Skip to main content

Proposed CLIA and HIPAA Amendments Would Increase Patient Rights and Administrative Burden for Labs

Written by Dianne Bourque and Karen Lovitch

CMS has announced the publication of a proposed rule that will require HIPAA-covered laboratories to make test results available to patients no later than 180 days after the rule's effective date, which will be 60 days after publication in tomorrow's Federal Register.  In other words, laboratories, many of which interface with patients directly only when billing issues arise or when collecting specimens, will have a mere 240 days to implement this significant operational change unless stakeholders convince CMS that it should withdraw the proposed rule.

To accomplish this change, CMS has proposed revisions to the CLIA regulations and to the HIPAA Privacy Rule.  CLIA currently limits disclosure of test results to the treating health care professional, a referring laboratory, or an "authorized person" as defined by state law, but to date only a small handful of states allow direct patient access.    The proposed CLIA regulation leaves the current language in place while adding a provision that would allow laboratories to provide patient access, but only after confirming that the test results belong to the requesting patients.  The language is permissive, but, in most cases, HIPAA would require covered laboratories to release the results because the proposed rule would remove the exemption that currently prohibits disclosure of test results to patients if disclosure is prohibited by law.  HIPAA’s other exemptions may not apply in the context of test results.  For example, it is unlikely that a test report would make reference to another person.   But HIPAA does have an exemption that would justify refusal to release test results if doing so would cause the patient substantial harm.  A laboratory could argue that this exemption applies where the release of test results could cause emotional distress, such as in the case of a cancer diagnosis.

According to CMS, nearly 23,000 laboratories located in 39 states and territories will need to develop procedures for providing patients access to their test results.  Such processes will have to comply with the new HITECH requirements for access to health information in the electronic form and format requested by the patient.   Although CMS downplayed the administrative and financial burden of the proposed rule, it is likely to present a variety of operational challenges for laboratories.

Subscribe To Viewpoints


Karen S. Lovitch

Chair, Health Law Practice & Co-Chair, Health Care Enforcement Defense Practice

Karen advises industry clients on regulatory, transactional, operational, and enforcement matters. She has deep experience handling FCA investigations and qui tam litigation for laboratories and diagnostics companies.
Dianne specializes in counseling researchers and research sponsors in matters related to FDA and OHRP regulated clinical research, and counsels health care clients on the HIPAA Privacy Rule and Security Standards.