Compliance Scorecard: Medical Labs Could See Changes as a Result of Proposed HHS Rule

In September, Department of Health and Human Services (HHS) Secretary Kathleen Sebelius announced a proposed rule that could impact IT security and privacy requirements for medical laboratories.

Under existing Clinical Laboratory Improvement Amendments (CLIA) regulations, a lab may release patient test results directly to the patient only if the ordering physician expressly authorizes it or state law expressly allows for it. Twenty-six states do not have such laws, and 13 states prohibit patients from having direct access to lab results. Thus, most U.S. healthcare patients only have access to their lab results through the ordering provider.

While HIPAA privacy rules generally provide individuals the right to inspect and obtain a copy of their protected health information, in the case of labs they defer to CLIA exceptions and exemptions. The HHS proposes to amend the CLIA and HIPAA to preempt contrary state laws governing access to lab result reports, requiring labs covered by HIPAA to securely provide test results to patients or their personal representatives.

The proposal states that “covered entities, including CLIA and CLIA-exempt laboratories...must satisfy the verification requirement of 164.514(h) before providing an individual with access. This requirement is consistent with the proposed change to the CLIA requirements, which would allow a laboratory to provide patients with access to test reports when the laboratory can authenticate that the test report pertains to the patient.”

Authentication is one gray area some labs may see in the proposed rule. There is no guidance regarding authentication or verification in the proposed rule; in fact, the wording of the proposal seems to imply that existing lab authentication processes should be sufficient to authenticate patient requests for information. Whether or not this is the case has likely come up during the comment period, which ended November 14.

The proposal states that “there are a total of 22,671 laboratories which provide approximately 6.1 billion tests annually in the 39 States and territories impacted by this rule . . . If the proposals contained in this rule are finalized, most of these 22,671 laboratories will need to develop processes and procedures to provide direct patient access to test reports.” Those responsible for HIPAA compliance at these facilities should follow the progress of this proposed rule to determine the impact on their procedures and organizations. To view the proposal’s September 14 entry in the Federal Register, visit


The Security Executive Council is a leading problem-solving research and services organization focused on helping businesses effectively manage and mitigate risk. Drawing on the knowledge of a large community of security practitioners, subject matter experts, and strategic partners, the Council provides strategy, insight and proven practices. Our research, services, and tools work to help security leaders initiate, enhance or innovate security programs; build their leadership skills; and bring quantifiable value to their organizations.