By: David Hirshfeld
In an effort to help individuals access their health information so that they can become more actively involved in managing their own health care, several agencies within the Department of Health and Human Services promulgated a rule that modifies the Clinical Laboratory Improvement Amendments (“CLIA”) and the Health Insurance Portability and Accountability Act (“HIPAA”) in a way that supersedes Florida State laws governing the disclosure of laboratory test results directly to patients.
Beginning October 4, 2014 clinical labs that are “covered entities” within HIPAA must provide identifiable test results directly to patients or their personal representatives upon request. Until now, in Florida patients were unable to access their test results directly from labs without the consent of the person who requested the test.[1]
Under the existing CLIA regulation, a lab is only allowed to disclose its test results to: (i) individuals authorized under state law to order or receive test results, or both (so-called “Authorized Persons”); (ii) the person responsible for using the test results to treat the patient; or (iii) the lab that had originally requested the test.[2] By virtue of Florida law, Authorized Persons did not include the patient from whom the specimen was derived (with the exception of individuals who submit their own blood pursuant to a home access HIV test kit).[3]
Under the amended CLIA regulation, labs may provide the patient, the patient’s personal representative, or a person designated by the patient, with copies of complete test reports that can be identified as belonging to the patient.[4] The identification requirement is important so as to not to upset laboratories’ ability to conduct and protect anonymous testing. The amended language of the CLIA regulation uses the word “may;” and thereby permits, but does not require, labs to provide results directly to patients. However, the new CLIA regulation must be read in conjunction with the amended HIPAA privacy rule.
The existing HIPAA privacy rule excepts clinical laboratories from the types of health care providers that must give patients direct access to their records.[5] The amended privacy rule removes this exception so that clinical laboratories will be obligated to provide patients, or their personal representatives, access to their protected health information upon request. The privacy rule only imposes this obligation upon “covered entities.” A laboratory is a “covered entity” if it performs at least one covered transaction electronically, such as transmitting health care claims to a health plan, requesting prior authorization to provide a service from a health plan, or confirming the membership of a patient in a health care plan.
These amendments to the CLIA regulations and the HIPAA privacy rule are the government’s latest step in its effort to empower patients to take a more meaningful role in their own health care. Clinical lab providers are advised to revisit their compliance plans so that they are ready evaluate and respond to patients requests for protected health information prior to the October 4, 2014 implementation date of these important new rules.