On September 14, 2011, the Centers for Medicare and Medicaid Services (“CMS”) published in the Federal Register a proposed rule amending the Clinical Laboratory Improvement Amendments of 1988 (“CLIA”) and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to specify that, upon request, a patient may gain access to his/her completed test reports directly from a laboratory (“Proposed Rule”).
Currently, CLIA provides that a laboratory may only disclose test results to three categories of individuals: (1) an “authorized person,” (2) the person responsible for using the test results in the treatment context, and (3) the referring lab (42 CFR 493.1291(f)). “Authorized person” is defined as “the individual authorized under State law to order or receive test results, or both.” Moreover, even though HIPAA requires patients have access to their protected health information (“PHI”), this right of access does not extend to PHI maintained by a covered entity that is subject to CLIA or exempt from CLIA (this exception can be found at 45 CFR 164.524(a)(1)(iii)).
Under the Proposed Rule, CMS proposes to remove such restrictions in the patient-access rules thereby allowing patients to obtain the laboratory testing results directly from the laboratory. CMS proposes to amend CLIA to allow patients, upon request, to have direct access to their laboratory test reports. In the preamble to the regulations, CMS stated that it would not dictate under CLIA how patients could request such access:
[T]he CLIA regulations would not spell out the mechanism by which patient requests for access would be submitted, processed, or responded to by the laboratories. In providing this latitude, we intend to allow patients and their personal representatives’ access to patient test reports in accordance with the requirements of the HIPAA Privacy Rule.
CMS likewise proposes amending the HIPAA Privacy Rule to require covered entities that are laboratories subject to CLIA and those that are CLIA-exempt to have the same obligations as other covered entities with respect to providing individuals access to their PHI in accordance with the requirements 45 CFR 164.524. In other words, CLIA laboratories and CLIA-exempt laboratories would no longer be excepted from the requirement to give patients access to their PHI upon request.
CMS also notes that even though there may be a number of state laws prohibiting laboratories from releasing test reports directly to patients, the new regulations, if adopted, would preempt such laws.
For more information on HIPAA and compliance, please contact Abby Pendleton, Esq. or Jessica L. Gustafson, Esq. at (248) 996-8510 or (212) 734-0128 or visit the HLP website.