13 Important Things to Know about the HIPAA and CLIA Final Rule Addressing Patients’ Access to Test Results

On February 6, 2014, the Centers for Medicare & Medicaid Services (CMS) published a Final Rule titled CLIA Program and HIPAA Privacy Rule:  Patients’ Access to Test Reports (“the HIPAA/CLIA Final Rule”).  The HIPAA/CLIA Final Rule amended both the HIPAA and CLIA regulations to require laboratories subject to CLIA  that are also covered entities under the HIPAA regulations (“HIPAA covered laboratories”) to provide individuals with HIPAA access rights to copies of completed test reports.  This blog post addresses 13 important highlights from the HIPAA/CLIA Final Rule.

  1. Effective Date.  The HIPAA/CLIA Final Rule is effective April 6, 2014 and HIPAA covered laboratories must comply with the rule by October 6, 2014.
  2. Access to Personal Representatives and Other Designees.  As is the case with all HIPAA covered entities, HIPAA covered laboratories must provide access to both individuals and their personal representatives.  An individual also has the right to request that his or her laboratory test be forwarded to another person or entity so long as that request is made in compliance with the HIPAA Privacy Rule (in writing, signed by the individual and clearly identifying the person/entity and information on where to send the protected health information).
  3. Reference Laboratories Included.  Reference laboratories that are HIPAA covered entities are also required to comply with the HIPAA access provisions.
  4. Archived and Offsite Reports Included.  Individuals’ right to access includes final test reports and other information in a designated record set that was created prior to the effective date of the Final Rule (even if that information has been archived or is stored offsite).
  5. 30 Day Timeframe Will Be Enforced.  HIPAA covered laboratories may not delay providing test reports to an individual in order to first provide the results to a physician.  Further, the completion of the test result does not trigger the 30 day compliance period for providing access.  However, HIPAA covered laboratories may utilize the full 30 day compliance period as well as the additional 30 day extension provided for in the HIPAA Privacy Rule.  For example, if a patient requests a copy of a test that is not completed yet, the laboratory is expected to finish the test and provide the results within the 30 day compliance period, with one 30 day extension.
  6. Requirement to Provide Electronic Copies.  HIPAA covered laboratories that maintain test reports electronically must provide individuals with an electronic copy of the information in the form or format requested by the individual, or in such other electronic form upon agreement of the patient.  A laboratory is not required to purchase new software or systems in order to provide patients with an electronic copy of the protected health information so long as the laboratory can provide some form of an electronic copy.
  7. Mail and Email Requests Must Be Accommodated and Reasonably Safeguarded.  Individuals have the right to have information mailed to them or emailed to them.  In both cases, the HIPAA covered laboratories are required to reasonably safeguard the information.  Email requests are expected to be sent via encrypted emails unless the patient specifically does not want the information to be encrypted, and has been informed of the risks associated with unsecured email.
  8. Explanation of Test Results Not Required.  HIPAA covered laboratories are not required to provide educational or explanatory materials with test results, but may decide to do so.
  9. Verification and Authentication of Requestors.  HIPAA covered laboratories must take reasonable steps to verify the identity of the requestor, relying on professional judgment and industry standards.  However, the HIPAA covered laboratory may not impose unreasonable verification measures on an individual.  For example, the HIPAA covered laboratory would not be permitted to require the individual to physically present to the laboratory in order to verify identification.
  10. Notice of Privacy Practices Revision.  HIPAA covered laboratories are required to revise their notices of privacy practices to inform individuals of the right to access and must remove any statements to the contrary.  The revised notice of privacy practices must be made available as required by the HIPAA Privacy Rule.
  11. No Change to Health Care Provider Notice of Privacy Practices Needed.  Health care providers such as physicians are not required to revise notices of privacy practices or inform patients of their ability to request test reports directly from HIPAA covered laboratories; however, providers are encouraged to provide each patient with the name of the laboratory where his/her specimen was sent, along with contact information to request access.
  12. Preemption of State Law.  The HIPAA/CLIA Final Rule specifically preempts any state law that prohibits a laboratory from releasing a test report directly to the individual or that requires the ordering provider’s consent prior to release.
  13. No Suspension of Rights for Nonpayment.  A HIPAA covered laboratory may not withhold or suspend an individual’s right to access his or her test results because of nonpayment for services.

To read the full text of the HIPAA/CLIA Final Rule, please click here.
