On February 6, 2014, the Centers for Medicare and Medicaid Services (CMS) and the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) issued a final rule amending the Clinical Laboratory Improvement Amendments of 1988 (CLIA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to provide individuals the right to access test reports directly from laboratories subject to HIPAA. The goal of the final rule is to provide individuals with a greater ability to access their health information, empowering them to take a more active role in managing their health and healthcare.

Under the final rule, HIPAA-covered labs must:

  • Disclose lab test results to individuals, in most cases, within 30 days of a request for such information. Labs are not required to disclose results to an individual if the individual did not request disclosure.
  • Comply with an individual's request to have the lab transmit a copy of Protected Health Information (PHI) to another person or entity appropriately designated by the individual.
  • Verify the identity and authority of any person requesting access to lab test results as a personal representative of the individual. If the lab cannot verify the identity and authority, it may not release the test report.
  • Disclose test reports that the lab maintains even if the test report was created before the effective date of the final rules.
  • Subject to a narrow limitation, disclose test reports to the individual upon request even if the lab test is considered "sensitive," i.e., tests for sexually transmitted disease, pregnancy test, etc...
  • Allow individuals to make requests for test reports directly to the lab and not require the individual to make the request to the healthcare provider.
  • Charge only the reasonable, cost-based copy fee permitted under the HIPAA Privacy Rule. HIPAA covered labs may not charge fees for verification, documentation, liability insurance, maintaining systems and other similar activities.
  • Revise their Notice of Privacy Practices by October 6, 2014 to inform individuals of their right to access PHI directly from HIPAA covered labs, include a brief description of how to exercise this right, and remove any contrary statements from the existing notice. Ordering providers are not required to update their privacy notices.
  • Not withhold an individual's PHI because the individual has not paid the lab for services provided.

The Final Rule also explains what is not required:

With respect to employment-related testing, the CLIA regulations do not apply to the employer or entity that performs substance abuse testing for the purpose of employment screening where the results are merely used to determine compliance with conditions of employment.

CLIA labs that are not subject to HIPAA have discretion to provide individuals with direct access to lab test reports, subject to any applicable state laws that may limit access.

The final rule does not require labs to interpret test reports for individuals, although labs may provide additional education material regarding the test results if they choose to do so.