Until last year, the traditional healthcare model in this country placed the physician (or appropriate ordering provider) in control of determining what diagnostic and therapeutic monitoring (including laboratory tests) were to be performed on a patient. In addition, all results of tests and procedures were reported to the physician who assumed the responsibility of communicating the information to the patient. This model was reinforced by Medicare and Medicaid regulations and the laws of a number of states. The general public, however, was introduced to the concept of being directly involved in their own laboratory testing as early as the 1950’s with the availability of over-the-counter urine glucose and ketone tests. As the number of individuals with diabetes continued to increase, these patients were encouraged to closely monitor their glycemic status in an attempt to decrease the incidence of complications. With diabetes mellitus leading the way, an expansion of over-the-counter testing technology, and a movement for more empowerment of consumers to take responsibility for their own healthcare, a major paradigm shift in healthcare has occurred, moving from a physician focus to a consumer focus.

The Institute of Medicine, in its 2001 publication “Crossing the Quality Chasm: A New Health System for the 21st Century”, suggested a redesign of the system which would include (a) the patient as the source of control, (b) unfettered access for patients to their own medical information and to clinical knowledge, and (c) evidence-based decision making. Television, the print media and the internet, coupled with an aging, more educated and informed population of healthcare consumers, has produced consumers with access to a great deal of medical information.

A representative of the People’s Medical Society, a medical consumer advocacy organization, provided a perspective at a March 2003 meeting of the Clinical Laboratory Improvement Advisory Committee (CLIAC). He described today’s healthcare consumer as “empowered, educated, demanding, critical of the healthcare system and providers, and the driving force for changes in healthcare.”

Physicians recognized  that patients have a right to their medical information .  There is also hope that by providing the information (directly)  will allow patients to be more engaged, to be better partners, to be more compliant in their healthcare.

These generational and societal changes, focused on individual empowerment  and  personalized medical care,  created the momentum for  revisions to the traditional way that laboratory results were made available to patients.   Direct access by patients to their own test results was made official policy in 2014.

The New Rule

On February 6, 2014, the  Department of Health and Human Services (HHS), announced a final rule amending the Department’s Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations, and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, to give patients direct access to laboratory test results. Until then, CLIA and CLIA-exempt laboratories were reporting results only to an “authorized person,” defined as a person authorized under state law to either order, or receive, test results. In most states, that limited reporting of test results to the treating physician or the laboratory that initially requested the test. However, the HHS final rule now requires laboratories to also report those results directly to the patient, or his or her personal representative, upon request. It l preempts state laws to the contrary.

While patients can continue to get access to their laboratory test reports from their doctors, these changes give patients a new option to obtain their test reports directly from the laboratory while maintaining strong protections for patients’ privacy.

“The right to access personal health information is a cornerstone of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule,” said HHS Secretary Kathleen Sebelius. “Information like lab results can empower patients to track their health progress, make decisions with their health care professionals, and adhere to important treatment plans.”   Indeed, the final rule states that patients’ right to access test reports “is crucial to provide individuals with vital information to empower them to better manage their health and take action to prevent and control disease.”

This final rule was issued jointly by CMS, which is generally responsible for laboratory regulation under CLIA, and two other agencies within HHS: the Centers for Disease Control and Prevention (CDC), which provides scientific and technical advice to CMS related to CLIA, and the Office for Civil Rights (OCR), which is responsible for enforcing the HIPAA Privacy Rule.

Under the HIPAA Privacy Rule, patients, patient’s designees and patient’s personal representatives can see or be given a copy of the patient’s protected health information, including an electronic copy, with limited exceptions. The laboratory will have to have an authentication process to verify the identity of the person making the request.  The patient or the personal representative may have to put their request in writing and pay for the cost of copying, mailing, or electronic media on which the information is provided, such as a CD or flash drive. In most cases, copies must be given to the patient within 30 days of his or her request.

Key Implementation Questions and Answers To Assist Your Laboratory

  1. What do the changes to the CLIA regulations at §493.1291 mean for laboratories?

The changes to §493.1291 allow an individual or an individual’s personal representative to receive completed test reports directly from the laboratories upon request. Laboratories will need to identify the test reports as belonging to the individual by using their authentication processes.

  1. Since laboratories vary greatly in terms of how they interact with individuals that request access to their laboratory test reports, is there any flexibility in how requests for access to test reports can be submitted, processed and responded to by laboratories?

This rule provides laboratories with flexibility as to how to set up systems to receive,    process, and respond to access requests. These processes must comply with the requirements for access in 45 CFR § 164.524 of the HIPAA Privacy Rule, which addresses HIPAA-covered laboratories.

  1. Will laboratories be permitted to charge individuals who request copies of test reports a fee for providing access?

Laboratories can charge individuals a reasonable, cost-based fee that includes only the cost of labor and supplies for creating the paper or electronic copy; postage, if the results are mailed; and if requested, the preparation of an explanation or summary of the individual’s protected health information. HIPAA-covered laboratories can’t charge fees to reflect the costs they incur in searching for and retrieving the information related to the individual’s request.

  1. Do the new rules have any impact on the Medicare and Medicaid EHR Incentive Program meaningful use program?

Under meaningful use, many EHR systems include patient portals which allow patients direct access to their health information, including laboratory results. In addition, state, local, regional, and payer-based health information exchanges (HIEs) allow providers, including laboratories, to securely share patient information both between providers and, in some cases, with patients.

If a laboratory shares a patient’s lab results with a provider’s EHR through an HIE, or directly, that information can be incorporated automatically into the patient record and, usually with physician approval, made available on the (Providers Health Records)PHR or sent to a patient’s secure email address. Providers (or PHR systems automatically) may also send patients email notifications that there is new data available in the PHR/portal, reminding them to log in and review their lab results.  These technologies not only facilitate patient access to lab information, but can make it easier for lab providers to share that information securely and at little or no cost. The changes preempt any contrary State laws that prohibit the HIPAA-covered laboratory from directly providing access to the individual.

  1. Must a laboratory have an electronic health record (EHR) system, patient portal or be a part of a health information exchange (HIE) to meet this new requirement for patient access to test results?

A laboratory does not need to have an EHR system, patient portal or be a part of an HIE to meet the requirement for patient access to test results. However, we would anticipate that as EHRs, portals and HIEs become more commonplace, laboratories will develop processes to handle patient requests via these systems.

  1. There are concerns regarding the laboratory giving individuals their laboratory test reports without the individual having the benefit of health care provider interpretation. Patients will not necessarily have the contextual knowledge to read and understand the reports they receive. Laboratories feel they may be required to interpret test reports for patients.

This rule does not diminish the role of the health care provider in interpreting the laboratory test reports for his/her patient in the context of the patient’s medical condition. We expect that individuals will continue to obtain their test reports and the interpretation of those test reports from their health care provider. Laboratories are required to provide individuals with access to their completed test reports. The rule does not require laboratories to interpret test reports. Laboratories can refer an individual back to their health care provider for this information.

  1. Who can have access to an individual’s sensitive laboratory test reports? An individual may not want a parent, spouse, partner or other person to see their test reports.

An individual has generally been granted an absolute right to access his or her own completed laboratory test reports when those reports are held by a HIPAA-covered laboratory. The only persons other than the individual that have a right to access such test reports directly from a HIPAA-covered laboratory are those persons who qualify as a person designated by the individual in accordance with the HIPAA Privacy Rule at §164.524(c)(3)(ii) or a “personal representative” of the individual. For the purposes of the Privacy Rule, a “personal representative” is defined at 45 CFR § 164.502(g) and, in certain contexts, includes a person who has authority under applicable law to make health care decisions for the individual. Such authority is generally determined under state law. HIPAA-covered laboratories are required under 45 CFR § 164.514(h) of the Privacy Rule to verify both the identity and authority of the person requesting an individual’s protected health information.

These are only part of the Frequently Asked Questions that laboratories have about the new Direct Access Test Results rule.   A more complete compendium of questions and answers is available at :

http://www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertificationGenInfo/Downloads/Survey-and-Cert-Letter-14-11.pdf