Skip to main content

CMS Finalizes HIPAA and CLIA Amendments Intended to Increase Patient Access to Test Results

Written by Dianne Bourque and Karen Lovitch

Yesterday the Centers for Medicare & Medicaid Services (CMS) finally published the long-awaited final rule amending the Clinical Laboratory Improvement Amendments of 1988 (CLIA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to permit CLIA-certified laboratories to provide copies of completed test reports to patients upon request.  In addition, any laboratory that qualifies as a covered entity under HIPAA will now be required to comply with such patient requests.  These amendments represent a significant policy shift for CMS, which has historically deferred to the states on the issue of whether laboratories could communicate test results directly to patients or only through the ordering provider.  The final rule results in the preemption of a number of state laws that prohibit laboratories from releasing test reports directly to patients.

In finalizing the rule, CMS was unmoved by commenters’ concerns that patients would not understand test result reports sent directly from laboratories and that the lack of a physician intermediary would create stress or confusion for patients.  For example, the American Clinical Laboratory Association (ACLA) persuasively argued that because some test results – such as those associated with genetic testing – are sensitive as well as complex, patients should not receive them before the ordering physician. However, CMS declined to differentiate among types of testing for this purpose, and it views the new rule as an opportunity for patients to become more engaged in their health care and to ask questions of their providers.  CMS was quick to point out that the rule does not require laboratories to interpret test results for patients who request them.  Laboratories need only provide copies of result reports. CMS’s expectation is that the ordering physician will have provided in-depth testing information and informed consent prior to testing and that patients will typically request results only after talking with the physician.

Another goal of the final rule was to ensure patients’ right of access to their protected health information (or PHI) under HIPAA.  HIPAA requires regulated entities to provide access to PHI upon the request of the affected patient or his or her personal representative.  CLIA-certified laboratories were historically exempt from this requirement due to state-imposed limitations on their ability to communicate directly with patients.  CMS makes clear in the final rule that laboratories must honor patients’ request for access to PHI, including test result reports, billing information, and other PHI. CLIA-certified laboratories should be aware that the HIPAA Omnibus Rule, published in January 2013, expanded HIPAA’s right of access by requiring regulated entities to provide PHI in electronic form when requested by a patient.  HIPAA-regulated entities also must forward electronic copies of PHI to third parties upon the request of a patient, so laboratories should not only prepare to grant patients’ requests for access but also ensure mechanisms are in place to comply with the HIPAA Omnibus Rule’s expanded right of access to PHI in electronic form.  HIPAA’s deadline for responding to patient requests is tight – the laboratory must act within 30 days of receipt of the patient’s request, but may have one 30-day extension.

Covered entity laboratories should be aware that the HHS Office for Civil Rights (OCR) has been exercising “enforcement discretion” under the Notice of Privacy Practices requirements under the HIPAA Omnibus Rule, which required covered entities to update their Notices by September 23, 2013, to reflect new obligations, such as the expanded right of access.  Recognizing the potential burden on laboratories of updating their Notices and then doing so again to reflect impending changes under CLIA, OCR announced that it would not enforce the September 23, 2013 Notice update deadline against CLIA- certified laboratories.  OCR is expected to announce the termination of its enforcement discretion, which means that laboratories should take steps to update their Notices consistent with the Omnibus Rule and this final rule.

As detailed in a previous post, these regulations will require nearly 23,000 laboratories in 39 states and territories to develop new procedures for providing patients access to their test results.  And over 33,000 laboratories will need to revise their Notices to reflect the right of individuals to obtain test results directly from the laboratory.  Compliance with the new requirements is expected to cost laboratories millions of dollars.  CMS estimates that the cost of developing the necessary policies and procedures for all affected laboratories could range from $2.2 million to $10.2 million.  Responding to patient requests could exceed $52 million annually.  This additional financial burden comes on the heels of CMS’s recent decision to reexamine certain payment amounts under Medicare’s Clinical Laboratory Fee Schedule as well as cuts to a number of pathology codes under Medicare’s Physician Fee Schedule over the past couple of years.  More details are available in this post.

The final rule is effective sixty (60) days from publication in the Federal Register, which is expected on Thursday, February 6th, and covered entities must comply with the final rule’s HIPAA-related requirements within 240 days after the date of publication.



Subscribe To Viewpoints


Karen S. Lovitch

Chair, Health Law Practice & Co-Chair, Health Care Enforcement Defense Practice

Karen advises industry clients on regulatory, transactional, operational, and enforcement matters. She has deep experience handling FCA investigations and qui tam litigation for laboratories and diagnostics companies.