Patient Access to Test Results

Compliance Date

By October 4, 2014, all HIPAA-covered laboratories must be in compliance with this law

Important Regulatory Distinction:

CLIA and CLIA-exempt laboratories that are HIPAA-covered entities: Will be required to provide patient access to their laboratory test results


CLIA laboratories that are NOT HIPAA-covered entities: Will have discretion to provide patients with direct access to their laboratory test reports, subject to any applicable state laws that may constrain access


Definition of “HIPAA-covered Entities”: Entities that conduct health care transactions electronically, for example, filing electronic claims for payment

Role of the Referring Physician

The rule provides ample time to ensure providers receive sensitive test reports before the patient and to allow providers to counsel individuals on the test reports

Scope of Information to Which an Individual Has Access

An individual has a right to access information about the individual in one or more designated record sets maintained by a HIPAA-covered laboratory, for as long as the information is maintained by the laboratory (including offsite and archived records)


Example Types of Information: Completed test reports, test orders, ordering provider information, billing information, insurance information, etc.

Limited Exception for Denial of Requests

Exception: Cases where a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person


Right to Review: The individual is provided a right to have the denial of access reviewed by an unaffiliated health care professional

Exempt Laboratory Test Types (Cases where the entity conducting the testing is not subject to CLIA for purposes of that testing or those test results)

· Public Health Surveillance or Outbreak Test Reports: (1) If the samples tested are not of the human body; (2) if the testing is not for the purpose of providing information for the diagnosis, prevention, or treatment of any disease or impairment of, or the assessment of the health of human beings; (3) test results that are only used for epidemiological studies or reported in the aggregate without patient identifiers

· Employment-related Testing: Substance abuse testing strictly for the purpose of employment screening where test results are merely used to determine compliance with conditions of employment, as opposed to counseling or some other form of treatment

· Food, environmental, or other test reports that do not identify or relate to an individual


Important Note: Even if CLIA does not apply to the conduct of certain types of laboratory tests, HIPAA may still apply to require access to certain test reports to the extent the laboratory is a HIPAA-covered entity and the information to which an individual is requesting access is protected health information under HIPAA.

Exempt Laboratory Types

Certificate of Waiver laboratories and Certificate of PPM laboratories would not be impacted because the tests are usually performed in these sites during a patient's visit

Access by Personal Representatives and Designated Third Parties

HIPAA Privacy Rule definition: A person who has authority under applicable law to make health care decisions for the individual


Deference to State Law: Regardless of whether a parent is the personal representative of a minor child, the Privacy Rule defers to state or other applicable laws that expressly address the ability of the parent to obtain health information about the minor child


Laboratory Verification Obligation: A HIPAA-covered laboratory is required to verify the identity and authority of any person requesting access to laboratory test reports as a personal representative of an individual


Patient Request for Electronic Transmission of Test Results

HIPAA-covered laboratories will be required to abide by an individual's request to have the laboratory transmit the copy of the individual's protected health information to another person or entity designated by the individual

Request for and Provision of Access


HIPAA Access Processes: This final rule provides laboratories with flexibility as to how to set up systems to receive, process, and respond to requests for access by individuals, so long as these processes comply with the timing and other requirements for access in the HIPAA Privacy Rule where HIPAA-covered laboratories are concerned


HIPAA Privacy Rule and State Laws: The HIPAA Privacy Rule only preempts contrary provisions of state law; it does not preempt more stringent state laws (providing greater rights of access), even if contrary to the Privacy Rule


Hospital-based Laboratories: May continue to utilize the hospital's already established mechanisms for providing access to individuals requesting their test reports from the hospital laboratories, provided that the established mechanisms are compliant with the access provisions of the HIPAA Privacy Rule


Time Frame for Providing Access: In most cases, copies must be given to the patient within 30 days of request; a HIPAA-covered lab may request one 30-day extension if it provides the reason for the delay in writing to the requesting individual


Limitations: (1) Laboratories may not require individuals to make requests through their providers, though they can allow it; (2) where one laboratory refers only one part of a test to another laboratory, the individual may need to request access from the referring laboratory to obtain access to a complete set of test results.

Allowable Patient Fees

HIPAA Privacy Rule: Permits covered entities to impose on the individual a reasonable, cost-based fee for providing access to their health information, including the cost of supplies for and labor of copying the requested information

Permissible Fees:

(1)    Labor for copying the protected health information requested by the individual, whether in paper or electronic form;

(2)    Supplies for creating the paper copy or electronic media if the individual requests that the electronic copy be provided on portable media;

(3)    Postage, when the individual has requested the copy be mailed;

(4)    Preparation of an explanation or summary of the protected health information, if agreed to by the individual

Non-Permissible Fees:

(1)    Costs labs incur in searching for and retrieving the information that is the subject of the individual's request.

(2)    Costs associated with verification, documentation, liability insurance, maintaining systems, and other similar activities are not permissible fees under this provision

Form and Format of Access

HIPAA Privacy Rule: Requires a covered entity to provide the individual with a copy of the requested information in the form and format requested by the individual, if a copy in that form or format is readily producible

Note: If not readily producible in the requested form/format, the copy must be either a readable hard copy or in another form or format as agreed to by the covered entity and the individual


HIPAA Security Rule: When emailing/electronically transmitting test reports to individuals, HIPAA covered entities must comply with this rule and implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network (e.g. via encryption)


CLIA Guidance on Electronic Formats: Provided as part of the March 2010 revision to the CLIA State Operations Manual Appendix C—Survey Procedures and Interpretive Guidelines for Laboratories and Laboratory Services (see, CMS Ref: S&C-10-12-CLIA)


Note: Though not required, CMS encourages laboratories to offer individuals access to their test reports and other health information through secure patient portals or PHRs

Content of Test Report, Educational Materials, and Standard Statements

Content: The final rule does not require laboratories to interpret test reports for individuals


Educational Materials: While not required, a laboratory may provide additional educational/explanatory materials regarding test results to individuals if it chooses to do so


Standard Statement: Because this Rule is not intended to supplant the treatment conversation a health care provider has with a patient about the patient's test results, CMS does not think a regulatory requirement for a standard statement is warranted

Verification of Identity and Authentication

HIPAA Privacy Rule: A covered entity is required to take reasonable steps to verify the identity of the individual making a request for access


HIPAA Security Rule: Laboratories using patient portals to provide access must assure that the portal is set up with the appropriate authentication controls to ensure that the person seeking access is the one claimed


Type and Manner of Verification: Left to the discretion and professional judgment of the covered entity; may vary depending on: (1) how the individual is to receive access; (2) the form of the request; and (3) whether the covered entity is requiring that all requests for access be made in writing or permitting oral requests for access


Note: The rule makes clear that a laboratory is only required to provide an individual with access to test reports that can be identified as belonging to the individual who has requested access, based on the laboratory's authentication processes

Informing Individuals of Their New Right of Access

Provider Responsibility: CMS encourages, but does not require, treating health care providers to inform individuals of their right to receive test reports directly from HIPAA-covered laboratories; When providers send specimens to the lab, they are encouraged to provide the patient with the lab’s name and information


HIPAA-covered Laboratory Responsibility: CMS requires HIPAA-covered entities to promptly revise their HIPAA Notice of Privacy Practices to inform patients of their rights to access their protected health information directly from the lab, including a brief description of how to exercise this right


Operational Impact


Four State-Level Categories of CLIA-Certified Laboratories Impacted by this Rule:

(1)    Laboratories in states and territories where there is no law regarding who can receive test reports (N=26)

(2)    Laboratories in states and territories where test reports can only be given to the provider (N=13)

(3)    Laboratories in states and territories that allow test reports to go directly to the patient through some means or mechanism (N=9)

(4)    Laboratories in states and territories that allow the test reports to go to the patient with provider approval (N=7)


Laboratories impacted by the Patient Access Provision (Categories 1 & 2): 22,816 across 39 states and territories will have to develop mechanisms for handling requests and providing access


Laboratories impacted by the HIPAA Notice Update Provision (Categories 1, 2, & 3): 33,087 laboratories across 46 states and territories will need to revise their notices of privacy practices to reflect the right of individuals to obtain test reports directly from laboratories


Quantifiable Impacts


Reference Table 6: The CMS Online Survey, Certification, and Reporting (OSCAR) database includes 22,816 laboratories in the 39 states and territories that will be impacted and the corresponding number of annual tests in these laboratories is approximately 7 billion


Anticipated Proportion of Test Reports Requested: An assumed range from 1 in 2,000 (0.05 percent) to 1 in 200 (0.50 percent)

Test Report Request Process Time: In the range of 10 minutes (0.17 hours) to 30 minutes (0.5 hours): (1) Receipt of the request from the individual; (2) authentication of the identification of the individual; (3) retrieval of test reports; (4) verification of how and where the individual wants the test report to be delivered and provision of the report by mail, fax, email or other electronic means; and (5) documentation of test report issuance



Total Cost to Process All Test Report Requests (in 2013): Annual cost ranges from $898,487 to $52,851,911

Per Lab Cost: Will vary based on (1) the form of the copy requested (paper vs. electronic); (2) the amount of information to be included in the copy; (3) whether the individual has requested the copy to be placed on electronic media or mailed

Total One-Time Cost to Develop and Implement a Policy and Process to Receive and Respond to Patient Requests: When applied to the estimated 22,816 laboratories impacted, the cost ranges from $2,284,338 to $10,279,521

Per Lab Cost: Ranges from $100.12 to $450.54

Non-Quantifiable Impacts

Laboratory Contact Information: The provider may need to provide laboratory contact information to the patient so he or she may request the test report


Provider Distribution of Test Report: The provider may give the patient a copy of the test report rather than referring the patient to the laboratory for the information

Collection of Information Requirements:

The Office of Management and Budget has three years to approve/adjust CMS-derived cost estimates based on collection of public information


If you comment on these information collection and recordkeeping requirements, please submit your comments to the Office of Information and Regulatory Affairs, Office of Management and Budget, Attention: CMS Desk Officer, [CMS-2319-F] Fax: (202) 395-6974; or Email:

Annual Requirements & Burden Estimates

(Pending OMB Approval)


Reference Table 8: Summary of Annual Requirements and Burden Estimates


One-time Development Cost Estimate: The range of costs for laboratories to develop the necessary processes and procedures for handling patient requests

Average annual cost over three-year OMB approval period: Ranges from $761,446 to $3,426,507

Assumptions: (1) one-time burden of 2 to 9 hours; (2) an hourly rate for a management-level employee of $50.06


Annual Number of Test Reports that May be Requested: Ranges from 351,292,082 to 702,584,165 test reports/year

Note: Laboratory test reports are commonly understood to contain multiple test results with many laboratory tests being ordered as panels of tests

o Number of Tests Per Year (of the 22,816 laboratories nationwide that are impacted by new individual access provisions): 7,025,841,649

o Assumption: Range of 10 to 20 test results in a test report


Annual Number of Patient Requests: Ranges from 175,646 to 3,512,921 patient requests per year

Assumptions: (1) 1 in 2,000 patients (0.05%) to 1 in 200 patients (0.50%) will request direct access; (2) Range of 351,292,082 to 702,584,165 test reports/year

Anticipated Benefits

· Provider Workload: Reduced workload for the health care provider's office

· Patient Knowledge: Reduced chance of a patient not being informed of a laboratory test result

· Follow-Up Treatment: (1) Reduced numbers of patients who fail to seek appropriate medical care; (2) Increased patient participation in treatment programs, such as those that involve monitoring of chronic diseases; and (3) The ability of patients to identify and treat health risks sooner and more effectively