 1988 (CLIA) regulations concerning whether a lab may release test results directly to patients.  On February 3, 2013, HHS announced the release of a Final Rule (Final Rule) amending the CLIA regulations to allow laboratories to give a patient, or a person designated by the patient, his or her “personal representative”, access to the patient’s completed test reports upon the patient’s or patient’s personal representative’s request.  The Final Rule was issued jointly by three agencies within HHS: the Centers for Medicare & Medicaid Services (CMS), which is generally responsible for laboratory regulation under CLIA, the Centers for Disease Control and Prevention (CDC), which provides scientific and technical advice to CMS related to CLIA, and the Office for Civil Rights (OCR), which is responsible for enforcing the HIPAA Privacy Rule.

Broad patient access rights. Generally, under the HIPAA Privacy Rule, patients, patient’s designees and patient’s personal representatives have broad access rights to see or obtain a copy of the patient’s PHI, including an electronic copy, with limited exceptions one of which included direct access to lab test results.  Importantly, the Final Rule eliminates the exception under the HIPAA Privacy Rule that had limited an individual’s right to access his or her protected health information (PHI), including laboratory test reports, when such PHI is held by a CLIA-certified or CLIA-exempt laboratory.  While patients can continue to get access to their laboratory test reports from their doctors, patients now may request and obtain a copy of their test results directly from a CLIA laboratory and CLIA laboratories will be required to release these results irrespective of conflicting state laws, as further discussed below.

In announcing the Final Rule, HHS emphasized the importance of giving patients broad access rights to their PHI.  “The right to access personal health information is a cornerstone of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule,” said Secretary Kathleen Sebelius. “Information like lab results can empower patients to track their health progress, make decisions with their health care professionals, and adhere to important treatment plans.”

Meaningful Use Criteria.  The Medicare Electronic Health Records (EHR) Incentive Program, which was promulgated pursuant to the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), is actually credited with prompting a review of barriers that limit patient access to their PHI, leading to the proposal to amend the CLIA regulations to eliminate the barrier to a patient’s direct access to test results from the lab.  Specifically, the EHR Incentive Program’s Stage 1, Meaningful Use Menu Set Measure 5 of 10 requires physicians who apply for the EHR incentive payments to provide patients with electronic access to their health information, including lab results (among other things), within 4 business days of the information being available to the physician.  Once a physician advances to Stage 2, Meaningful Use Core Measure 7 of 17 requires the physician to provide patients with the ability to “view online, download and transmit” their health information (including laboratory test results) within 4 business days of the information being available to the physician.   Both of these Stage 1 and Stage 2 criteria provided an exception if federal, state or local laws restricted disclosure (the situation with the former CLIA law and several state laws), or if the physician believes that “substantial harm may arise from disclosing particular health information in this manner.”  The Final Rule alleviates the previous federal law restriction.  Does it also alleviate state law restrictions on disclosure?  And what about the release by a lab of sensitive test results directly to a patient? 

State Law Restrictions & Federal Preemption.  As we noted in our September 2011 Wyatt HITECH Law blog post, there are state law barriers regarding the direct release of test results that the proposed rule intended to remove.  Although many states do not expressly prohibit the lab from providing the test results directly to the individual patient, many of such states only expressly provide for the provision of lab test results to the ordering physician and remain silent on whether the lab can also provide the test results to the patient.  Accordingly, state regulators in some of these states have interpreted such silence as prohibiting the lab from releasing lab results directly to patients absent an express directive from the ordering physician that such a patient is an “authorized person.”  As we noted then, still other states expressly prohibit the provision of test results directly to the patient. (The Proposed Rule, page 17, provides a chart breaking down the status of state laws in regard to whether direct access to lab results by patients is allowed.)

HHS says that the Final Rule will not preempt “stricter” state privacy laws, meaning if the state law provides for broader patient access rights, then those rights will remain intact.  However, if a state law provides for more narrow access rights, then the Final Rule will preempt that state law.  For example, Kentucky law governing the release of test results states: “The results of a test shall be reported to the licensed health care provider who requested it.”  (KRS 333.150(1).)  The Final Rule may preempt this provision of Kentucky law to the extent that it restricts a lab from providing direct access to test results by a patient.

Access to Results Before Interpretation by Physician.  Some physicians were concerned that the direct release of test results by laboratories may be damaging to patients if the results may be misunderstood, of a highly sensitive nature, are incorrect, or suggest a devastating diagnosis.  Under the Final Rule, CLIA-laboratories cannot delay the release of test on the sole basis that the physician has not first communicated and interpreted the results for the patient.  The Final Rule notes that HIPAA gives laboratories up to 30 days to release results once a request is made.  In the Final Rule’s Preamble, HHS states: “[I]n cases where an individual requests access to completed test reports, we believe 30 days will generally be sufficient to allow the ordering or treating provider to receive the test report in advance of the patient’s receipt of the report, and to communicate the result to the patient, and counsel the patient as necessary with regard to the result.”  HHS also notes that HIPAA allows for additional time to comply with the requested access under certain circumstances, such as where the requested test will take longer than 30 days to analyze and complete. The lab must explain to the patient, in writing, the reason for the delay.

Lab Responsibility to Verify Request.  Under the Final Rule, the laboratory is also responsible for verifying the authenticity of the request.  The provider community is abuzz about what is sufficient for “verification” purposes and may require implementation of new or updated policies and procedures, especially for independent labs not connected with a hospital where such requests may have been handled within existing hospital Health Information Management (HIM) Department policy and procedure.  While the Privacy Rule requires verification of the identity of the person requesting access, a HIPAA-covered laboratory may not impose “unreasonable” verification measures on an individual as a means to avoid having to provide the individual with access. For example, a HIPAA-covered laboratory may not require an individual who wants a copy of his or her test reports mailed to his or her home address to physically come to the laboratory to request access and provide proof of identity in person.  Nonetheless, laboratories must prepare and implement policies and procedures that articulate a reasonable verification process to authenticate the requestor.  The Final Rule provides laboratories with flexibility as to how to set up systems to receive, process, and respond to requests for access by individuals, so long as these processes comply with the timing and other requirements for access in 45 C.F.R. §164.524 of the HIPAA Privacy Rule where HIPAA-covered laboratories are concerned.

Laboratory Notice of Privacy Practices.  Notably, the HIPAA Omnibus Rule would have required labs to revise their Notice of Privacy Practices (NPPs) by September 23, 2013.  Rather than force labs to revise their NPPs in one year, only to then revise them again the next year when the new CLIA regulations became final, HHS chose to delay enforcement until the Final Rule.   The delay applied to HIPAA-covered, CLIA-certified or CLIA-exempt laboratories that are not required to provide an individual with access to his or her laboratory test reports under the HIPAA Privacy Rule because such information was subject to HIPAA’s exceptions to the right of access.   Upon publication of the Final Rule, HIPAA-covered laboratories will have a date certain by which to revise their NPPs in order to inform individuals of their right of access to the lab test results and to include a brief description of how to exercise this right (see below discussion about the effective date).  Further, HIPAA-covered laboratories must make the NPPs available to individuals as required by 45 C.F.R. §164.520(c).  Other covered health care providers, such as ordering providers, may (but are not required) to revise their NPPs to inform individuals of their right to access PHI directly from laboratories.

Effective Date. The Final Rule was published in the Federal Register on February 6, 2014, and is effective within sixty days of publication.  Accorrdingly, the requirements set forth in the Final Rule become effective on April 7, 2014.  The Federal Register publication version is here.

(Updated February 6, 2014.)

Leave a reply. Please note that although this blog may be helpful in informing clients and others who have an interest in information privacy and security, it is not intended to be legal advice. The information on this blog also should not be relied upon to form an attorney-client relationship.

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.