HHS Final Rule Lab Results Feb 2014


  • 8/12/2019 HHS Final Rule Lab Results Feb 2014


    7290 Federal Register / Vol. 79, No. 25 / Thursday, February 6, 2014 / Rules and Regulations

    DEPARTMENT OF HEALTH AND HUMAN SERVICES

    Centers for Medicare & Medicaid Services

    42 CFR Part 493

    Office of the Secretary

    45 CFR Part 164

    [CMS-2319-F]

    RIN 0938-AQ38

    CLIA Program and HIPAA Privacy Rule; Patients' Access to Test Reports

    AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS; Centers for Disease Control and Prevention (CDC), HHS; Office for Civil Rights (OCR), HHS.

    ACTION: Final rule.

    SUMMARY: This final rule amends the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations to specify that, upon the request of a patient (or the patient's personal representative), laboratories subject to CLIA may provide the patient, the patient's personal representative, or a person designated by the patient, as applicable, with copies of completed test reports that, using the laboratory's authentication process, can be identified as belonging to that patient. Subject to conforming amendments, the final rule retains the existing provisions that require release of test reports only to authorized persons and, if applicable, to the persons responsible for using the test reports and to the laboratory that initially requested the test. In addition, this final rule amends the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to provide individuals (or their personal representatives) with the right to access test reports directly from laboratories subject to HIPAA (and to direct that copies of those test reports be transmitted to persons or entities designated by the individual) by removing the exceptions for CLIA-certified laboratories and CLIA-exempt laboratories from the provision that provides individuals with the right of access to their protected health information. These changes to the CLIA regulations and the HIPAA Privacy Rule provide individuals with a greater ability to access their health information, empowering them to take a more active role in managing their health and health care.

    DATES: Effective Date: These regulations are effective on April 7, 2014. HIPAA covered entities must comply with the applicable requirements of this final rule by October 6, 2014.

    FOR FURTHER INFORMATION CONTACT:

    For CLIA regulations: Nancy Anderson, CDC, (404) 498-2280. Judith Yost, CMS, (410) 786-3531.

    For HIPAA Privacy Rule: Andra Wicks, OCR, (202) 205-2292.

    SUPPLEMENTARY INFORMATION:

    I. Background

    A. CLIA Statute and Regulations

    The Clinical Laboratory Improvement Amendments of 1988 (CLIA) and the implementing regulations established nationwide quality standards to ensure the accuracy, reliability and timeliness of clinical laboratories' test results. The standards vary based on the complexity of the laboratory test method; that is, the more complicated the test method, the more stringent the requirements for the laboratory.

    The CLIA regulations established three categories of testing based on complexity level. In increasing order of complexity, these categories are waived, moderate complexity (which includes the subcategory of provider-performed microscopy (PPM)), and high complexity. Laboratories must hold a CLIA certificate for the most complex form of CLIA-regulated testing that they perform.

    The CLIA regulations cover all phases of laboratory testing, including the reporting of test results. The CLIA regulatory limitations that govern to whom a laboratory may issue a test report have become a point of concern. The requirements for a laboratory test report are set forth in 42 CFR 493.1291.

    Under the current CLIA regulations at § 493.1291(f), a CLIA laboratory may only disclose laboratory test results to three categories of individuals or entities: The authorized person, the person responsible for using the test results in the treatment context, and the laboratory that initially requested the test. "Authorized person" is defined in § 493.2 as the individual authorized under state law to order or receive test results, or both. In states that do not allow individuals to access their own test results, the individuals must receive their test results through their health care providers.

    Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (The Recovery Act), which was enacted on February 17, 2009, incorporated the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act created a Federal advisory committee known as the Health Information Technology (HIT) Policy Committee. The HIT Policy Committee has broad representation from major health care constituencies and provides recommendations to the Department's Office of the National Coordinator for Health Information Technology (ONC) on issues relating to the implementation of an interoperable, nationwide health information infrastructure. The HIT Policy Committee has sought to identify barriers to the adoption and use of health information technology. According to the HIT Policy Committee, some stakeholders perceive the CLIA regulations as imposing barriers to the exchange of health information. These stakeholders include large and medium sized laboratories, public health laboratories, electronic health record (EHR) system vendors, health policy experts, health information exchange organizations (HIOs), and health care providers who believe that the individual's access to his or her own records is impeded, preventing patients from having a more active role in their personal health care decisions.

    We believe these concerns, as well as the advent of certain health reform concepts (for example, personalized medicine, an individual's active involvement in his or her own health care, and the Department's work toward the widespread adoption of EHRs), call for revisiting barriers or challenges to individuals gaining access to their health information.

    The Centers for Medicare & Medicaid Services (CMS) worked with ONC, the Centers for Disease Control and Prevention (CDC), and the Office for Civil Rights (OCR) to propose changes to the CLIA regulations and to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to remove barriers to an individual's direct access to his or her own test reports from laboratories. See "CLIA Program and HIPAA Privacy Rule; Patients' Access to Test Reports," 76 Fed. Reg. 56712, September 14, 2011. The Department believes that this right is crucial to provide individuals with vital information to empower them to better manage their health and take action to prevent and control disease. In addition, removing barriers in this area supports the commitments and goals of the Secretary of the Department of Health and Human Services (the Department) and the Administrator of CMS regarding personalized medicine, an individual's active involvement in his or her own health care, and the widespread adoption of EHRs by 2014.


    B. HIPAA Statute and Privacy Rule

    The Health Insurance Portability and Accountability Act of 1996, Title II, subtitle F - Administrative Simplification, Public Law 104-191, 110 Stat., 2021, provided for the establishment of national standards to protect the privacy and security of certain individually identifiable health information. The Administrative Simplification provisions of HIPAA and their implementing regulations apply to three types of entities, which are known as "covered entities": Health care providers who conduct covered health care transactions electronically, health plans, and health care clearinghouses.

    A laboratory, as a health care provider, is only a covered entity if it conducts one or more covered transactions electronically, such as transmitting health care claims or equivalent encounter information to a health plan, requesting prior authorization from a health plan for a health care item or service it wishes to provide to an individual with coverage under the plan, or sending an eligibility inquiry to a health plan to confirm an individual's coverage under that plan.

    If a laboratory does not conduct any of these or the other HIPAA standard transactions electronically (either because it does not conduct the transactions at all or because it does so via paper), then the laboratory is not subject to the HIPAA Privacy Rule (45 CFR Part 160 and Part 164, subparts A and E). Any laboratory that conducts a single electronic transaction for which there is a HIPAA standard under the HIPAA Transactions and Code Sets Rule becomes a covered entity and is subject to the Privacy Rule with respect to all protected health information that it creates or maintains (that is, the application of the Privacy Rule is not limited to the individuals or records associated with an electronic transaction). This final rule does not alter the requirements for what makes a laboratory a HIPAA covered entity.

    The Privacy Rule at § 164.524 provides individuals with a general right of access to inspect and obtain a copy of protected health information about the individual in a designated record set maintained by or for a covered entity. A "designated record set" is defined at 45 CFR 164.501 as a group of records maintained by or for a covered entity that is comprised of: The medical records and billing records about individuals maintained by or for a covered health care provider; the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals.

    The term "record" means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used or disseminated by or for a covered entity. Laboratory test reports that are maintained by or for a laboratory that is a covered entity are part of a designated record set.

    The HIPAA Privacy Rule requires a HIPAA covered entity to provide the individual with a copy of the information in his or her designated record set in the form and format requested by the individual, if a copy in that form and format is readily producible. Where the information in the designated record set is maintained electronically, and the individual requests an electronic copy of the information, the covered entity must provide the individual with access to the information in the requested electronic form and format, if it is readily producible in that form and format. When it is not readily producible in the electronic form and format requested, then the covered entity must provide the copy in an alternative readable electronic format as agreed to by the covered entity and the individual (see § 164.524(c)(2)(ii)).

    The right of access under § 164.524 extends not only to individuals, but also to individuals' personal representatives, who generally are persons authorized under applicable law to make health care decisions for the individual. The rules governing who may act as a personal representative under the Privacy Rule are set forth at § 164.502(g). Additionally, under § 164.524(c)(3)(ii), if requested by an individual who is exercising his or her right of access, a covered entity must transmit the copy of protected health information directly to another person or entity designated by the individual.

    However, while individuals (and personal representatives) generally have the right to inspect and obtain a copy of their protected health information in a designated record set, the current Privacy Rule includes a set of exceptions related to CLIA. Specifically, the right of access under § 164.524 of the Privacy Rule does not apply to: Protected health information maintained by a covered entity that is (1) subject to CLIA to the extent the provision of access to the individual would be prohibited by law; or (2) exempt from CLIA. These exceptions, found at § 164.524(a)(1)(iii)(A) and (B) of the Privacy Rule, cover test reports and other protected health information only at CLIA and CLIA-exempt laboratories. The individual has a right to access this information when held by any other type of covered entity (for example, a hospital or treating physician).

    These exceptions were included in the Privacy Rule because the Department wanted to avoid a conflict with the CLIA regulatory requirements that limited patient access to test reports (65 FR 82485, December 28, 2000). However, because CMS proposed to amend the CLIA regulations to allow CLIA-certified laboratories to provide patients with direct access to their test reports, the Department simultaneously proposed to remove the exceptions for CLIA and CLIA-exempt laboratories from the right of access at § 164.524 so that HIPAA-covered laboratories would be required by HIPAA to provide individuals, upon request, with access to their completed test reports.

    II. Summary of the Proposed Changes to the CLIA Regulations (§ 493.1291)

    On September 14, 2011, we published a proposed rule in the Federal Register entitled, "Patients' Access to Test Reports" (76 FR 56712) that, if finalized, would amend § 493.1291 of the CLIA regulations. Specifically, we proposed to add at 42 CFR 493.1291(l) to specify that, upon a patient's request (or upon the request of the patient's personal representative), the laboratory may provide a patient with access to his or her completed test reports that, using the laboratory's authentication processes, can be identified as belonging to that patient. While we proposed to use the word "may," we highlighted the importance of reading the proposed amendments to the CLIA regulations in concert with the proposed changes to the HIPAA Privacy Rule (discussed below), which would require covered entity laboratories to provide patients with access to test reports. We did not propose to specify in the CLIA regulations the mechanism by which patient requests for access would be submitted, processed, or responded to by the laboratories. In providing this latitude, we intended to allow patients and their personal representatives access to patient test reports in accordance with the requirements of the HIPAA Privacy Rule. Subject to conforming amendments, we proposed to retain the existing requirements at § 493.1291(f) that otherwise limit the release of test reports to authorized persons and, if applicable, the individuals (or their personal representatives) responsible for using the test reports and the laboratory that initially requested the test.

    ¹ See https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/index.html.

    III. Summary of the Proposed Changes to the HIPAA Privacy Rule (§ 164.524)

    The Department also proposed to amend the HIPAA Privacy Rule at 45 CFR 164.524(a)(1)(iii)(A) and (B) to remove the exceptions to an individual's right of access that relate to CLIA and CLIA-exempt laboratories to align the Privacy Rule with CMS' proposed changes to the CLIA regulations and the Department's goal of improving individuals' access to their health information.

    Under the proposal, HIPAA covered entities that are laboratories subject to CLIA, as well as those that are exempt from CLIA, would have the same obligations as other types of covered health care providers with respect to providing individuals (or their personal representatives) with access to their protected health information in accordance with § 164.524.

    Consistent with the proposed change to the CLIA regulatory requirements, which would allow a laboratory to provide patients and their personal representatives with direct access to completed test reports when the laboratory can authenticate that the test report pertains to the patient, we also clarified that CLIA and CLIA-exempt laboratories that are HIPAA covered entities would have to satisfy the verification requirement of § 164.514(h) of the Privacy Rule before providing an individual with access. We recognized that a laboratory could receive a test order with only an anonymous identifier and be unable to identify the individual who is the subject of the test report. We noted that it was not our intent to discourage anonymous testing. As we discussed in the proposed rule, a laboratory that received a request for access from an individual where the laboratory could not authenticate that the requesting individual is the subject of a test report would be under no obligation to provide access.

    The proposed rule also explained that the changes to the HIPAA Privacy Rule would result in the preemption of a number of state laws that prohibit a laboratory from releasing a test report directly to the individual or that prohibit the release without the ordering provider's consent because the state laws now would be contrary to the access provision of the HIPAA Privacy Rule mandating direct access by the individual.

    Finally, we explained that it was our intent that HIPAA-covered laboratories would be required to comply with the revised individual access requirements of the Privacy Rule by no later than 180 days after the effective date of any final rule. The effective date of the final rule would be 60 days after publication in the Federal Register, so laboratories subject to HIPAA would have a total of 240 days after publication of the final rule to come into compliance.

    IV. Provisions of the Final Regulations

    This final rule adopts the proposed changes to both the CLIA regulations and the HIPAA Privacy Rule, with minor clarifications and conforming changes, which are explained below in the relevant responses to comments. These modifications broaden individuals' rights to access their protected health information directly from laboratories subject to HIPAA. In addition, the changes remove federal barriers to direct access for laboratories not subject to HIPAA. With respect to the CLIA regulations, this final rule allows laboratories subject to CLIA, upon the request of a patient (or the patient's personal representative) to provide access to completed test reports that, using the laboratory's authentication process, can be identified as belonging to that patient. The final rule also clarifies that laboratories subject to CLIA may provide a copy of the patient's test reports to a person or entity designated by the patient to receive such reports in accordance with the HIPAA Privacy Rule at § 164.524(c)(3)(ii). Subject to certain conforming amendments, this final rule retains the CLIA regulatory provision that requires the release of test reports only to authorized persons, to the persons responsible for using the test reports, and to the laboratory that initially requested the test. These CLIA regulatory modifications take effect 60 days after publication of this final rule in the Federal Register.

    With respect to the Privacy Rule, the final rule removes the exceptions to an individual's right of access at § 164.524(a)(1)(iii) related to CLIA and CLIA-exempt laboratories. Thus, as of the compliance date of this final rule, HIPAA-covered laboratories will be required to provide an individual (or the individual's personal representative) with access, upon request, to the individual's completed test reports (and other information maintained in a designated record set) in accordance with the provisions of § 164.524 of the Privacy Rule. The compliance date of this rule is October 6, 2014.

    The Department's rationale for adopting the proposed provisions in this final rule, along with further clarifications and interpretations of the provisions, is explained below in the responses to the public comments.

    V. Analysis of and Responses to Public Comments

    In response to the September 2011 proposed rule, we received over 160 timely public comments on various issues related to the rule. Interested parties that submitted comments included health care consumers and patient advocacy organizations; laboratories, hospitals, and other health care providers and their associations; information technology organizations; governmental organizations, and others. We have analyzed these comments and determined that it is appropriate to finalize the provisions as set forth in the proposed rule. The comments we received on these provisions and our responses are set forth below.

    A. Right of Direct Access to Laboratory Test Reports

    Comment: A number of providers and laboratories expressed concerns about giving individuals a way to receive laboratory test reports without the benefit of provider interpretation and without contextual knowledge that may be necessary to properly read and understand the reports. For example, commenters expressed concern that patients might receive and act upon results that appear to be abnormal (showing false positives or false negatives, or results that are out of the normal range for the general population) but may be normal for that particular patient due to his or her medical conditions. Commenters also requested that the Department clarify that the laboratories themselves would not be required to interpret test reports for individuals.

    Other commenters stated that the proposed rule was redundant, and would add significant burden without a commensurate benefit to individuals, as existing HIPAA and HITECH Act (§ 13405(e)) laws already provide individuals with a comprehensive right to access their protected health information, including test reports, through their physicians. Further, some commenters stated that the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs,¹ which include criteria to ensure that certain laboratory test reports become standardized elements in a certified EHR, are a better mechanism than the proposed rule to ensure more timely access to all health information. The commenters also stated that the information provided to individuals through the Medicare and Medicaid EHR Incentive Programs requirements will be in a more consistent, more user-friendly, and more interoperable format than that obtained directly from a laboratory. Furthermore, commenters stated that many providers have already invested significant dollars and resources in secure patient portals to provide for individual access to health information directly from these providers.

    In contrast, other commenters, including certain laboratories, consumers, and consumer advocates, generally supported expanding an individual's right of access to include receiving test reports directly from laboratories. These commenters stated that providing individuals with the ability to access their laboratory test reports directly from laboratories would provide individuals with an increased ability to play a more active role in their health care and have more informed conversations with their health care providers, resulting in better health outcomes. Some commenters also thought that the proposals would remove barriers to the electronic exchange of individually identifiable health information.

    Further, in response to concerns regarding instances in which patients might misunderstand or become distressed over the results of laboratory tests due to the lack of treating provider interpretation or counseling, some commenters stated that they would not anticipate that many patients will request direct access to any test reports that they do not feel prepared to review on their own. Rather, the commenters indicated that the proposals would encourage doctors to more proactively discuss the range of possible results and the consequences of each before tests are ordered. One laboratory noted that, in its experience, many patients do not request access to their test results until they have spoken to a physician about them. Some commenters challenged what they termed to be a "paternalistic" notion that patients are unable to understand their health data without physician explanation. These commenters stated that if patients want additional information from, or consultation with, their physicians, they will follow up with their physicians directly.

    Response: We appreciate all of the comments that we received with regard to the right of individuals to access their laboratory test reports directly from laboratories. We agree with those commenters who stated that the rule is necessary to ensure patients have better and more complete access to their health information, which will enable patients to be more proactive and more informed with regard to their health care. However, we disagree with those commenters who argued that the rule would be redundant. While individuals do have a right of access to their health information under the HIPAA Privacy Rule, there may be circumstances when an ordering or treating provider is not subject to the HIPAA Privacy Rule (for example, because the provider does not bill health plans electronically) and, thus, is not required to provide an individual with access to his or her health information. Further, some studies have found that physician practices failed to inform patients of abnormal test results about seven percent of the time, resulting in a substantial number of patients not being informed by their providers of clinically significant test results. See Casalino LP, Dunham D, Chin MH, et al. Frequency of Failure To Inform Patients of Clinically Significant Outpatient Test Results, Arch Intern Med., June 22, 2009, 169 (12): 1123-1129. The rule strengthens individuals' current ability to have access to completed test reports by ensuring they are able to access them directly from HIPAA-covered laboratories.

    Finally, comments regarding the provision of access through the mechanisms established by EHR Incentive Programs failed to recognize the voluntary nature of the programs or the fact that the programs' requirements do not pertain to laboratories.

    Furthermore, the rule does not diminish the investment health care providers have made to provide individuals with access to their health information through patient portals, as those portals provide patients with access to a much broader range of health information than just test results. The rule provides an additional avenue for an individual to obtain test reports directly from laboratories, which we expect will reduce the chances of patients not being informed of laboratory test results and potentially reduce the numbers of patients who fail to seek appropriate care. We also agree with commenters that increased patient access to laboratory test reports, which can then be shared with the patient's other providers, will help reduce unnecessary and duplicative testing.

    With respect to those comments concerned about patients receiving test reports without the benefit of provider interpretation, we emphasize that this rule does not alter the role of the ordering or treating provider in reporting and explaining test results to patients. We expect that patients will continue to obtain test results and advice about what those test results mean, through their ordering or treating providers. Further, as noted above, for those individuals who do or will request access to test reports from a laboratory, it was the experience of one large laboratory that many patients do not request access to their test reports from a laboratory until they have spoken with their physicians. We expect this trend to continue to generally be the case. We also agree with commenters that the rule will further encourage ordering and treating providers to more proactively discuss with patients the range of possible test results and what the results may mean for the particular patient before or at the time the test is ordered.

    Further, under the HIPAA Privacy Rule, in most cases, laboratories will be required to provide individuals with access to their laboratory test reports within 30 days of the request (see § 164.524(b)(2)(i)). As discussed more fully below, in cases where an individual requests access to completed test reports, we believe 30 days will generally be sufficient to allow the ordering or treating provider to receive the test report in advance of the patient's receipt of the report, and to communicate the result to the patient, and counsel the patient as necessary with regard to the result.

    Finally, we clarify that this final rule does not require that laboratories interpret test results for patients. Patients merely have the right to inspect and receive a copy of their completed test reports and other individually identifiable health information maintained in a designated record set by a HIPAA-covered laboratory. Laboratories may continue to refer patients with questions about the test results back to their ordering or treating providers.

    Comment: Some commenters indicated they would support changes to the regulations, which would permit, but not require, laboratories to provide individuals with access to their completed test reports. One commenter stated that the proposed rule was unclear as to whether laboratories will have the discretion to provide access, or whether they will be required to provide access, to individuals who request their test reports. Other commenters were concerned about the differential application of the rule to HIPAA-covered versus non-HIPAA-covered laboratories, stating that this construct will create confusion and frustration among patients who may expect to be able to access their test reports from any laboratory and who may not understand the distinction among laboratories based on HIPAA covered entity status.

    Response: Laboratories that are HIPAA covered entities are required by this final rule to provide, upon request by an individual or the individual's personal representative, access to the protected health information about the individual maintained in a designated record set in accordance with the HIPAA Privacy Rule at § 164.524. CLIA laboratories that are not subject to HIPAA will have discretion to provide patients with direct access to their laboratory test reports, subject to any applicable state laws that may constrain access.

    We do not believe it is appropriate to only permit rather than require HIPAA-covered laboratories to provide individuals with access to their test reports. This may not significantly expand individuals' ability to access their health information, as some laboratories not currently providing individuals with direct access to their test reports might choose not to begin providing direct access. Further, in a number of states, state law prohibits laboratories from providing individuals with direct access to their test reports. If the HIPAA Privacy Rule merely permitted access, it would not preempt those state laws that prohibit direct access, because a permissive federal requirement is not contrary to a prohibitive state law (see § 160.202). As of the effective date of this final rule, the CLIA regulations will expressly permit the disclosure of test reports to the individual. The combination of the change in the HIPAA Privacy Rule, combined with the change to the CLIA regulations, will result in HIPAA-covered laboratories being required to disclose test reports to patients, in most cases, within 30 days of a request.

    Comment: A few commenters stated that the rule should only apply to the primary laboratory to which the specimen was submitted, as opposed to reference laboratories that may perform some or all of the testing. These commenters stated that reference laboratories have no relationship with the individual and have either limited or inadequate information about the individual to enable the laboratory to provide individuals with access. A few commenters indicated that, while applying the rule to hospital laboratories with respect to the test reports of the hospital's own patients may not be a significant challenge, applying the rule to hospital laboratories in their role as reference laboratories for other providers, such as community physicians and other laboratories, would raise significant operational challenges.

    In contrast, one laboratory commenter recommended that no laboratories be exempt from the individual access requirements, stressing the importance of uniform application of the rule and a patient's ability to access his or her test report from whatever laboratory performed the test.

    Response: We appreciate the commenters' concerns regarding laboratory contact with individuals; however, we do not agree that limited information about the individual who is the subject of a test report is a sufficient reason to exempt reference laboratories from the access requirements of the HIPAA Privacy Rule. We believe applying the access requirements as broadly and uniformly as possible best furthers the Department's goal of increasing direct individual access rights to health information. To the extent that reference laboratories are covered entities under HIPAA, they will be required, upon the compliance date of this rule, to provide individuals with access to test reports in compliance with § 164.524 of the Privacy Rule. Reference laboratories that are not subject to HIPAA will not be under any federal obligation to provide access, but they will be permitted to do so under Federal law. However, we expect that, in most cases, individuals will continue to request access to their health information either from their treating provider, or from the referring laboratories. This expectation is based on our understanding that many, if not most, individuals will not be aware of the identity of the reference laboratory, or may not know that a reference laboratory is conducting all or part of the ordered tests. Therefore, we do not expect reference laboratories to encounter many individual requests for access. Furthermore, in the limited circumstances where a patient may request access to test reports from a laboratory acting as a reference laboratory with respect to that patient, the reference laboratory need only provide the individual with the requested access to the extent the laboratory can authenticate the test report as belonging to that patient. The same applies for hospital laboratories that also act as reference laboratories. Finally, we do not believe that there will be significant operational issues for hospital laboratories as hospitals already have policies and procedures in place to comply with the existing HIPAA Privacy Rule access provisions and the hospital laboratories can use these policies and procedures for purposes of this rule.

    B. Scope of Information to Which an Individual Has Access

    Comment: A number of commenters indicated that the rule should apply only to tests administered after the final rule is published or becomes effective. These commenters expressed concern with laboratories having to retrieve copies of old test reports that have been archived and may exist offsite. For example, commenters stated that many laboratories have archived test reports that exist on paper or on backup tapes, and that it would be costly and burdensome to retrieve and transfer the archived test reports to other suitable media to transmit to an individual.

    A few commenters asked that the rule not require laboratories to provide test reports that have been kept beyond the retention date(s) required in the CLIA regulations. One commenter indicated that the rule should specify a timeframe after a test report is first generated beyond which an individual would not have a right to access the test report directly from the laboratory.

    Response: While we appreciate the commenters' concerns, as with any other HIPAA covered entity, under this final rule, an individual has a right to access information about the individual in one or more designated record sets maintained by a HIPAA-covered laboratory, for as long as the information is maintained by the laboratory (see § 164.524(a)(1)). This right extends to test reports and other information about the individual in a designated record set maintained offsite, archived, or created before the publication or effective date of this final rule. We do not agree that information created before the effective date of this final rule should be exempt from the access requirement. The reasons for granting individuals access to health information pertaining to them do not vary with the date the information was created. In cases where retrieving records that have been archived may take longer than 30 days from the individual's request, a covered laboratory may request one 30-day extension, if it provides the reason for the delay in writing to the requesting individual. See the Privacy Rule requirements for timely action on access requests at § 164.524(b)(2).

    We also clarify that this final rule does not impose any new record retention requirements for laboratory test reports. These obligations are established under CLIA and other applicable Federal and state laws. See, for example, 42 CFR 493.1105. Rather, it provides an individual with a right to access protected health information in the designated record set of a HIPAA-


    necessarily in the best interest of the patient.

    Response: Under the HIPAA Privacy Rule, an individual generally has a broad right of access to any or all of his or her health information maintained in a designated record set. In this final rule, we extend that broad right to the laboratory setting. With a very limited exception, covered entities may not deny an individual access to his or her health information based on the information's sensitive nature or potential for causing distress to the individual. The limited exception is for cases where a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person, and the individual is provided a right to have the denial of access reviewed by an unaffiliated health care professional (see § 164.524(a)(3)(i)).

    As we discuss elsewhere in this final rule, we do not believe that this rule will eliminate or interfere with the role or obligation of the treating or ordering provider to report and counsel patients on laboratory test results. The rule provides ample time to ensure providers receive sensitive test reports before the patient and to allow providers to counsel individuals on the test reports. In addition, as indicated above, we believe the rule will further encourage providers, at the time the test is ordered, to counsel patients on the potential outcomes of a test and what they may mean for the patient, given his or her medical history.

    Finally, we agree with commenters who stated that categorizing laboratory testing into "sensitive" and "non-sensitive" categories would be a subjective endeavor that would not necessarily result in policies that are in the patient's best interest. This endeavor also would result in a lack of uniformity across states and laboratories with respect to the types of information to which an individual has access under the rule. This outcome would be too complex and burdensome for laboratories to administer and confusing for individuals attempting to exercise their rights.

    Comment: A few commenters, while in general support of the proposed rule, raised specific concerns about providing laboratory test reports directly to certain mental health patients (for example, those who may be suffering from medical conditions such as paranoia). These commenters were concerned that direct access to laboratory test reports without any involvement of the treatment team could have a very negative impact on the mental health of these patients. Some commenters asked that the current provision in the HIPAA Privacy Rule allowing the denial of access to protected health information when the access is reasonably likely to endanger the life or physical safety of the individual or another person also apply to access made available under this final rule. They suggested that this would allow providers to determine when prior provider review and approval would be required before the release of given laboratory test reports to mentally ill patients.

    Response: We believe the existing exceptions to access in the Privacy Rule appropriately balance an individual's right to access his or her health information with other considerations, such as the potential for harm. Therefore, we decline to provide a specific exception to the right of access for mental health patients. A laboratory is subject to the same requirements under the HIPAA Privacy Rule as other covered entities to generally provide all individuals with access to their health information. As previously discussed, we believe the 30 day time-frame (plus one 30 day extension) provides laboratories with sufficient time to ensure treating or ordering physicians receive test reports before the patient's receipt of the test report, which will allow them to counsel the patient with respect to the test result.

    As noted above, the HIPAA Privacy Rule at § 164.524(a)(3)(i) provides that a covered entity may deny access to an individual if a licensed health care professional has determined, in the exercise of professional judgment, that the access requested by the individual is reasonably likely to endanger the life or physical safety of the individual or another person. However, this is a limited exception to an individual's right of access and applies only with respect to endangerment of the life or physical safety of the individual or another person; thus, concerns about psychological or emotional harm are not sufficient to justify denial of access. Furthermore, a HIPAA-covered laboratory that wishes to deny access to the individual based on a determination by a licensed health care professional must provide the individual with an opportunity to have the denial reviewed by a licensed health care professional who is designated by the laboratory to act as a reviewing official and who did not participate in the original decision to deny. The HIPAA-covered laboratory must promptly refer a request for review to the reviewing official, who must determine, within a reasonable amount of time, whether or not to deny the access requested. See § 164.524(d). The laboratory would then be required to provide or deny access in accordance with the determination of the reviewing official (see § 164.524(a)(4)).

    Comment: Two commenters requested clarification on whether the expanded right of individual access would apply to food or environmental test reports maintained by a laboratory, that are the result, for example, of testing done after an outbreak of disease, and that may be linked to particular patients. A public health laboratory requested clarification on how this rule applies to public health surveillance or outbreak test reports. One commenter requested clarification as to whether individuals would have a right to employment-related test results, such as testing for drug and alcohol use. Finally, another commenter asked that patient access to laboratory results be expanded to include the results of radiologic assessments.

    Response: This final rule is intended to remove barriers in the HIPAA Privacy and CLIA regulations to individual access to test reports maintained by laboratories subject to or exempt from CLIA. If the samples tested are not of the human body, the entity conducting the testing is not subject to CLIA for purposes of that testing or those test results. Furthermore, if the testing is not for the purpose of providing information for the diagnosis, prevention, or treatment of any disease or impairment of, or the assessment of the health of human beings, that testing and those test results are also not subject to CLIA. Some outbreak and surveillance activities may involve testing samples from humans and thus be subject to CLIA if individual patient-specific test results are reported to ordering providers. However, CLIA does not apply to test results that are only used for epidemiological studies or reported in the aggregate without patient identifiers.

    As for employment-related testing, the CLIA regulations are not applicable to an employer or entity that performs substance abuse testing strictly for the purpose of employment screening where test results are merely used to determine compliance with conditions of employment, as opposed to counseling or some other form of treatment. Substance abuse testing as part of a treatment program is covered by CLIA.

    Even if CLIA does not apply to the conduct of certain types of laboratory tests, HIPAA may still apply to require access to certain test reports to the extent the laboratory is a HIPAA covered entity and the information to which an individual is requesting access is protected health information under HIPAA. Individuals have a right to access test reports in designated record sets held by or for HIPAA-covered laboratories that constitute protected health information under the HIPAA Privacy Rule, that is, those reports that relate to the past, present, or future physical or mental health or condition of an individual or the provision of health care to an individual (which would include testing for the presence of alcohol or drugs) and that identify the individual, or with respect to which there is a reasonable basis to believe that information in the test report can be used to identify the individual. See the definitions of "individually identifiable health information" and "protected health information" at § 160.103. Food, environmental, or other test reports that do not identify or relate to an individual are not protected health information for purposes of the HIPAA Privacy Rule.

    Although the CLIA regulations do not cover radiologic testing or assessments, these tests and assessments have always been subject to an individual's right of access under the HIPAA Privacy Rule to the extent they are maintained by a hospital or other HIPAA covered entity.

    C. Access by Personal Representatives and Designated Third Parties

    Comment: Several commenters raised concerns regarding access to an individual's sensitive laboratory test reports, such as those concerning reproductive health, by the individual's parents, spouse, partner, or other persons, when the individual may not want these persons to see the test report.

    Response: We understand commenters' concerns and provide the following guidance to HIPAA-covered laboratories regarding how the Privacy Rule ensures that only persons with appropriate authority are provided access. With respect to adult individuals, the only persons that have a right to access an individual's test reports directly from a HIPAA covered entity are those persons who qualify as a personal representative of the individual. A personal representative for purposes of the Privacy Rule generally is a person who has authority under applicable law to make health care decisions for the individual (see § 164.502(g)). Before providing access to a person other than the individual who is requesting access, a HIPAA-covered laboratory is required under § 164.514(h) of the Privacy Rule to verify both the identity and authority of the person to have access to the individual's protected health information. In order to conduct the required verification, a covered laboratory may need to obtain documentation that the person requesting access to the individual's protected health information qualifies as the individual's personal representative, for example, by having the person present a written health care power of attorney or, general power of attorney or durable power of attorney that includes the power to make health care decisions, or other evidence of the person's authority to act as a personal representative.

    With respect to an unemancipated minor, in most cases, a parent is the personal representative of the minor, because the parent usually has the authority under state law to make health care decisions about his or her minor child. However, there are limited exceptions in the HIPAA Privacy Rule to the parent being a personal representative of his or her minor child, which generally apply in circumstances where minors are able to obtain specified health care services without parental consent under state or other laws, or standards of professional practice. Additional information on these circumstances is available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/personalreps.html.

    Regardless, however, of whether a parent is the personal representative of a minor child, the Privacy Rule defers to state or other applicable laws that expressly address the ability of the parent to obtain health information about the minor child. In doing so, the Privacy Rule permits a covered entity to provide the parent with access to a minor child's protected health information when and to the extent it is permitted or required by state or other laws (including relevant case law). Likewise, the Privacy Rule prohibits a covered entity from providing a parent with access to a minor child's protected health information, when and to the extent it is prohibited under state or other laws (including relevant case law). If state or other applicable law is silent concerning parental access to the minor's protected health information, and a parent is not the personal representative of a minor child based on one of the exceptional circumstances described above, a covered entity has discretion to provide or deny the parent access to the minor's health information, if doing so is consistent with state or other applicable law, and provided the decision is made by a licensed health care professional in the exercise of professional judgment. For example, where a minor is able under state law to consent and obtain treatment for a reproductive health care service that involves laboratory testing, and the state law is otherwise silent on parental access to a minor's protected health information, a testing laboratory that has received a parent's request for access to this test report of the minor child may wish to take into account any instructions of the treating medical professional in determining whether to grant or deny access to the parent of the minor.

    In general, we expect personal representatives will continue to obtain access to individuals' health information through the individuals' treating providers, with whom many personal representatives will already have established a relationship and be known to the provider. Therefore, we do not expect HIPAA-covered laboratories will receive many requests from persons requesting access as a personal representative of the individual.

    With respect to laboratories that are not HIPAA covered entities, the changes to the CLIA regulations in this final rule merely permit, not require, the disclosure of completed test reports to an individual's personal representative. Thus, laboratories not subject to HIPAA should exercise their judgment in providing access to personal representatives, while taking into account any other applicable federal or state laws.

    Comment: A few commenters asked how a laboratory should determine whether a person requesting access to another individual's completed test reports has the appropriate legal authority to act on behalf of the individual, and, by virtue of that authority, is a personal representative for the individual. Commenters indicated that the laboratory test order from the ordering provider does not include this information. These commenters also expressed concern about the costs to determine whether a particular person had authority to access an individual's laboratory test reports.

    Response: As indicated above, a HIPAA-covered laboratory is required to verify the identity and authority of any person requesting access to laboratory test reports as a personal representative of an individual. Depending on the circumstances, a HIPAA-covered laboratory could verify a person's authority by asking for documentation of a health care power of attorney, or general power or durable power of attorney that includes the power to make health care decisions, proof of legal guardianship, or, in the case of a parent, information that establishes the relationship of the person to the minor individual. A HIPAA-covered laboratory may also contact the treating provider to inquire whether the treating provider can provide documentation of the person's status as a personal representative of the individual.

    We address the costs that a HIPAA-covered laboratory may incur in the verification process, in section VII below. We note here as we did above, however, that we do not anticipate HIPAA-covered laboratories will receive many requests from persons requesting access as a personal representative of the individual. Thus, we do not expect HIPAA-covered laboratories will incur significant costs for verification of such persons. Several clinical laboratory commenters indicated that most patients or personal representatives do not know what laboratory conducted the laboratory tests. Based on these comments, we expect personal representatives, like individuals themselves, generally will continue to obtain access to the individual's health information through the individual's treating providers, with whom many personal representatives will already have established a relationship for the purposes of obtaining access.

    Comment: One commenter requested that the same requirements for denying access to protected health information by a personal representative in cases where access may cause substantial harm to the individual (for example, in cases of spousal abuse) should also be available when personal representatives request direct access to an individual's test reports from laboratories.

    Response: As described above, the Privacy Rule's access and personal representative provisions apply in the same manner to HIPAA-covered laboratories as to other types of covered entities. Section 164.524(a)(3)(iii) of the Privacy Rule permits a covered entity to deny a personal representative access to an individual's protected health information when a licensed health care professional has determined, in the exercise of professional judgment, that providing access to the personal representative is reasonably likely to cause substantial harm to the individual or another person. Thus, a HIPAA-covered laboratory may deny a personal representative access to an individual's protected health information under this provision when the laboratory has received and documented the requisite determination from a licensed health care professional that granting access to the personal representative is reasonably likely to cause substantial harm to the individual or another person. As was described above with respect to individuals denied access to their own records because of concerns of endangerment, the personal representative retains the right to have the denial reviewed by another licensed health care professional who is designated by the HIPAA-covered laboratory to act as a reviewing official and who did not participate in the original decision to deny. A laboratory denying access must inform the personal representative of this right and have the ability to have the denial reviewed in accordance with these requirements.

    We also note that § 164.502(g)(5) of the Privacy Rule allows a covered entity to elect not to treat a person as the personal representative of an individual if the covered entity has a reasonable belief that the individual has been or may be subjected to domestic violence, abuse, or neglect by the person, and the covered entity, in the exercise of professional judgment, decides that it is not in the best interests of the individual to treat the person as the individual's personal representative. We do not anticipate that this provision will frequently apply in the circumstances where a personal representative is requesting direct access to an individual's test report maintained by a HIPAA-covered laboratory, as most laboratories will not have the requisite relationship with the individual that will enable them to make this type of assessment. However, there may be situations where a HIPAA-covered laboratory is made aware of the dangers by a treating provider or the individual. The HIPAA-covered laboratory should consider this information in the exercise of its own professional judgment.

    Comment: One commenter stated that it was unclear from the proposed rule whether a patient's access right would include the right to have the test reports shared with others who do not have independent access rights. This commenter urged the Department to amend the CLIA regulations to clarify that the laboratory may provide access to the patient, his or her personal representative, or any other party designated by the patient or his or her personal representative.

    Response: We clarify that, in certain circumstances, an individual's access right includes the right to have test reports shared with others who do not have independent access rights. In addition to access by personal representatives, the HITECH Act strengthened an individual's right of electronic access, which included giving individuals the right to direct that a covered entity transmit an electronic copy of the individual's protected health information directly to another person or entity designated by the individual (see, section 13405(e) of the HITECH Act). The regulations that implemented these statutory provisions were published as part of the HIPAA Privacy Rule on January 25, 2013, and became effective on March 26, 2013. While Section 13405(e) of the HITECH Act is applicable to electronic copies, the Department also used its general authority under sections 262 and 264 of HIPAA to implement this right uniformly regardless of whether the access requested is for an electronic or a paper copy of the individual's protected health information. Thus, upon the compliance date of this final rule, HIPAA-covered laboratories will be required to abide by an individual's request to have the laboratory transmit the copy of the individual's protected health information to another person or entity designated by the individual. The Privacy Rule requires that such requests must be made in writing, signed by the individual, clearly identify the designated person or entity, and provide information regarding where to send the copy of the protected health information. See § 164.524(c)(3)(ii) and the preamble to the final HITECH rule (78 FR 5566) for more information.

    With respect to the changes to the CLIA regulations, the CLIA regulatory text as written in this rule will be sufficient to allow a laboratory to, upon the request of a patient (or their personal representative, if applicable), provide a copy of the patient's test report to a person or entity designated by the individual in accordance with the HIPAA Privacy Rule.

    Comment: One commenter requested that organ procurement organization laboratories that perform tests on decedent tissue and blood be exempted from the rule altogether, since the outcome of these tests would not be of meaningful value to the personal representatives of decedents, and in the case of blood tests, could cause undue concern given the frequency of false positive results.

    Response: We appreciate that Organ Procurement Organization laboratories operate under different circumstances than clinical laboratories. However, we do not believe there should be an exemption for these laboratories. Laboratories that are covered entities under HIPAA are required to provide individuals (or their personal representatives) with access to protected health information, including that of decedents (see § 164.524). We do not believe the concerns raised by the commenter justify removing a personal representative's right to access the protected health information of a decedent at an Organ Procurement Organization laboratory that is a covered entity. However, we do not expect many Organ Procurement Organization laboratories will be HIPAA covered entities unless they also provide clinical or other laboratory services that involve reimbursement by health plans. Further, we emphasize that a HIPAA-covered laboratory is only required to provide an individual (or personal representative) with access when they receive a request for access, which we do not expect to be a very frequent occurrence in the context of testing for organ procurement purposes.

    D. Requests for and Provision of Access

    1. HIPAA Access Processes

    Comment: Several commenters supported allowing flexibility in how requests for access may be submitted, processed, and responded to by laboratories. Commenters indicated a flexible approach was important since laboratories vary greatly in terms of how they interact with patients, if at all, and flexibility would allow laboratories to implement processes that would not disrupt operations. One commenter stated that some state laws may affect the processes that laboratories may put in place and urged that the Department clarify that the authority for specifying the processes for handling requests for access lies with the laboratories rather than the states. Another commenter expressed concern with the rule not spelling out the mechanisms by which patient requests for access would be submitted, processed, or responded to by laboratories. The commenter suggested that the final rule should require some type of written record, such as a signature on an office form, and verification of the identity of the person requesting the records.

    Response: We agree with the commenters that flexibility in how laboratories receive and respond to access requests is important given the varied circumstances of each laboratory. This final rule provides laboratories with flexibility as to how to set up systems to receive, process, and respond to requests for access by individuals, so long as these processes comply with the timing and other requirements for access in § 164.524 of the HIPAA Privacy Rule where HIPAA-covered laboratories are concerned. For example, some laboratories that interact directly with individuals may give individuals the option to request a copy of their completed test reports when the individuals are physically present at the laboratory for specimen collection.

    With regard to state laws, it is unclear from the comments how exactly these laws impact laboratory processes. The HIPAA Privacy Rule only preempts contrary provisions of state law. Thus, where a HIPAA-covered laboratory can continue to comply with both the HIPAA Privacy Rule and state law, it must frame its policies and procedures in a way that complies with both laws. Further, the HIPAA Privacy Rule does not preempt more stringent state laws, even if contrary to the Privacy Rule. In the context of individuals' rights to access their health information, "more stringent" means that the state law provides greater rights of access. Therefore, a HIPAA-covered laboratory must continue to abide by state laws that provide the individual with a greater right of access. For example, if a state law requires individual access to test reports within a shorter timeframe than the Privacy Rule requires, access must be provided within that shorter timeframe. Finally, as noted above and discussed more fully below, while the HIPAA Privacy Rule provides some flexibility to HIPAA-covered laboratories in how their access processes are developed, it does have specific requirements for verification of identity and authority of the individual requesting access, as well as timeliness and the form of access provided, among other requirements, that must be followed in providing access to individuals. With respect to the form of the individual's request, the Privacy Rule does permit covered entities to require that individuals make requests for access in writing (see § 164.524(b)(1)).

    Comment: Some commenters asked for clarification as to whether hospital laboratories may continue to rely on existing hospital HIPAA access processes, which may have been implemented through their health information management departments, to provide individuals with access to their test reports, rather than having to create an additional process outside the normal customary practices followed by hospitals to comply with the access requirements of the HIPAA Privacy Rule. A few commenters specifically noted that some hospitals have patient portals in place to provide individuals with access to their protected health information, including laboratory results.

    Response: Laboratories that operate as part of a larger legal entity that is a hospital or that are part of an affiliated covered entity or organized health care arrangement with a hospital (see the definition of "organized health care arrangement" in the HIPAA Rules at § 160.103, and the provisions for affiliated covered entities at § 164.105(b)), may continue to utilize the hospital's already established mechanisms for providing access to individuals requesting their test reports from the hospital laboratories, provided that the established mechanisms are compliant with the access provisions of the HIPAA Privacy Rule. This includes providing individuals with access to their test reports through a patient portal to the extent the individuals have agreed to receive access in this manner. However, laboratories that are not part of a hospital need to establish their own process for providing individuals with direct access to their protected health information in accordance with the Privacy Rule, even if the laboratories' test reports are otherwise available to an individual through an unaffiliated treating hospital or provider's patient portal or other access mechanism.

    Comment: One commenter asked whether a patient will be expected to make a request for access from the laboratory to test reports at the time the patient is in the treating provider's office, or whether patients have a right to contact the laboratory directly for access. Another commenter asked whether, with regard to the referral of specimens from one laboratory to another, a patient will need to request access to the test reports of both laboratories or just request access from one of the laboratories to obtain all of the test results.

    Response: Under this final rule, individuals have a right to make requests for access to their protected health information directly to HIPAA-covered laboratories. Laboratories may not require individuals to make requests through their providers. While laboratories cannot require individuals to submit requests for access to protected health information maintained by the laboratories through their treating providers, individuals may do so if that is one avenue the laboratory uses to receive requests for access from individuals. Laboratories, however, may require that individuals make access requests directly to the laboratory.

    With respect to laboratories that refer specimens to another laboratory, an individual has a right to access his or her protected health information maintained in a designated record set at either laboratory. However, where one laboratory refers only one part of a test to another laboratory, the individual may need to request access from the referring laboratory to obtain access to a complete set of test results. As explained above, a HIPAA-covered laboratory is required to provide an individual with access only to that protected health information maintained by the laboratory in its designated record sets.

    2. Time Frame for Providing Access

    Comment: Some commenters were concerned that the required 30-day timeframe in the HIPAA Privacy Rule for providing an individual with access to laboratory test reports may not be sufficient to ensure that a provider receives the report before the patient. The commenters believe this is particularly problematic in the case of sensitive test results. One commenter suggested that laboratories should have the option of using up to two 30-day extensions when a licensed health care professional has determined, in the exercise of professional judgment, that the ordering provider should have additional time to receive and review the test report before the patient is provided access. Another commenter stated that the rule should not require laboratories to release a test report to a patient before a treating provider, except in emergency circumstances. Other commenters suggested that there should be a defined delay or lag time, such as 48 or 72 hours, between when a laboratory provides a test report to a treating provider and when the laboratory provides the test report to the patient.

    In contrast, other commenters were against providing a defined delay between when the provider and the patient could obtain the test report. Some commenters stated that the Privacy Rule's 30-day timeframe for providing access affords ample opportunity for a provider to receive a test report and consult with the patient before the patient receives the test report he or she requested directly from the laboratory. For example, one commenter suggested that the 30-day period provides laboratories with sufficient flexibility to release routine test results within a few days, while delaying the results of more sensitive tests to allow more time for consultation between the provider and the patient.

    Response: We believe 30-days is generally sufficient time to allow a treating provider to receive a test report in advance of the patient's receipt of the report and to communicate the result to and counsel the patient as necessary with regard to the result. Specifically, requests to a laboratory for access may be made some time after the provider has ordered the test or even after the provider has received the completed test report. In cases where the end of the initial 30-day period after an individual's request for access is approaching and, due to the nature of the test, the laboratory is just completing the test report, the laboratory may delay providing access to the individual to ensure the completed test report is provided first to the individual's provider, so long as the delay is no more than 30 days and the individual is informed in writing of the reason for the delay and the date by which the laboratory will provide the individual with access. However, laboratories may have only one extension (see § 164.524(b)(2)(iii)). Since we believe the timeframes provided in the HIPAA Privacy Rule generally are sufficient to enable laboratories to provide test reports to ordering providers before patients, we decline to specify a specific lag time or to allow an additional 30-day extension beyond the one 30-day extension currently permitted.

    Comment: A few commenters expressed concern that the 30-day period (and one 30-day extension) for providing access may not be sufficient for all laboratory test reports to be completed. One commenter suggested that the 30-day period to provide the individual with a copy of the test report should begin from the time of the individual's request for access, or test completion, whichever is later.

    Response: We understand the commenters' concerns; however, we do not believe it is necessary to establish the completion of the test report as the trigger for the beginning of the 30-day period if the completion of the test report is later than the individual's request for access, or to otherwise create a timeliness requirement for laboratories that is different than the requirement for other types of covered entities. As discussed above in the section on "Scope of Information to Which an Individual Has Access," the Privacy Rule provides sufficient flexibility in most cases to enable laboratories to provide individuals with access to the completed test reports they request. In those rare cases where a test report is not completed, and therefore is not available, within the HIPAA timeframe for responding to requests and the individual is not willing to withdraw his or her request so that he or she will receive a completed test report, the Privacy Rule requires only that the laboratory provide access to the existing protected health information in its designated record set(s) about the individual, which would not include the completed test report requested. We believe that uniformity of the timeliness requirement in the Privacy Rule for all covered entities, including laboratories, is important to ensure consumer understanding and covered entity compliance.

    E. Allowable Fees for Copying

    Comment: Several commenters stated that laboratories should be permitted to charge individuals that request a copy of one or more test reports an additional fee along with the current fee permitted by the HIPAA Privacy Rule. A number of commenters were specifically concerned with the costs of retrieving archived test reports, which may only be available on paper or limited media, and transferring them to a suitable medium for distribution to the patient. A few commenters suggested that a laboratory should be able to recoup the full costs of providing reports to the individual, including costs associated with retrieval of the information, copying, verification, documentation, liability insurance, and other administrative costs.

    In contrast, a number of commenters stated that individuals should not encounter any additional fee to receive copies of test reports from laboratories, other than the costs associated with completing the tests.

    Response: We appreciate the comments on this issue. The fee provisions in the Privacy Rule are carefully balanced to reduce costs to covered entities while at the same time avoid being an impediment to individuals' ability to receive copies of their protected health information. Therefore, we decline to expand the fees that may be charged to individuals or to disallow any fees that are currently provided for under the HIPAA Privacy Rule. HIPAA-covered laboratories must comply with the same fee limitations at § 164.524(c)(4) of the Privacy Rule as other HIPAA covered entities in providing individuals with copies of their health information. This means a HIPAA-covered laboratory may charge an individual a reasonable, cost-based fee that includes only the cost of: (1) Labor for copying the protected health information requested by the individual, whether in paper or electronic form; (2) supplies for creating the paper copy or electronic media if the individual requests that the electronic copy be provided on portable media; (3) postage, when the individual has requested the copy be mailed; and (4) preparation of an explanation or summary of the protected health information, if agreed to by the individual. HIPAA-covered laboratories may not charge fees to reflect the costs they incur in searching for and retrieving the information that is the subject of the individual's request. Further, fees for costs associated with verification, documentation, liability insurance, maintaining systems, and other similar activities are not permissible fees under this provision.

    Comment: One commenter asked for a more definitive framework of what is an appropriate fee.

    Response: We are unable to provide a more definitive framework of what is an appropriate fee, given that costs will vary depending on a number of circumstances, such as the form of the copy requested (paper versus electronic), the amount of information to be included in the copy, and whether the individual has requested the copy to be placed on electronic media or mailed. Covered entities may take into account all of these factors in determining what is a reasonable, cost-based fee. However, we consider fees expressly permitted under state law for copying and postage to be reasonable (as long as they do not include amounts associated with fees not provided for under the HIPAA Privacy Rule, such as the fees for the cost of search and retrieval or other costs).

    F. Form and Format of Access

    Comment: Some commenters stated that HIPAA-covered laboratories should be able to limit the types of electronic formats in which patients could receive copies of their completed test reports, and that the format provided should not be controlled solely by patient preference. These commenters were concerned with requiring laboratories to have the capability to convert test reports to all types of universal formats (for example, Microsoft (MS) Word, MS Excel, or Portable Document Format (PDF)). One commenter stated it is not practicable to reproduce all of the data of the official report into some formats, such as MS Excel. A few commenters expressed concern that HIPAA-covered laboratories will be required to invest in new technology to allow for patient portals into laboratory systems so that patients can view their test reports online. Certain commenters were specifically concerned about the resources involved with having to convert final laboratory reports that exist only on paper to PDF or other electronic format.

    Other commenters advocated for the use of patient portals and personal health records (PHRs) to deliver test reports to patients in a readable and secure manner. One commenter stated that the rule should ensure laboratories are not allowed to provide test reports exclusively through proprietary formats that require expensive proprietary software to view, interpret, or process the results. Finally, one commenter asked who makes the determination about which format is acceptable.

    Response: The Privacy Rule does not require that a HIPAA-covered laboratory have the capability to produce a copy of a completed test report in whatever electronic format or manner the individual requests. Rather, the Privacy Rule requires a covered entity to provide the individual with a copy of the requested information in the form and format requested by the individual, if a copy in that form or format is readily producible. With respect to protected health information maintained by the covered entity only in paper form, the Privacy Rule requires the covered entity to provide the individual with a copy of the protected health information in the form and format requested by the individual, if it is readily producible. If not, the copy must be either a readable hard copy or in another form or format as agreed to by the covered entity and the individual (see § 164.524(c)(2)(i)). Thus, where an individual requests an electronic copy of test reports that a HIPAA-covered laboratory maintains only on paper, the laboratory is required to provide the individual with the type of electronic copy requested if it is readily producible electronically and in the format requested. For example, a HIPAA-covered laboratory maintaining the requested test reports on paper may be able to readily produce a scanned PDF version of the report but not the requested Word version. In this case, the laboratory may provide the individual with the PDF version if the individual agrees to accept the PDF version. If the individual declines to accept the PDF version, or if the laboratory is not able to readily produce a PDF version of the test reports, the laboratory may provide the individual with hard copies of the reports such as photocopies of the original reports.

    However, when the protected health information to which the individual seeks access is maintained electronically by the covered entity and the individual requests an electronic copy of the information, the Privacy Rule requires the covered entity to provide the individual with access to the information in the requested electronic form and format if it is readily producible in that form and format. When it is not readily producible in the electronic form and format requested, then the covered entity must provide the copy in an alternative readable electronic format as agreed to by the covered entity and the individual (see § 164.524(c)(2)(ii)). In short, this means that any HIPAA-covered laboratory that maintains protected health information about an individual in one or more designated record sets electronically must have the capability to provide the individual with some form of electronic copy of the individual's protected health information. For example, this would include providing the individual with an electronic copy of the protected health information in the format of MS Word or Excel, text, HTML, or text-based PDF. In addition, we encourage laboratories to make available to individuals, upon request, an electronic copy of their protected health information in machine-readable formats (such as in HL7), which will enable individuals to use their protected health information in electronic health information tools, such as PHRs, if they choose.

    We agree with the commenters that individuals should not have an unlimited choice in the form of electronic copy they will receive. The Privacy Rule allows a covered laboratory to make some other agreement with individuals as an alternative means to provide a readable electronic copy to the individual where the covered laboratory is not able to readily provide the form of electronic copy requested. If an individual requests a form of electronic copy that the HIPAA-covered laboratory is unable to produce, the laboratory must offer the individual other electronic formats that are available on its systems. If the individual declines to accept any of the electronic formats that are readily producible by the HIPAA-covered laboratory, the laboratory must provide a hard copy as an option to fulfill the access request. We remain neutral on the type of technology that covered entities may adopt. We note that a PDF is a widely recognized format that would satisfy the electronic access requirement if it is the individual's requested format or if the individual agrees to accept a PDF instead of the individual's requested format. Alternatively, there may be circumstances where an individual prefers a simple text or rich text file and the laboratory is able to accommodate this preference. In this case, a hard copy of the individual's protected health information would not satisfy the electronic access requirement. However, a hard copy may be provided if the individual decides not to accept any of the electronic formats offered by the covered entity.

    For example, if a HIPAA-covered laboratory receives a request from an individual to have access to test reports through a web-based portal, but the only readily producible version of the protected health information by the laboratory is in PDF, the Privacy Rule requires the laboratory to provide the individual with the PDF copy of the protected health information, if the individual agrees to receive it in that form. If the individual declines to receive the PDF copy, the laboratory may provide the individual with a hard copy of the information.

    Further, while we encourage laboratories to offer patients the ability to access their test reports through patient portals maintained by the laboratories, the HIPAA Privacy Rule does not require covered entities to have this capability. We recognize that what is available in a readable electronic form and format will vary by system and technological capabilities will improve over time. Therefore, the Privacy Rule allows covered entities the flexibility to provide individuals with electronic copies of protected health information that are currently readily producible and available on their various systems. A HIPAA-covered laboratory is not required to purchase new software or systems in order to accommodate an electronic copy request for a specific form that is not readily producible by the laboratory at the time of the request, provided the laboratory is able to provide some form of electronic copy. We note that providing the individual with an electronic copy of a test report in a proprietary format that will require the purchase or acquisition by the individual of proprietary software to view the report would not satisfy these access requirements.

    2 http://www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertificationGenInfo/downloads/SCLetter10-12.pdf.

    Comment: A few commenters suggested that any electronic copies provided to individuals should include a digital signature to provide assurance that test results had not been modified.

    Response: HIPAA-covered laboratories may include digital signatures on electronic copies of test reports given to individuals, provided the electronic copy is still in a format that has either been requested by the individual or is an alternative that has been agreed to by the individual and the laboratory.

    Comment: Some commenters were concerned about the ability of laboratories to transmit electronic copies of test reports to individuals in a secure manner, and asked for guidance on how test reports should be transmitted to patients. A few commenters were concerned with transmitting test reports to patients via unencrypted email. One commenter expressed concern about being found responsible for a breach if a HIPAA-covered laboratory sent test reports in an unsecure manner after a specific request by the individual to send them in that manner. Other commenters suggested that any method of transmitting test reports to individuals should be acceptable, whether it be by mail, email, transmission to a PHR or patient portal, or other method.

    Response: How a test report is transmitted to an individual will vary depending on the circumstances and the request of the individual. In cases where an individual is in close proximity of the laboratory, the individual may wish to come and pick up the test report