On February 6, 2014, the Centers for Medicare and Medicaid Services (CMS) published a final rule entitled, “CLIA Program and HIPAA Privacy Rule; Patients’ Access to Test Reports.” The February 6 final rule modifies the implementing regulations to the Clinical Laboratory Improvement Amendments of 1988 (CLIA) as well as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to impose significant new patient access obligations on CLIA and CLIA-exempt laboratories.
With respect to the CLIA regulations, the final rule allows laboratories subject to CLIA, upon the request of a patient (or the patient’s personal representative) to provide access to completed test reports that, using the laboratory’s authentication process, can be identified as belonging to that patient. The final rule also clarifies that laboratories subject to CLIA may provide a copy of the patient’s test reports to a person or entity designated by the patient to receive such reports in accordance with the HIPAA Privacy Rule at 45 C.F.R. § 164.524(c)(3)(ii). The final rule retains the CLIA regulatory provision that requires the release of test reports only to authorized persons, to the persons responsible for using the test reports, and to the laboratory that initially requested the test.
With respect to the HIPAA Privacy Rule, the February 6 final rule removes the exceptions to an individual’s right of access at § 164.524(a)(1)(iii) related to CLIA and CLIA-exempt laboratories. Thus, as of the compliance date of the final rule, HIPAA-covered laboratories will be required to provide an individual (or the individual’s personal representative) with access, upon request, to the individual’s completed test reports (and other information maintained in a designated record set) in accordance with the provisions of § 164.524 of the Privacy Rule. CMS also noted that HIPAA-covered laboratories must revise their notices of privacy practices by the compliance date of the final rule to inform individuals of this right.
The CLIA modifications take effect on April 7, 2014. The compliance date for the modifications to the HIPAA privacy rule is October 6, 2014.
The full version of the final rule can be found here.