Regulatory Update: Changes to HIPAA Privacy Rule and CLIA

Patients Now Have Expanded Right of Access to Lab Reports

Following the regulatory trend of making  a patient’s clinical information  available to that patient upon request, HHS is implementing a new rule allowing patients direct access to their lab results without having to go through their provider.

After issuing a proposal in 2011 and an enforcement delay in 2013, the Department of Health and Human Services (HHS) Centers for Medicare and Medicaid Services (CMS) published its final Rule on February 6, 2014, by setting a national standard for patients (and/or their personal representatives) to directly access test results when created by laboratories subject to the Clinical Laboratory Improvement Amendments of 1988 (CLIA). The final Rule amends both the HIPAA Privacy Rule and CLIA regulations.

CLIA and its implementing regulations set national quality standards to ensure the accuracy, reliability and timeliness of clinical laboratories’ test results. Under CLIA regulation, covered clinical laboratories could only share lab results with “authorized” individuals (42 CFR § 493.1291(f) as defined at 42 CFR § 493.2). The regulatory definition left it up to states to determine who is “authorized” and as such, many states excluded test subjects (i.e. patients) from the list of people who could access test results directly from the lab. In these states, patients must request access to lab results from the provider who ordered the test.

While lab tests have usually been available to individuals upon request to the ordering provider, HHS believes removing a regulatory barrier (45 CFR § 164.524(a)(1)(iii)) to allow direct access to lab results is necessary to empower and encourage patients to more actively engage in their healthcare.

The final Rule also tweaks the CLIA regulations by expressly requiring covered clinical laboratories to provide access to lab reports to individuals or personal representatives upon request (labs must authenticate requesters’ identities prior to providing access).

What Should Healthcare Providers Do To Comply With These Changes?

  • Impacted laboratories may need to modify their HIPAA Notice of Privacy Practices to reflect enhanced access rights for individuals.
  • Other healthcare providers may wish to review internal policies and procedures to accommodate patient requests to obtain completed test reports directly from the lab.
  • For a clinical laboratory operating under a  Business Associate Agreement (BAA),  language in the BAA may need to be updated to reflect patients’ expanded right of direct access to lab reports.

Organizations impacted by these regulatory changes will need to comply by October 6 2014.

Clearwater Compliance

Clearwater Compliance helps healthcare organizations ensure patient safety and improve the quality of care by safeguarding the confidentiality, integrity and availability of protected health information (PHI).

We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.