The Centers for Medicare and Medicaid Services (CMS) prepared the following FAQ sheet answering questions about a proposed new rule to allow patients direct access to their testing results from previously-exempted labs. To view the proposed regulation, click here.
Frequently Asked Questions
CMS-2319-P: Patients’ Access to Test Reports
1. What are the proposed changes to the CLIA regulations at §493.1291?
The proposed rule includes the following proposed changes to the CLIA regulations at §493.1291:
§493.1291(f) would be amended as follows: Except as provided in §493.1291(l), test results must be released only to authorized persons, and, if applicable, the individual (or their personal representative) responsible for using the test results and the laboratory that initially requested the test.
A new provision would be added as §493.1291(l) that would read: Upon a patient’s request, the laboratory may provide access to completed test reports that, using the laboratory’s authentication process, can be identified as belonging to that patient.
2. From whom can patients access or receive their laboratory test reports under CLIA/HIPAA?
If the proposed changes to CLIA and HIPAA are finalized, patients would be able to request and receive their test reports directly from the laboratory. Patients can continue to receive their test reports through their physician or provider or by being specified by the ordering provider as an additional recipient on the laboratory test requisition.
3. What do the proposed changes to the CLIA regulations at §493.1291 mean for laboratories?
The proposed changes to §493.1291 would allow an individual or an individual’s personal representative to receive completed test reports directly from the laboratories upon request. Laboratories would need to identify the test reports as belonging to the individual by using their authentication processes.
4. What do the proposed changes to the HIPAA Privacy Rule at §164.524 mean for CLIA laboratories?
The proposed rule would remove the exceptions to an individual’s right of access for CLIA and CLIA-exempt laboratories currently found in the HIPAA Privacy Rule. As a result, HIPAA covered entities that are laboratories subject to CLIA would have the same obligations as other types of covered health care providers with respect to providing individuals with access to their protected health information. Laboratories, as covered entities, would be required to satisfy the requirements of the HIPAA Privacy Rule regarding: timeliness of providing access; the form and format of the provision of access; allowable fees; and verification of the identity of the individual.
5. Does CLIA prescribe the process by which patients would obtain access to their reports?
The CLIA regulations do not spell out the specific process by which patient requests for access would be submitted, processed, or responded to by laboratories. Laboratories that are HIPAA covered entities would be required to comply with the HIPAA Privacy Rule’s provisions regarding: timeliness of providing access; the form and format of the provision of access; allowable fees; and verification of the identity of the individual.
6. Do the proposed changes to CLIA and the HIPAA Privacy Rule affect State laws?
The HIPAA Privacy Rule currently includes a set of exceptions related to CLIA. The right of access under §164.524 of the HIPAA Privacy Rule does not apply to protected health information maintained by a covered entity that is: subject to CLIA to the extent the provision of access to the individual would be prohibited by law, or exempt from CLIA. These exceptions were included in the HIPAA Privacy Rule to avoid a conflict with the CLIA requirements that limited patient access to test reports.
Under this proposed rule, CMS would amend the CLIA regulations to allow CLIA-certified laboratories to provide patients with direct access to their test reports. Thus, there is no longer a need for the exceptions at §164.524 for CLIA and CLIA-exempt laboratories.
Because the exceptions would be removed, §164.524 of the HIPAA Privacy Rule would preempt any contrary provisions of State law. A provision of State law is “contrary” to a provision of the HIPAA Rules if a covered entity would find it impossible to comply with both the state and federal requirements; or the provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of part C of title XI of the Social Security Act or section 254 of Pub.L.104-191, as applicable.
Pursuant to section 264(c)(2) of HIPAA, the HIPAA Privacy Rule includes an exception from this general preemption if “the provision of State law relates to the privacy of individually identifiable health information and is more stringent than a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter.” However, with respect to a State law pertaining to an individual’s right to access his or her protected health information, a State law is more stringent than the Privacy Rule if the State law “permits greater rights of access or amendment, as applicable” (§160.202).
A number of States have laws that prohibit a laboratory from releasing a test report directly to the patient or that prohibit the release without the ordering provider’s consent. If adopted, the proposed changes to §164.524 would preempt any contrary State laws that prohibit the HIPAA-covered laboratory from directly providing access to the individual.
7. Must a laboratory have an electronic health record (EHR) system or be a part of a health information exchange (HIE) to meet this new requirement for patient access to test results?
A laboratory does not need to have an EHR system or be a part of an HIE to meet the requirement for patient access to test results. However, we would anticipate that as EHRs and HIEs become more commonplace, laboratories will develop processes to handle patient requests via these systems.