The U.S. Department of Health and Human Services (HHS) recently published a Final Rule granting patients and their personal representatives access to the patient’s completed laboratory test reports directly from the lab maintaining the information. The Final Rule, published jointly by the Office for Civil Rights (OCR), the Centers for Medicare & Medicaid Services (CMS) and the Centers for Disease Control (CDC), amends both the HIPAA Privacy Rule and Clinical Laboratory Improvements Amendments of 1988 (CLIA) regulations to provide an additional avenue by which patients can access their lab test results in addition to requesting the information from the treating physician. HIPAA-covered laboratories will need to revise their policies, procedures and notices related to the release of information to patients in order to comply with the Final Rule.

Previously, the HIPAA Privacy Rule excluded protected health information (PHI) held by CLIA and CLIA-exempt covered entity laboratories from the information accessible by patients, effectively forcing patients to request lab test results from their treating physicians. This exclusion was originally intended to avoid conflict between the Privacy Rule’s otherwise broad access provisions and CLIA regulatory requirements limiting patient access to test reports. The Final Rule amends the Privacy Rule by removing this exclusion, thus extending the patient’s right of access to the PHI maintained by covered entity laboratories. The Final Rule also amends CLIA regulations to specify that, upon receiving a request from the patient or the patient’s legally authorized representative, CLIA laboratories may provide access to completed lab reports that, using the laboratory’s identification process, can be identified as belonging to that patient. Importantly, covered entity laboratories subject to CLIA still must verify that the patient in question is actually the subject of the completed lab test report requested pursuant to CLIA requirements and are not obligated to release reports that cannot be authenticated under the Final Rule. Further, according to the Final Rule, the Privacy Rule’s expanded access provisions preempt contrary state law prohibiting the release of lab test information without the ordering provider’s consent under HIPAA’s preemption regulations.

This Final Rule comes just over one year after publication of the HIPAA Omnibus Rule, which included sweeping changes to the HIPAA Privacy, Security and Breach Notification Rules. Included among these changes were revisions affecting the manner in which a covered entity must fulfill a patient’s request for access to their PHI. Specifically, under the Omnibus Rule, if a covered entity maintains requested PHI in electronic format and if the patient requests an electronic copy of their information, the covered entity must provide the requested PHI in electronic format. In addition, if a patient’s request for access directs the covered entity to transmit the requested PHI to another person designated by the individual, the covered entity must provide the PHI to the individual as requested so long as the patient’s request is in writing, signed by the patient and clearly identifies the recipient. Covered entity laboratories subject to the Final Rule’s expanded access provisions will need to ensure that their policies and procedures comply with these amended Privacy Rule requirements.

Covered entity laboratories also will need to revise their Notice of Privacy Practices (NPP) in order to comply with the Final Rule. Specifically, under the Privacy Rule, covered entities must promptly revise their NPP whenever there is a material change to their privacy practices as outlined in the NPP. The Omnibus Rule included several material changes to a covered entity’s obligations that necessitated NPP revisions, and covered entities were required to implement these revisions by September 23, 2013. However, following publication of the Omnibus Rule, HHS realized that the additional material changes included in the Final Rule discussed above would not be finalized by September 23, 2013. Consequently, the covered entity laboratories affected by these changes would have been required to update their NPP multiple times in a matter of months unless HHS took action. On September 19, 2013, HHS published an enforcement delay stating that it would not be enforcing the requirement that covered entity CLIA and CLIA-exempt laboratories revise their NPP to comply with the Omnibus Rule until further notice due to the proximity between publication of the Omnibus Rule and the Final Rule discussed above. Accordingly, in addition to the changes required under the Omnibus Rule, covered entity laboratories also must revise their NPP to include information regarding patients’ new right of access to their lab test results and remove any statements to the contrary.

The Final Rule is effective April 5, 2014, and covered entities must comply by October 2, 2014. In addition to revising policies, procedures and NPPs, covered entity laboratories also will need to train their workforce members and refine their information security practices in order to comply with the Final Rule.