Soon patients and patients' personal representatives will be able to obtain copies of completed laboratory test reports directly from laboratories.

The Department of Health and Human Services (HHS) released new rules Feb. 6 amending the Clinical Laboratory Improvement Amendments of 1988 (CLIA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HHS believes the new rules will allow individuals to be more active in managing their health and promote more widespread adoption of electronic health records.

This article explains the current rules governing patients' direct access to test results and what will change under the new rules.

What are laboratories' obligations currently with respect to providing test results to patients directly?

The HIPAA Privacy Rule specifically exempts CLIA-certified and CLIA-exempt laboratories from complying with the HIPAA Privacy Rule that allows individuals to inspect and obtain copies of their protected health information maintained by HIPAA-covered entities. CLIA-certified laboratories may only disclose test results to:

  • persons authorized under state law to receive test results (some states allow patients to receive their own test results while others prohibit this);
  • persons responsible for using the test results in a treatment setting; and
  • the initial laboratory that requested the test be performed.

What is required under the amendments?

First, laboratories that are covered entities within the meaning of HIPAA are now required to comply with the HIPAA Privacy Rule. If a HIPAA-covered laboratory can authenticate the test results as belonging to the patient, then the laboratory must provide a copy of a patient's completed test results to the patient or a third party identified by the patient upon request by a patient in compliance with the Privacy Rule provisions at 42 C.F.R. § 164.

HIPAA-covered laboratories will have to update their notice of privacy practices to inform individuals of their right to access test reports directly from the laboratory and how to exercise that right.

Second, laboratories that are not covered entities within the meaning of HIPAA but are subject to CLIA ("CLIA-only laboratories") may — but are not required to — provide a copy of a patient's completed test results to the patient or the patient's personal representative upon request by the patient if the laboratory can authenticate the test results as belonging to the patient.

These CLIA-only laboratories will still be required to provide the results to authorized persons, persons responsible for ordering the test results and the laboratory that initially requested the test.

Both types of laboratories may — but are not required to — alert providers when patients directly request their test reports from the laboratory.

How will healthcare providers be impacted by the amendments?

If providers want patients to learn about their test results from them, providers will need to meet with patients to discuss those results before the patient can access those results themselves.

Providers may also be contacted by laboratories to confirm the identity of a patient for whom a result was ordered or to provide documentation of a third party's status as a patient’s personal representative. HHS does not require providers to inform patients of their right to receive test reports directly from HIPAA-covered laboratories

Will laboratories begin interpreting test results for my patients?

Laboratories may — but are not required to — provide a patient's test results with additional educational or explanatory materials that would allow a patient to interpret test results. Similarly, laboratories may — but are not required to — refer patients to their provider who ordered the test for a full interpretation of the results.

After a patient requests a test result, how long do laboratories have to furnish the results?

Laboratories have 30 days after a patient requests a copy of completed test results to supply those completed test results. If the tests will not be complete within that 30-day period, then the laboratory may alert the patient of this fact and the laboratory has an additional 30 days to supply the results to the patient.

Can laboratories deny patients access to their completed test results?

HIPAA-covered laboratories may only deny a patient access to a completed test report if a licensed healthcare professional determines that access to the record may endanger the life or physical safety of the individual or another person.

Upon the patient's request to have the denial reviewed, a HIPAA-covered laboratory must refer the request to a designated unaffiliated licensed healthcare professional who did not participate in the original decision, and that provider must determine within a reasonable amount of time whether the initial denial was proper.

HHS specifically declined to adopt an exception that would limit the rights of mental health patients to access their test reports.

In what format will laboratories be required to provide copies of completed test reports to patients?

Laboratories must provide completed test reports within 30 days of the request in a manner specified under the HIPAA Privacy Rules. HIPAA-covered laboratories must also comply with the HIPAA provisions regarding verification of identity and authority of the person requesting access to the results. Otherwise, laboratories are given great flexibility in how they accept, process and respond to requests from patients.

How do the amendments impact test results completed before the amendments?

The right to access test results will apply to all test reports and other information maintained by a HIPAA-covered laboratory for as long as that information is maintained, including test results that were created before this new amendment was issued. The amendments do not impose new record retention requirements for laboratory test results.

What if a state law allows a patient with greater access to laboratory results than required by the new amendments?

If state law permits a patient greater access to completed laboratory results than the patient has under the new amendments, then the laboratory must comply with the state requirements.

Will reference laboratories, including hospital laboratories acting as reference laboratories, be required to disclose test results to patients?

If reference laboratories are covered entities under HIPAA, then they will be expected to comply with the HIPAA Privacy Rule. Reference laboratories that are not subject to HIPAA will be permitted — but not required — under federal law to disclose test results to patients.

How do the amendments impact hospital laboratories that already have existing policies and procedures to comply with the existing HIPAA Privacy access provisions?

Laboratories that are part of (1) a larger legal entity that is a hospital or (2) an affiliated covered entity or organized healthcare arrangement with a hospital may continue to use their existing policies and procedures for the purpose of complying with new amendments.

When must laboratories begin complying with these amendments?

The regulations become effective April 7, 2014. Laboratories subject to CLIA must comply with these regulations on that date. Laboratories subject to HIPAA must comply with the HIPAA amendments by Oct. 6, 2014.