[Federal Register Volume 79, Number 25 (Thursday, February 6, 2014)]
[Rules and Regulations]
[Pages 7289-7316]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2014-02280]



[[Page 7289]]

Vol. 79

Thursday,

No. 25

February 6, 2014

Part II





Department of Health and Human Services





-----------------------------------------------------------------------





Centers for Medicare & Medicaid Services





-----------------------------------------------------------------------





42 CFR Part 493





Office of the Secretary





-----------------------------------------------------------------------

45 CFR Part 164





 CLIA Program and HIPAA Privacy Rule; Patients' Access to Test Reports; 
Final Rule

Federal Register / Vol. 79 , No. 25 / Thursday, February 6, 2014 / 
Rules and Regulations

[[Page 7290]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Medicare & Medicaid Services

42 CFR Part 493

Office of the Secretary

45 CFR Part 164

[CMS-2319-F]
RIN 0938-AQ38


CLIA Program and HIPAA Privacy Rule; Patients' Access to Test 
Reports

AGENCY: Centers for Medicare & Medicaid Services (CMS), HHS; Centers 
for Disease Control and Prevention (CDC), HHS; Office for Civil Rights 
(OCR), HHS.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This final rule amends the Clinical Laboratory Improvement 
Amendments of 1988 (CLIA) regulations to specify that, upon the request 
of a patient (or the patient's personal representative), laboratories 
subject to CLIA may provide the patient, the patient's personal 
representative, or a person designated by the patient, as applicable, 
with copies of completed test reports that, using the laboratory's 
authentication process, can be identified as belonging to that patient. 
Subject to conforming amendments, the final rule retains the existing 
provisions that require release of test reports only to authorized 
persons and, if applicable, to the persons responsible for using the 
test reports and to the laboratory that initially requested the test. 
In addition, this final rule amends the Health Insurance Portability 
and Accountability Act of 1996 (HIPAA) Privacy Rule to provide 
individuals (or their personal representatives) with the right to 
access test reports directly from laboratories subject to HIPAA (and to 
direct that copies of those test reports be transmitted to persons or 
entities designated by the individual) by removing the exceptions for 
CLIA-certified laboratories and CLIA-exempt laboratories from the 
provision that provides individuals with the right of access to their 
protected health information. These changes to the CLIA regulations and 
the HIPAA Privacy Rule provide individuals with a greater ability to 
access their health information, empowering them to take a more active 
role in managing their health and health care.

DATES: Effective Date: These regulations are effective on April 7, 
2014.
    HIPAA covered entities must comply with the applicable requirements 
of this final rule by October 6, 2014.

FOR FURTHER INFORMATION CONTACT: 
    For CLIA regulations: Nancy Anderson, CDC, (404) 498-2280. Judith 
Yost, CMS, (410) 786-3531.
    For HIPAA Privacy Rule: Andra Wicks, OCR, (202) 205-2292.

SUPPLEMENTARY INFORMATION: 

I. Background

A. CLIA Statute and Regulations

    The Clinical Laboratory Improvement Amendments of 1988 (CLIA) and 
the implementing regulations established nationwide quality standards 
to ensure the accuracy, reliability and timeliness of clinical 
laboratories' test results. The standards vary based on the complexity 
of the laboratory test method; that is, the more complicated the test 
method, the more stringent the requirements for the laboratory.
    The CLIA regulations established three categories of testing based 
on complexity level. In increasing order of complexity, these 
categories are waived, moderate complexity (which includes the 
subcategory of provider-performed microscopy (PPM)), and high 
complexity. Laboratories must hold a CLIA certificate for the most 
complex form of CLIA-regulated testing that they perform.
    The CLIA regulations cover all phases of laboratory testing, 
including the reporting of test results. The CLIA regulatory 
limitations that govern to whom a laboratory may issue a test report 
have become a point of concern. The requirements for a laboratory test 
report are set forth in 42 CFR 493.1291.
    Under the current CLIA regulations at Sec.  493.1291(f), a CLIA 
laboratory may only disclose laboratory test results to three 
categories of individuals or entities: The ``authorized person,'' the 
person responsible for using the test results in the treatment context, 
and the laboratory that initially requested the test. ``Authorized 
person'' is defined in Sec.  493.2 as the individual authorized under 
state law to order or receive test results, or both. In states that do 
not allow individuals to access their own test results, the individuals 
must receive their test results through their health care providers.
    Title XIII of Division A and Title IV of Division B of the American 
Recovery and Reinvestment Act of 2009 (The Recovery Act), which was 
enacted on February 17, 2009, incorporated the Health Information 
Technology for Economic and Clinical Health (HITECH) Act. The HITECH 
Act created a Federal advisory committee known as the Health 
Information Technology (HIT) Policy Committee. The HIT Policy Committee 
has broad representation from major health care constituencies and 
provides recommendations to the Department's Office of the National 
Coordinator for Health Information Technology (ONC) on issues relating 
to the implementation of an interoperable, nationwide health 
information infrastructure. The HIT Policy Committee has sought to 
identify barriers to the adoption and use of health information 
technology. According to the HIT Policy Committee, some stakeholders 
perceive the CLIA regulations as imposing barriers to the exchange of 
health information. These stakeholders include large and medium sized 
laboratories, public health laboratories, electronic health record 
(EHR) system vendors, health policy experts, health information 
exchange organizations (HIOs), and health care providers who believe 
that the individual's access to his or her own records is impeded, 
preventing patients from having a more active role in their personal 
health care decisions.
    We believe these concerns, as well as the advent of certain health 
reform concepts (for example, personalized medicine, an individual's 
active involvement in his or her own health care, and the Department's 
work toward the widespread adoption of EHRs), call for revisiting 
barriers or challenges to individuals' gaining access to their health 
information.
    The Centers for Medicare & Medicaid Services (CMS) worked with ONC, 
the Centers for Disease Control and Prevention (CDC), and the Office 
for Civil Rights (OCR) to propose changes to the CLIA regulations and 
to the Health Insurance Portability and Accountability Act of 1996 
(HIPAA) Privacy Rule to remove barriers to an individual's direct 
access to his or her own test reports from laboratories. See CLIA 
Program and HIPAA Privacy Rule; Patients' Access to Test Reports, 76 
Fed. Reg. 56712, September 14, 2011. The Department believes that this 
right is crucial to provide individuals with vital information to 
empower them to better manage their health and take action to prevent 
and control disease. In addition, removing barriers in this area 
supports the commitments and goals of the Secretary of the Department 
of Health and Human Services (the Department) and the Administrator of 
CMS regarding personalized medicine, an individual's active involvement 
in his or her own health care, and the widespread adoption of EHRs by 
2014.

[[Page 7291]]

B. HIPAA Statute and Privacy Rule

    The Health Insurance Portability and Accountability Act of 1996, 
Title II, subtitle F--Administrative Simplification, Public Law 104-
191, 110 Stat., 2021, provided for the establishment of national 
standards to protect the privacy and security of certain individually 
identifiable health information. The Administrative Simplification 
provisions of HIPAA and their implementing regulations apply to three 
types of entities, which are known as ``covered entities'': Health care 
providers who conduct covered health care transactions electronically, 
health plans, and health care clearinghouses.
    A laboratory, as a health care provider, is only a covered entity 
if it conducts one or more covered transactions electronically, such as 
transmitting health care claims or equivalent encounter information to 
a health plan, requesting prior authorization from a health plan for a 
health care item or service it wishes to provide to an individual with 
coverage under the plan, or sending an eligibility inquiry to a health 
plan to confirm an individual's coverage under that plan.
    If a laboratory does not conduct any of these or the other HIPAA 
standard transactions electronically (either because it does not 
conduct the transactions at all or because it does so via paper), then 
the laboratory is not subject to the HIPAA Privacy Rule (45 CFR Part 
160 and Part 164, subparts A and E). Any laboratory that conducts a 
single electronic transaction for which there is a HIPAA standard under 
the HIPAA Transactions and Code Sets Rule becomes a covered entity and 
is subject to the Privacy Rule with respect to all protected health 
information that it creates or maintains (that is, the application of 
the Privacy Rule is not limited to the individuals or records 
associated with an electronic transaction). This final rule does not 
alter the requirements for what makes a laboratory a HIPAA covered 
entity.
    The Privacy Rule at Sec.  164.524 provides individuals with a 
general right of access to inspect and obtain a copy of protected 
health information about the individual in a designated record set 
maintained by or for a covered entity. A ``designated record set'' is 
defined at 45 CFR Sec.  164.501 as a group of records maintained by or 
for a covered entity that is comprised of: The medical records and 
billing records about individuals maintained by or for a covered health 
care provider; the enrollment, payment, claims adjudication, and case 
or medical management record systems maintained by or for a health 
plan; or other records that are used, in whole or in part, by or for 
the covered entity to make decisions about individuals.
    The term ``record'' means ``any item, collection, or grouping of 
information that includes protected health information and is 
maintained, collected, used or disseminated by or for a covered 
entity.'' Laboratory test reports that are maintained by or for a 
laboratory that is a covered entity are part of a designated record 
set.
    The HIPAA Privacy Rule requires a HIPAA covered entity to provide 
the individual with a copy of the information in his or her designated 
record set in the form and format requested by the individual, if a 
copy in that form and format is readily producible. Where the 
information in the designated record set is maintained electronically, 
and the individual requests an electronic copy of the information, the 
covered entity must provide the individual with access to the 
information in the requested electronic form and format, if it is 
readily producible in that form and format. When it is not readily 
producible in the electronic form and format requested, then the 
covered entity must provide the copy in an alternative readable 
electronic format as agreed to by the covered entity and the individual 
(see Sec.  164.524(c)(2)(ii)).
    The right of access under Sec.  164.524 extends not only to 
individuals, but also to individuals' personal representatives, who 
generally are persons authorized under applicable law to make health 
care decisions for the individual. The rules governing who may act as a 
personal representative under the Privacy Rule are set forth at Sec.  
164.502(g). Additionally, under Sec.  164.524(c)(3)(ii), if requested 
by an individual who is exercising his or her right of access, a 
covered entity must transmit the copy of protected health information 
directly to another person or entity designated by the individual.
    However, while individuals (and personal representatives) generally 
have the right to inspect and obtain a copy of their protected health 
information in a designated record set, the current Privacy Rule 
includes a set of exceptions related to CLIA. Specifically, the right 
of access under Sec.  164.524 of the Privacy Rule does not apply to: 
Protected health information maintained by a covered entity that is--
(1) subject to CLIA to the extent the provision of access to the 
individual would be prohibited by law; or (2) exempt from CLIA. These 
exceptions, found at Sec.  164.524(a)(1)(iii)(A) and (B) of the Privacy 
Rule, cover test reports and other protected health information only at 
CLIA and CLIA-exempt laboratories. The individual has a right to access 
this information when held by any other type of covered entity (for 
example, a hospital or treating physician).
    These exceptions were included in the Privacy Rule because the 
Department wanted to avoid a conflict with the CLIA regulatory 
requirements that limited patient access to test reports (65 FR 82485, 
December 28, 2000). However, because CMS proposed to amend the CLIA 
regulations to allow CLIA-certified laboratories to provide patients 
with direct access to their test reports, the Department simultaneously 
proposed to remove the exceptions for CLIA and CLIA-exempt laboratories 
from the right of access at Sec.  164.524 so that HIPAA-covered 
laboratories would be required by HIPAA to provide individuals, upon 
request, with access to their completed test reports.

II. Summary of the Proposed Changes to the CLIA Regulations (Sec.  
493.1291)

    On September 14, 2011, we published a proposed rule in the Federal 
Register entitled, ``Patients' Access to Test Reports'' (76 FR 56712) 
that, if finalized, would amend Sec.  493.1291 of the CLIA regulations. 
Specifically, we proposed to add at 42 CFR 493.1291(l) to specify that, 
upon a patient's request (or upon the request of the patient's personal 
representative), the laboratory may provide a patient with access to 
his or her completed test reports that, using the laboratory's 
authentication processes, can be identified as belonging to that 
patient. While we proposed to use the word ``may,'' we highlighted the 
importance of reading the proposed amendments to the CLIA regulations 
in concert with the proposed changes to the HIPAA Privacy Rule 
(discussed below), which would require covered entity laboratories to 
provide patients with access to test reports. We did not propose to 
specify in the CLIA regulations the mechanism by which patient requests 
for access would be submitted, processed, or responded to by the 
laboratories. In providing this latitude, we intended to allow patients 
and their personal representatives access to patient test reports in 
accordance with the requirements of the HIPAA Privacy Rule. Subject to 
conforming amendments, we proposed to retain the existing requirements 
at Sec.  493.1291(f) that otherwise limit the release of test reports 
to authorized persons and, if applicable, the individuals (or their 
personal representatives) responsible for using

[[Page 7292]]

the test reports and the laboratory that initially requested the test.

III. Summary of the Proposed Changes to the HIPAA Privacy Rule (Sec.  
164.524)

    The Department also proposed to amend the HIPAA Privacy Rule at 45 
CFR 164.524(a)(1)(iii)(A) and (B) to remove the exceptions to an 
individual's right of access that relate to CLIA and CLIA-exempt 
laboratories to align the Privacy Rule with CMS' proposed changes to 
the CLIA regulations and the Department's goal of improving 
individuals' access to their health information.
    Under the proposal, HIPAA covered entities that are laboratories 
subject to CLIA, as well as those that are exempt from CLIA, would have 
the same obligations as other types of covered health care providers 
with respect to providing individuals (or their personal 
representatives) with access to their protected health information in 
accordance with Sec.  164.524.
    Consistent with the proposed change to the CLIA regulatory 
requirements, which would allow a laboratory to provide patients and 
their personal representatives with direct access to completed test 
reports when the laboratory can authenticate that the test report 
pertains to the patient, we also clarified that CLIA and CLIA-exempt 
laboratories that are HIPAA covered entities would have to satisfy the 
verification requirement of Sec.  164.514(h) of the Privacy Rule before 
providing an individual with access. We recognized that a laboratory 
could receive a test order with only an anonymous identifier and be 
unable to identify the individual who is the subject of the test 
report. We noted that it was not our intent to discourage anonymous 
testing. As we discussed in the proposed rule, a laboratory that 
received a request for access from an individual where the laboratory 
could not authenticate that the requesting individual is the subject of 
a test report would be under no obligation to provide access.
    The proposed rule also explained that the changes to the HIPAA 
Privacy Rule would result in the preemption of a number of state laws 
that prohibit a laboratory from releasing a test report directly to the 
individual or that prohibit the release without the ordering provider's 
consent because the state laws now would be contrary to the access 
provision of the HIPAA Privacy Rule mandating direct access by the 
individual.
    Finally, we explained that it was our intent that HIPAA-covered 
laboratories would be required to comply with the revised individual 
access requirements of the Privacy Rule by no later than 180 days after 
the effective date of any final rule. The effective date of the final 
rule would be 60 days after publication in the Federal Register, so 
laboratories subject to HIPAA would have a total of 240 days after 
publication of the final rule to come into compliance.

IV. Provisions of the Final Regulations

    This final rule adopts the proposed changes to both the CLIA 
regulations and the HIPAA Privacy Rule, with minor clarifications and 
conforming changes, which are explained below in the relevant responses 
to comments. These modifications broaden individuals' rights to access 
their protected health information directly from laboratories subject 
to HIPAA. In addition, the changes remove federal barriers to direct 
access for laboratories not subject to HIPAA. With respect to the CLIA 
regulations, this final rule allows laboratories subject to CLIA, upon 
the request of a patient (or the patient's personal representative) to 
provide access to completed test reports that, using the laboratory's 
authentication process, can be identified as belonging to that patient. 
The final rule also clarifies that laboratories subject to CLIA may 
provide a copy of the patient's test reports to a person or entity 
designated by the patient to receive such reports in accordance with 
the HIPAA Privacy Rule at Sec.  164.524(c)(3)(ii). Subject to certain 
conforming amendments, this final rule retains the CLIA regulatory 
provision that requires the release of test reports only to authorized 
persons, to the persons responsible for using the test reports, and to 
the laboratory that initially requested the test. These CLIA regulatory 
modifications take effect 60 days after publication of this final rule 
in the Federal Register.
    With respect to the Privacy Rule, the final rule removes the 
exceptions to an individual's right of access at Sec.  
164.524(a)(1)(iii) related to CLIA and CLIA-exempt laboratories. Thus, 
as of the compliance date of this final rule, HIPAA-covered 
laboratories will be required to provide an individual (or the 
individual's personal representative) with access, upon request, to the 
individual's completed test reports (and other information maintained 
in a designated record set) in accordance with the provisions of Sec.  
164.524 of the Privacy Rule. The compliance date of this rule is 
October 6, 2014.
    The Department's rationale for adopting the proposed provisions in 
this final rule, along with further clarifications and interpretations 
of the provisions, is explained below in the responses to the public 
comments.

V. Analysis of and Responses to Public Comments

    In response to the September 2011 proposed rule, we received over 
160 timely public comments on various issues related to the rule. 
Interested parties that submitted comments included health care 
consumers and patient advocacy organizations; laboratories, hospitals, 
and other health care providers and their associations; information 
technology organizations; governmental organizations, and others. We 
have analyzed these comments and determined that it is appropriate to 
finalize the provisions as set forth in the proposed rule. The comments 
we received on these provisions and our responses are set forth below.

A. Right of Direct Access to Laboratory Test Reports

    Comment: A number of providers and laboratories expressed concerns 
about giving individuals a way to receive laboratory test reports 
without the benefit of provider interpretation and without contextual 
knowledge that may be necessary to properly read and understand the 
reports. For example, commenters expressed concern that patients might 
receive and act upon results that appear to be abnormal (showing false 
positives or false negatives, or results that are out of the normal 
range for the general population) but may be normal for that particular 
patient due to his or her medical conditions. Commenters also requested 
that the Department clarify that the laboratories themselves would not 
be required to interpret test reports for individuals.
    Other commenters stated that the proposed rule was redundant, and 
would add significant burden without a commensurate benefit to 
individuals, as existing HIPAA and HITECH Act (Sec.  13405(e)) laws 
already provide individuals with a comprehensive right to access their 
protected health information, including test reports, through their 
physicians. Further, some commenters stated that the Medicare and 
Medicaid Electronic Health Record (EHR) Incentive Programs,\1\ which 
include criteria to ensure that certain laboratory test reports become 
standardized elements in a certified EHR, are a better mechanism than 
the proposed rule to ensure more timely access to all health 
information. The

[[Page 7293]]

commenters also stated that the information provided to individuals 
through the Medicare and Medicaid EHR Incentive Programs' requirements 
will be in a more consistent, more user-friendly, and more 
interoperable format than that obtained directly from a laboratory. 
Furthermore, commenters stated that many providers have already 
invested significant dollars and resources in secure patient portals to 
provide for individual access to health information directly from these 
providers.
---------------------------------------------------------------------------

    \1\ See https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/index.html.
---------------------------------------------------------------------------

    In contrast, other commenters, including certain laboratories, 
consumers, and consumer advocates, generally supported expanding an 
individual's right of access to include receiving test reports directly 
from laboratories. These commenters stated that providing individuals 
with the ability to access their laboratory test reports directly from 
laboratories would provide individuals with an increased ability to 
play a more active role in their health care and have more informed 
conversations with their health care providers, resulting in better 
health outcomes. Some commenters also thought that the proposals would 
remove barriers to the electronic exchange of individually identifiable 
health information.
    Further, in response to concerns regarding instances in which 
patients might misunderstand or become distressed over the results of 
laboratory tests due to the lack of treating provider interpretation or 
counseling, some commenters stated that they would not anticipate that 
many patients will request direct access to any test reports that they 
do not feel prepared to review on their own. Rather, the commenters 
indicated that the proposals would encourage doctors to more 
proactively discuss the range of possible results and the consequences 
of each before tests are ordered. One laboratory noted that, in its 
experience, many patients do not request access to their test results 
until they have spoken to a physician about them. Some commenters 
challenged what they termed to be a ``paternalistic'' notion that 
patients are unable to understand their health data without physician 
explanation. These commenters stated that if patients want additional 
information from, or consultation with, their physicians, they will 
follow up with their physicians directly.
    Response: We appreciate all of the comments that we received with 
regard to the right of individuals to access their laboratory test 
reports directly from laboratories. We agree with those commenters who 
stated that the rule is necessary to ensure patients have better and 
more complete access to their health information, which will enable 
patients to be more proactive and more informed with regard to their 
health care. However, we disagree with those commenters who argued that 
the rule would be redundant. While individuals do have a right of 
access to their health information under the HIPAA Privacy Rule, there 
may be circumstances when an ordering or treating provider is not 
subject to the HIPAA Privacy Rule (for example, because the provider 
does not bill health plans electronically) and, thus, is not required 
to provide an individual with access to his or her health information. 
Further, some studies have found that physician practices failed to 
inform patients of abnormal test results about seven percent of the 
time, resulting in a substantial number of patients not being informed 
by their providers of clinically significant tests results. See 
Casalino LP, Dunham D, Chin MH, et al. Frequency of Failure To Inform 
Patients of Clinically Significant Outpatient Test Results, Arch Intern 
Med., June 22, 2009, 169 (12): 1123-1129. The rule strengthens 
individuals' current ability to have access to completed test reports 
by ensuring they are able to access them directly from HIPAA-covered 
laboratories.
    Finally comments regarding the provision of access through the 
mechanisms established by EHR Incentive Programs failed to recognize 
the voluntary nature of the programs or the fact that the programs' 
requirements do not pertain to laboratories.
    Furthermore, the rule does not diminish the investment health care 
providers have made to provide individuals with access to their health 
information through patient portals, as those portals provide patients 
with access to a much broader range of health information than just 
test results. The rule provides an additional avenue for an individual 
to obtain test reports directly from laboratories, which we expect will 
reduce the chances of patients not being informed of laboratory test 
results and potentially reduce the numbers of patients who fail to seek 
appropriate care. We also agree with commenters that increased patient 
access to laboratory test reports, which can then be shared with the 
patient's other providers, will help reduce unnecessary and duplicative 
testing.
    With respect to those comments concerned about patients receiving 
test reports without the benefit of provider interpretation, we 
emphasize that this rule does not alter the role of the ordering or 
treating provider in reporting and explaining test results to patients. 
We expect that patients will continue to obtain test results and advice 
about what those test results mean, through their ordering or treating 
providers. Further, as noted above, for those individuals who do or 
will request access to test reports from a laboratory, it was the 
experience of one large laboratory that many patients do not request 
access to their test reports from a laboratory until they have spoken 
with their physicians. We expect this trend to continue to generally be 
the case. We also agree with commenters that the rule will further 
encourage ordering and treating providers to more proactively discuss 
with patients the range of possible test results and what the results 
may mean for the particular patient before or at the time the test is 
ordered.
    Further, under the HIPAA Privacy Rule, in most cases, laboratories 
will be required to provide individuals with access to their laboratory 
test reports within 30 days of the request (see Sec.  
164.524(b)(2)(i)). As discussed more fully below, in cases where an 
individual requests access to completed test reports, we believe 30 
days will generally be sufficient to allow the ordering or treating 
provider to receive the test report in advance of the patient's receipt 
of the report, and to communicate the result to the patient, and 
counsel the patient as necessary with regard to the result.
    Finally, we clarify that this final rule does not require that 
laboratories interpret test results for patients. Patients merely have 
the right to inspect and receive a copy of their completed test reports 
and other individually identifiable health information maintained in a 
designated record set by a HIPAA-covered laboratory. Laboratories may 
continue to refer patients with questions about the test results back 
to their ordering or treating providers.
    Comment: Some commenters indicated they would support changes to 
the regulations, which would permit, but not require, laboratories to 
provide individuals with access to their completed test reports. One 
commenter stated that the proposed rule was unclear as to whether 
laboratories will have the discretion to provide access, or whether 
they will be required to provide access, to individuals who request 
their test reports. Other commenters were concerned about the 
differential application of the rule to HIPAA-covered versus non-HIPAA-
covered laboratories, stating that this construct will create confusion 
and frustration among patients who may expect to be able to access 
their test reports from any

[[Page 7294]]

laboratory and who may not understand the distinction among 
laboratories based on HIPAA covered entity status.
    Response: Laboratories that are HIPAA covered entities are required 
by this final rule to provide, upon request by an individual or the 
individual's personal representative, access to the protected health 
information about the individual maintained in a designated record set 
in accordance with the HIPAA Privacy Rule at Sec.  164.524. CLIA 
laboratories that are not subject to HIPAA will have discretion to 
provide patients with direct access to their laboratory test reports, 
subject to any applicable state laws that may constrain access.
    We do not believe it is appropriate to only permit rather than 
require HIPAA-covered laboratories to provide individuals with access 
to their test reports. This may not significantly expand individuals' 
ability to access their health information, as some laboratories not 
currently providing individuals with direct access to their test 
reports might choose not to begin providing direct access. Further, in 
a number of states, state law prohibits laboratories from providing 
individuals with direct access to their test reports. If the HIPAA 
Privacy Rule merely permitted access, it would not preempt those state 
laws that prohibit direct access, because a permissive federal 
requirement is not contrary to a prohibitive state law (see Sec.  
160.202). As of the effective date of this final rule, the CLIA 
regulations will expressly permit the disclosure of test reports to the 
individual. The combination of the change in the HIPAA Privacy Rule, 
combined with the change to the CLIA regulations, will result in HIPAA-
covered laboratories being required to disclose test reports to 
patients, in most cases, within 30 days of a request.
    Comment: A few commenters stated that the rule should only apply to 
the primary laboratory to which the specimen was submitted, as opposed 
to reference laboratories that may perform some or all of the testing. 
These commenters stated that reference laboratories have no 
relationship with the individual and have either limited or inadequate 
information about the individual to enable the laboratory to provide 
individuals with access. A few commenters indicated that, while 
applying the rule to hospital laboratories with respect to the test 
reports of the hospital's own patients may not be a significant 
challenge, applying the rule to hospital laboratories in their role as 
reference laboratories for other providers, such as community 
physicians and other laboratories, would raise significant operational 
challenges.
    In contrast, one laboratory commenter recommended that no 
laboratories be exempt from the individual access requirements, 
stressing the importance of uniform application of the rule and a 
patient's ability to access his or her test report from whatever 
laboratory performed the test.
    Response: We appreciate the commenters' concerns regarding 
laboratory contact with individuals; however, we do not agree that 
limited information about the individual who is the subject of a test 
report is a sufficient reason to exempt reference laboratories from the 
access requirements of the HIPAA Privacy Rule. We believe applying the 
access requirements as broadly and uniformly as possible best furthers 
the Department's goal of increasing direct individual access rights to 
health information. To the extent that reference laboratories are 
covered entities under HIPAA, they will be required, upon the 
compliance date of this rule, to provide individuals with access to 
test reports in compliance with Sec.  164.524 of the Privacy Rule. 
Reference laboratories that are not subject to HIPAA will not be under 
any federal obligation to provide access, but they will be permitted to 
do so under Federal law. However, we expect that, in most cases, 
individuals will continue to request access to their health information 
either from their treating provider, or from the referring 
laboratories. This expectation is based on our understanding that many, 
if not most, individuals will not be aware of the identity of the 
reference laboratory, or may not know that a reference laboratory is 
conducting all or part of the ordered tests. Therefore, we do not 
expect reference laboratories to encounter many individual requests for 
access. Furthermore, in the limited circumstances where a patient may 
request access to test reports from a laboratory acting as a reference 
laboratory with respect to that patient, the reference laboratory need 
only provide the individual with the requested access to the extent the 
laboratory can authenticate the test report as belonging to that 
patient. The same applies for hospital laboratories that also act as 
reference laboratories. Finally, we do not believe that there will be 
significant operational issues for hospital laboratories as hospitals 
already have policies and procedures in place to comply with the 
existing HIPAA Privacy Rule access provisions and the hospital 
laboratories can use these policies and procedures for purposes of this 
rule.

B. Scope of Information to Which an Individual Has Access

    Comment: A number of commenters indicated that the rule should 
apply only to tests administered after the final rule is published or 
becomes effective. These commenters expressed concern with laboratories 
having to retrieve copies of old test reports that have been archived 
and may exist offsite. For example, commenters stated that many 
laboratories have archived test reports that exist on paper or on 
backup tapes, and that it would be costly and burdensome to retrieve 
and transfer the archived test reports to other suitable media to 
transmit to an individual.
    A few commenters asked that the rule not require laboratories to 
provide test reports that have been kept beyond the retention date(s) 
required in the CLIA regulations. One commenter indicated that the rule 
should specify a timeframe after a test report is first generated 
beyond which an individual would not have a right to access the test 
report directly from the laboratory.
    Response: While we appreciate the commenters' concerns, as with any 
other HIPAA covered entity, under this final rule, an individual has a 
right to access information about the individual in one or more 
designated record sets maintained by a HIPAA-covered laboratory, for as 
long as the information is maintained by the laboratory (see Sec.  
164.524(a)(1)). This right extends to test reports and other 
information about the individual in a designated record set maintained 
offsite, archived, or created before the publication or effective date 
of this final rule. We do not agree that information created before the 
effective date of this final rule should be exempt from the access 
requirement. The reasons for granting individuals access to health 
information pertaining to them do not vary with the date the 
information was created. In cases where retrieving records that have 
been archived may take longer than 30 days from the individual's 
request, a covered laboratory may request one 30-day extension, if it 
provides the reason for the delay in writing to the requesting 
individual. See the Privacy Rule requirements for timely action on 
access requests at Sec.  164.524(b)(2).
    We also clarify that this final rule does not impose any new record 
retention requirements for laboratory test reports. These obligations 
are established under CLIA and other applicable Federal and state laws. 
See, for example, 42 CFR Sec.  493.1105. Rather, it provides an 
individual with a right to access protected health information in the 
designated record set of a HIPAA-

[[Page 7295]]

covered laboratory for as long as the laboratory maintains the 
information (even in those cases where the information is maintained 
beyond applicable record retention requirements).
    Comment: Some commenters supported the language in the proposed 
rule at Sec.  493.1291(l) that limited patients' access to 
``completed'' test reports. Other commenters felt that additional 
guidance was needed as to what information qualified as a ``completed'' 
test report. For example, one commenter asked whether a test report is 
considered ``completed'' (and subject to the right of access) each time 
a component of a multi-step test is completed or only when all aspects 
of the ordered test are completed and recorded in a finalized report 
that is ready for issuance. The commenter also asked, in circumstances 
where a single order involves a test to be performed multiple times 
over a period of time, whether the report is considered complete each 
time the test is performed or only after the entire series of tests is 
performed. This commenter suggested that the test report should be 
considered ``complete,'' and subject to the right of access, only when 
all of the test results are final.
    Response: Under the HIPAA Privacy Rule at Sec.  164.524(a)(1), an 
individual has a general right to access the protected health 
information about the individual in a designated record set maintained 
by a covered entity or its business associate. As described above, 
laboratory test reports maintained by or for a laboratory that is a 
HIPAA covered entity fall within the definition of ``designated record 
set.'' However, test reports may be only part of a designated record 
set that a HIPAA-covered laboratory holds. To the extent an individual 
requests access to all of his or her protected health information, a 
HIPAA-covered laboratory is required to provide access to all of the 
protected health information in the entire designated record set. This 
could include, for example, completed test reports, test orders, 
ordering provider information, billing information, and insurance 
information.
    While an individual may have a right to all of this information, we 
do not expect that many individuals will request access to all of the 
protected health information about the individual that the laboratory 
may hold in a designated record set. Rather, we expect that most 
individuals will request access to test reports of discrete laboratory 
tests that they know were ordered by their providers. In these cases, 
the Privacy Rule requires a HIPAA-covered laboratory to provide the 
individual with a copy of or access to only the specific information 
requested by the individual.
    Further, a HIPAA-covered laboratory is required to provide an 
individual with access only to that information that it actually 
maintains about the individual in a designated record set at the time 
the request for access is fulfilled. For purposes of this final rule, 
we clarify that we do not consider test reports to be part of the 
designated record set until they are ``complete.'' To maintain 
consistency with CLIA, we consider a test report to be complete when 
all results associated with an ordered test are finalized and ready for 
release.
    If an individual requests access to a particular test report, we 
expect that the HIPAA Privacy Rule's time allowance of 30 days from the 
request to provide access will be sufficient in most cases to provide 
the individual with access to the completed test report as we expect 
many requests for access will be made days after the order has been 
placed by the physician or even after the patient has discussed a 
particular result with his or her physician. In those limited cases 
where 30 days may not be sufficient to complete the test report, due to 
the nature of the tests to be performed, and the laboratory knows this 
at the time the individual requests access, we expect a covered entity 
laboratory to explain this circumstance to the individual. Upon 
informing individuals when they request access that the test report 
they are seeking will take longer than 30 days to complete, the 
individuals are likely to be willing to withdraw or hold their request 
until a later time to ensure that they get access to what they want or 
need. If an individual chooses not to withdraw his or her request for 
access, the individual will then have a right only to obtain the 
protected health information in the designated record set at the time 
the request is fulfilled, which may not include a particular test 
report because it is not yet complete. If a laboratory determines, 
after it has accepted a request, that the requested test will take more 
than 30 days to analyze and complete, it may notify the individual in 
writing within the initial 30-day period of the need and specific 
reason for the delay in providing access to the completed test result 
and the date by which the laboratory will complete its action on the 
request, in accordance with Sec.  164.524(b)(2)(iii) of the HIPAA 
Privacy Rule. We note, however, that the HIPAA Privacy Rule allows only 
one extension on an access request. In the rare circumstance where 60 
days is not sufficient to provide the individual with access to a 
completed test report, the covered laboratory must provide the 
individual with only the existing protected health information that is 
part of the designated record set within that time (for example, other 
completed test reports or test requisitions), which would then not 
include the test report requested by the individual, because the test 
report is not yet complete.
    In general, we expect the initial 30-day period allowed by the 
Privacy Rule to provide sufficient time to provide individuals with 
access to completed test reports. However, we acknowledge there may be 
rare circumstances when it would not be, and we expect covered 
laboratories to communicate and work with individuals concerning these 
limitations.
    Comment: Some providers and laboratories objected to individuals 
having direct access to laboratory test reports they characterize as 
``sensitive,'' including genetic, cancer, pregnancy, sexually-
transmitted disease, and mental health test results. Commenters stated 
there are tests for which it is acceptable to release results to the 
patient without physician involvement (for example, cholesterol test 
results) and there are tests for which it is not (for example, cancer 
or HIV test results). One commenter stated, for example, that under 
California law, before the disclosure of HIV test results, the 
physician has a duty to discuss what the results may mean and offer the 
patient appropriate education and psychological counseling. Some 
commenters recommended giving ordering and treating providers ample 
discretion to determine when it is in the patient's best interest to 
receive test reports without the benefit of a physician's 
interpretation. Others recommended that laboratories be permitted to 
identify tests or categories of tests that may only be released to the 
physician and to limit an individual's direct access to the reports.
    In contrast, some commenters stated that all test reports should be 
treated equally, providing several reasons, including: Patients today 
are much better informed and have access to interpretative information 
on laboratory results from many sources, including the internet; given 
the timeframes allowed for providing access under the HIPAA Privacy 
Rule, it is likely that the ordering or treating provider will receive 
results well before the patient and will have adequate time to discuss 
the result and what it means in terms of the patient's health care with 
the patient; and trying to identify which tests are sensitive is 
subjective and not

[[Page 7296]]

necessarily in the best interest of the patient.
    Response: Under the HIPAA Privacy Rule, an individual generally has 
a broad right of access to any or all of his or her health information 
maintained in a designated record set. In this final rule, we extend 
that broad right to the laboratory setting. With a very limited 
exception, covered entities may not deny an individual access to his or 
her health information based on the information's sensitive nature or 
potential for causing distress to the individual. The limited exception 
is for cases where a licensed health care professional has determined, 
in the exercise of professional judgment, that the access requested is 
reasonably likely to endanger the life or physical safety of the 
individual or another person, and the individual is provided a right to 
have the denial of access reviewed by an unaffiliated health care 
professional (see Sec.  164.524(a)(3)(i)).
    As we discuss elsewhere in this final rule, we do not believe that 
this rule will eliminate or interfere with the role or obligation of 
the treating or ordering provider to report and counsel patients on 
laboratory test results. The rule provides ample time to ensure 
providers receive sensitive test reports before the patient and to 
allow providers to counsel individuals on the test reports. In 
addition, as indicated above, we believe the rule will further 
encourage providers, at the time the test is ordered, to counsel 
patients on the potential outcomes of a test and what they may mean for 
the patient, given his or her medical history.
    Finally, we agree with commenters who stated that categorizing 
laboratory testing into ``sensitive'' and ``non-sensitive'' categories 
would be a subjective endeavor that would not necessarily result in 
policies that are in the patient's best interest. This endeavor also 
would result in a lack of uniformity across states and laboratories 
with respect to the types of information to which an individual has 
access under the rule. This outcome would be too complex and burdensome 
for laboratories to administer and confusing for individuals attempting 
to exercise their rights.
    Comment: A few commenters, while in general support of the proposed 
rule, raised specific concerns about providing laboratory test reports 
directly to certain mental health patients (for example, those who may 
be suffering from medical conditions such as paranoia). These 
commenters were concerned that direct access to laboratory test reports 
without any involvement of the treatment team could have a very 
negative impact on the mental health of these patients. Some commenters 
asked that the current provision in the HIPAA Privacy Rule allowing the 
denial of access to protected health information when the access is 
reasonably likely to endanger the life or physical safety of the 
individual or another person also apply to access made available under 
this final rule. They suggested that this would allow providers to 
determine when prior provider review and approval would be required 
before the release of given laboratory test reports to mentally ill 
patients.
    Response: We believe the existing exceptions to access in the 
Privacy Rule appropriately balance an individual's right to access his 
or her health information with other considerations, such as the 
potential for harm. Therefore, we decline to provide a specific 
exception to the right of access for mental health patients. A 
laboratory is subject to the same requirements under the HIPAA Privacy 
Rule as other covered entities to generally provide all individuals 
with access to their health information. As previously discussed, we 
believe the 30 day time-frame (plus one 30 day extension) provides 
laboratories with sufficient time to ensure treating or ordering 
physicians receive test reports before the patient's receipt of the 
test report, which will allow them to counsel the patient with respect 
to the test result.
    As noted above, the HIPAA Privacy Rule at Sec.  164.524(a)(3)(i) 
provides that a covered entity may deny access to an individual if a 
``licensed health care professional'' has determined, in the exercise 
of professional judgment, that the access requested by the individual 
is reasonably likely to endanger the life or physical safety of the 
individual or another person. However, this is a limited exception to 
an individual's right of access and applies only with respect to 
endangerment of the life or physical safety of the individual or 
another person; thus, concerns about psychological or emotional harm 
are not sufficient to justify denial of access. Furthermore, a HIPAA-
covered laboratory that wishes to deny access to the individual based 
on a determination by a licensed health care professional must provide 
the individual with an opportunity to have the denial reviewed by a 
licensed health care professional who is designated by the laboratory 
to act as a reviewing official and who did not participate in the 
original decision to deny. The HIPAA-covered laboratory must promptly 
refer a request for review to the reviewing official, who must 
determine, within a reasonable amount of time, whether or not to deny 
the access requested. See Sec.  164.524(d). The laboratory would then 
be required to provide or deny access in accordance with the 
determination of the reviewing official (see Sec.  164.524(a)(4)).
    Comment: Two commenters requested clarification on whether the 
expanded right of individual access would apply to food or 
environmental test reports maintained by a laboratory, that are the 
result, for example, of testing done after an outbreak of disease, and 
that may be linked to particular patients. A public health laboratory 
requested clarification on how this rule applies to public health 
surveillance or outbreak test reports. One commenter requested 
clarification as to whether individuals would have a right to 
employment-related test results, such as testing for drug and alcohol 
use. Finally, another commenter asked that patient access to laboratory 
results be expanded to include the results of radiologic assessments.
    Response: This final rule is intended to remove barriers in the 
HIPAA Privacy and CLIA regulations to individual access to test reports 
maintained by laboratories subject to or exempt from CLIA. If the 
samples tested are not of the human body, the entity conducting the 
testing is not subject to CLIA for purposes of that testing or those 
test results. Furthermore, if the testing is not for the purpose of 
providing information for the diagnosis, prevention, or treatment of 
any disease or impairment of, or the assessment of the health of human 
beings, that testing and those test results are also not subject to 
CLIA. Some outbreak and surveillance activities may involve testing 
samples from humans and thus be subject to CLIA if individual patient-
specific test results are reported to ordering providers. However, CLIA 
does not apply to test results that are only used for epidemiological 
studies or reported in the aggregate without patient identifiers.
    As for employment-related testing, the CLIA regulations are not 
applicable to an employer or entity that performs substance abuse 
testing strictly for the purpose of employment screening where test 
results are merely used to determine compliance with conditions of 
employment, as opposed to counseling or some other form of treatment. 
Substance abuse testing as part of a treatment program is covered by 
CLIA.
    Even if CLIA does not apply to the conduct of certain types of 
laboratory tests, HIPAA may still apply to require access to certain 
test reports to the extent the laboratory is a HIPAA covered entity and 
the information to

[[Page 7297]]

which an individual is requesting access is protected health 
information under HIPAA. Individuals have a right to access test 
reports in designated record sets held by or for HIPAA-covered 
laboratories that constitute protected health information under the 
HIPAA Privacy Rule--that is, those reports that relate to the past, 
present, or future physical or mental health or condition of an 
individual or the provision of health care to an individual (which 
would include testing for the presence of alcohol or drugs) and that 
identify the individual, or with respect to which there is a reasonable 
basis to believe that information in the test report can be used to 
identify the individual. See the definitions of ``individually 
identifiable health information'' and ``protected health information'' 
at Sec.  160.103. Food, environmental, or other test reports that do 
not identify or relate to an individual are not protected health 
information for purposes of the HIPAA Privacy Rule.
    Although the CLIA regulations do not cover radiologic testing or 
assessments, these tests and assessments have always been subject to an 
individual's right of access under the HIPAA Privacy Rule to the extent 
they are maintained by a hospital or other HIPAA covered entity.

C. Access by Personal Representatives and Designated Third Parties

    Comment: Several commenters raised concerns regarding access to an 
individual's sensitive laboratory test reports, such as those 
concerning reproductive health, by the individual's parents, spouse, 
partner, or other persons, when the individual may not want these 
persons to see the test report.
    Response: We understand commenters' concerns and provide the 
following guidance to HIPAA-covered laboratories regarding how the 
Privacy Rule ensures that only persons with appropriate authority are 
provided access. With respect to adult individuals, the only persons 
that have a right to access an individual's test reports directly from 
a HIPAA covered entity are those persons who qualify as a personal 
representative of the individual. A personal representative for 
purposes of the Privacy Rule generally is a person who has authority 
under applicable law to make health care decisions for the individual 
(see Sec.  164.502(g)). Before providing access to a person other than 
the individual who is requesting access, a HIPAA-covered laboratory is 
required under Sec.  164.514(h) of the Privacy Rule to verify both the 
identity and authority of the person to have access to the individual's 
protected health information. In order to conduct the required 
verification, a covered laboratory may need to obtain documentation 
that the person requesting access to the individual's protected health 
information qualifies as the individual's personal representative, for 
example, by having the person present a written health care power of 
attorney or, general power of attorney or durable power of attorney 
that includes the power to make health care decisions, or other 
evidence of the person's authority to act as a personal representative.
    With respect to an unemancipated minor, in most cases, a parent is 
the personal representative of the minor, because the parent usually 
has the authority under state law to make health care decisions about 
his or her minor child. However, there are limited exceptions in the 
HIPAA Privacy Rule to the parent being a personal representative of his 
or her minor child, which generally apply in circumstances where minors 
are able to obtain specified health care services without parental 
consent under state or other laws, or standards of professional 
practice. Additional information on these circumstances is available at 
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/personalreps.html.
    Regardless, however, of whether a parent is the personal 
representative of a minor child, the Privacy Rule defers to state or 
other applicable laws that expressly address the ability of the parent 
to obtain health information about the minor child. In doing so, the 
Privacy Rule permits a covered entity to provide the parent with access 
to a minor child's protected health information when and to the extent 
it is permitted or required by state or other laws (including relevant 
case law). Likewise, the Privacy Rule prohibits a covered entity from 
providing a parent with access to a minor child's protected health 
information, when and to the extent it is prohibited under state or 
other laws (including relevant case law). If state or other applicable 
law is silent concerning parental access to the minor's protected 
health information, and a parent is not the personal representative of 
a minor child based on one of the exceptional circumstances described 
above, a covered entity has discretion to provide or deny the parent 
access to the minor's health information, if doing so is consistent 
with state or other applicable law, and provided the decision is made 
by a licensed health care professional in the exercise of professional 
judgment. For example, where a minor is able under state law to consent 
and obtain treatment for a reproductive health care service that 
involves laboratory testing, and the state law is otherwise silent on 
parental access to a minor's protected health information, a testing 
laboratory that has received a parent's request for access to this test 
report of the minor child may wish to take into account any 
instructions of the treating medical professional in determining 
whether to grant or deny access to the parent of the minor.
    In general, we expect personal representatives will continue to 
obtain access to individuals' health information through the 
individual's treating providers, with whom many personal 
representatives will already have established a relationship and be 
known to the provider. Therefore, we do not expect HIPAA-covered 
laboratories will receive many requests from persons requesting access 
as a personal representative of the individual.
    With respect to laboratories that are not HIPAA covered entities, 
the changes to the CLIA regulations in this final rule merely permit, 
not require, the disclosure of completed test reports to an 
individual's personal representative. Thus, laboratories not subject to 
HIPAA should exercise their judgment in providing access to personal 
representatives, while taking into account any other applicable federal 
or state laws.
    Comment: A few commenters asked how a laboratory should determine 
whether a person requesting access to another individual's completed 
test reports has the appropriate legal authority to act on behalf of 
the individual, and, by virtue of that authority, is a personal 
representative for the individual. Commenters indicated that the 
laboratory test order from the ordering provider does not include this 
information. These commenters also expressed concern about the costs to 
determine whether a particular person had authority to access an 
individual's laboratory test reports.
    Response: As indicated above, a HIPAA-covered laboratory is 
required to verify the identity and authority of any person requesting 
access to laboratory test reports as a personal representative of an 
individual. Depending on the circumstances, a HIPAA-covered laboratory 
could verify a person's authority by asking for documentation of a 
health care power of attorney, or general power or durable power of 
attorney that includes the power to make health care decisions, proof 
of legal guardianship, or, in the case of a parent, information that 
establishes the relationship of the person to the minor

[[Page 7298]]

individual. A HIPAA-covered laboratory may also contact the treating 
provider to inquire whether the treating provider can provide 
documentation of the person's status as a personal representative of 
the individual.
    We address the costs that a HIPAA-covered laboratory may incur in 
the verification process, in section VII below. We note here as we did 
above, however, that we do not anticipate HIPAA-covered laboratories 
will receive many requests from persons requesting access as a personal 
representative of the individual. Thus, we do not expect HIPAA-covered 
laboratories will incur significant costs for verification of such 
persons. Several clinical laboratory commenters indicated that most 
patients or personal representatives do not know what laboratory 
conducted the laboratory tests. Based on these comments, we expect 
personal representatives, like individuals themselves, generally will 
continue to obtain access to the individuals' health information 
through the individuals' treating providers, with whom many personal 
representatives will already have established a relationship for the 
purposes of obtaining access.
    Comment: One commenter requested that the same requirements for 
denying access to protected health information by a personal 
representative in cases where access may cause substantial harm to the 
individual (for example, in cases of spousal abuse) should also be 
available when personal representatives request direct access to an 
individual's test reports from laboratories.
    Response: As described above, the Privacy Rule's access and 
personal representative provisions apply in the same manner to HIPAA-
covered laboratories as to other types of covered entities. Section 
164.524(a)(3)(iii) of the Privacy Rule permits a covered entity to deny 
a personal representative access to an individual's protected health 
information when a licensed health care professional has determined, in 
the exercise of professional judgment, that providing access to the 
personal representative is reasonably likely to cause substantial harm 
to the individual or another person. Thus, a HIPAA-covered laboratory 
may deny a personal representative access to an individual's protected 
health information under this provision when the laboratory has 
received and documented the requisite determination from a licensed 
health care professional that granting access to the personal 
representative is reasonably likely to cause substantial harm to the 
individual or another person. As was described above with respect to 
individuals denied access to their own records because of concerns of 
endangerment, the personal representative retains the right to have the 
denial reviewed by another licensed health care professional who is 
designated by the HIPAA-covered laboratory to act as a reviewing 
official and who did not participate in the original decision to deny. 
A laboratory denying access must inform the personal representative of 
this right and have the ability to have the denial reviewed in 
accordance with these requirements.
    We also note that Sec.  164.502(g)(5) of the Privacy Rule allows a 
covered entity to elect not to treat a person as the personal 
representative of an individual if the covered entity has a reasonable 
belief that the individual has been or may be subjected to domestic 
violence, abuse, or neglect by the person, and the covered entity, in 
the exercise of professional judgment, decides that it is not in the 
best interests of the individual to treat the person as the 
individual's personal representative. We do not anticipate that this 
provision will frequently apply in the circumstances where a personal 
representative is requesting direct access to an individual's test 
report maintained by a HIPAA-covered laboratory, as most laboratories 
will not have the requisite relationship with the individual that will 
enable them to make this type of assessment. However, there may be 
situations where a HIPAA-covered laboratory is made aware of the 
dangers by a treating provider or the individual. The HIPAA-covered 
laboratory should consider this information in the exercise of its own 
professional judgment.
    Comment: One commenter stated that it was unclear from the proposed 
rule whether a patient's access right would include the right to have 
the test reports shared with others who do not have independent access 
rights. This commenter urged the Department to amend the CLIA 
regulations to clarify that the laboratory may provide access to the 
patient, his or her personal representative, or any other party 
designated by the patient or his or her personal representative.
    Response: We clarify that, in certain circumstances, an 
individual's access right includes the right to have test reports 
shared with others who do not have independent access rights. In 
addition to access by personal representatives, the HITECH Act 
strengthened an individual's right of electronic access, which included 
giving individuals the right to direct that a covered entity transmit 
an electronic copy of the individual's protected health information 
directly to another person or entity designated by the individual (see, 
section 13405(e) of the HITECH Act). The regulations that implemented 
these statutory provisions were published as part of the HIPAA Privacy 
Rule on January 25, 2013, and became effective on March 26, 2013. While 
Section 13405(e) of the HITECH Act is applicable to electronic copies, 
the Department also used its general authority under sections 262 and 
264 of HIPAA to implement this right uniformly regardless of whether 
the access requested is for an electronic or a paper copy of the 
individual's protected health information. Thus, upon the compliance 
date of this final rule, HIPAA-covered laboratories will be required to 
abide by an individual's request to have the laboratory transmit the 
copy of the individual's protected health information to another person 
or entity designated by the individual. The Privacy Rule requires that 
such requests must be made in writing, signed by the individual, 
clearly identify the designated person or entity, and provide 
information regarding where to send the copy of the protected health 
information. See Sec.  164.524(c)(3)(ii) and the preamble to the final 
HITECH rule (78 FR 5566) for more information.
    With respect to the changes to the CLIA regulations, the CLIA 
regulatory text as written in this rule will be sufficient to allow a 
laboratory to, upon the request of a patient (or their personal 
representative, if applicable), provide a copy of the patient's test 
report to a person or entity designated by the individual in accordance 
with the HIPAA Privacy Rule.
    Comment: One commenter requested that organ procurement 
organization laboratories that perform tests on decedent tissue and 
blood be exempted from the rule altogether, since the outcome of these 
tests would not be of meaningful value to the personal representatives 
of decedents, and in the case of blood tests, could cause undue concern 
given the frequency of false positive results.
    Response: We appreciate that Organ Procurement Organization 
laboratories operate under different circumstances than clinical 
laboratories. However, we do not believe there should be an exemption 
for these laboratories. Laboratories that are covered entities under 
HIPAA are required to provide individuals (or their personal 
representatives) with access to protected health information, including 
that of decedents (see Sec.  164.524). We do not believe the concerns 
raised by the commenter justify removing a personal representative's 
right to access the protected health information of a

[[Page 7299]]

decedent at an Organ Procurement Organization laboratory that is a 
covered entity. However, we do not expect many Organ Procurement 
Organization laboratories will be HIPAA covered entities unless they 
also provide clinical or other laboratory services that involve 
reimbursement by health plans. Further, we emphasize that a HIPAA-
covered laboratory is only required to provide an individual (or 
personal representative) with access when they receive a request for 
access, which we do not expect to be a very frequent occurrence in the 
context of testing for organ procurement purposes.

D. Requests for and Provision of Access

1. HIPAA Access Processes
    Comment: Several commenters supported allowing flexibility in how 
requests for access may be submitted, processed, and responded to by 
laboratories. Commenters indicated a flexible approach was important 
since laboratories vary greatly in terms of how they interact with 
patients, if at all, and flexibility would allow laboratories to 
implement processes that would not disrupt operations. One commenter 
stated that some state laws may affect the processes that laboratories 
may put in place and urged that the Department clarify that the 
authority for specifying the processes for handling requests for access 
lies with the laboratories rather than the states. Another commenter 
expressed concern with the rule not spelling out the mechanisms by 
which patient requests for access would be submitted, processed, or 
responded to by laboratories. The commenter suggested that the final 
rule should require some type of written record, such as a signature on 
an office form, and verification of the identity of the person 
requesting the records.
    Response: We agree with the commenters that flexibility in how 
laboratories receive and respond to access requests is important given 
the varied circumstances of each laboratory. This final rule provides 
laboratories with flexibility as to how to set up systems to receive, 
process, and respond to requests for access by individuals, so long as 
these processes comply with the timing and other requirements for 
access in Sec.  164.524 of the HIPAA Privacy Rule where HIPAA-covered 
laboratories are concerned. For example, some laboratories that 
interact directly with individuals may give individuals the option to 
request a copy of their completed test reports when the individuals are 
physically present at the laboratory for specimen collection.
    With regard to state laws, it is unclear from the comments how 
exactly these laws impact laboratory processes. The HIPAA Privacy Rule 
only preempts contrary provisions of state law. Thus, where a HIPAA-
covered laboratory can continue to comply with both the HIPAA Privacy 
Rule and state law, it must frame its policies and procedures in a way 
that complies with both laws. Further, the HIPAA Privacy Rule does not 
preempt more stringent state laws, even if contrary to the Privacy 
Rule. In the context of individuals' rights to access their health 
information, ``more stringent'' means that the state law provides 
greater rights of access. Therefore, a HIPAA-covered laboratory must 
continue to abide by state laws that provide the individual with a 
greater right of access. For example, if a state law requires 
individual access to test reports within a shorter timeframe than the 
Privacy Rule requires, access must be provided within that shorter 
timeframe. Finally, as noted above and discussed more fully below, 
while the HIPAA Privacy Rule provides some flexibility to HIPAA-covered 
laboratories in how their access processes are developed, it does have 
specific requirements for verification of identity and authority of the 
individual requesting access, as well as timeliness and the form of 
access provided, among other requirements, that must be followed in 
providing access to individuals. With respect to the form of the 
individual's request, the Privacy Rule does permit covered entities to 
require that individuals make requests for access in writing (see Sec.  
164.524(b)(1)).
    Comment: Some commenters asked for clarification as to whether 
hospital laboratories may continue to rely on existing hospital HIPAA 
access processes, which may have been implemented through their health 
information management departments, to provide individuals with access 
to their test reports, rather than having to create an additional 
process outside the normal customary practices followed by hospitals to 
comply with the access requirements of the HIPAA Privacy Rule. A few 
commenters specifically noted that some hospitals have patient portals 
in place to provide individuals with access to their protected health 
information, including laboratory results.
    Response: Laboratories that operate as part of a larger legal 
entity that is a hospital or that are part of an affiliated covered 
entity or organized health care arrangement with a hospital (see the 
definition of ``organized health care arrangement'' in the HIPAA Rules 
at Sec.  160.103, and the provisions for affiliated covered entities at 
Sec.  164.105(b)), may continue to utilize the hospital's already 
established mechanisms for providing access to individuals requesting 
their test reports from the hospital laboratories, provided that the 
established mechanisms are compliant with the access provisions of the 
HIPAA Privacy Rule. This includes providing individuals with access to 
their test reports through a patient portal to the extent the 
individuals have agreed to receive access in this manner. However, 
laboratories that are not part of a hospital need to establish their 
own process for providing individuals with direct access to their 
protected health information in accordance with the Privacy Rule, even 
if the laboratories' test reports are otherwise available to an 
individual through an unaffiliated treating hospital or provider's 
patient portal or other access mechanism.
    Comment: One commenter asked whether a patient will be expected to 
make a request for access from the laboratory to test reports at the 
time the patient is in the treating provider's office, or whether 
patients have a right to contact the laboratory directly for access. 
Another commenter asked whether, with regard to the referral of 
specimens from one laboratory to another, a patient will need to 
request access to the test reports of both laboratories or just request 
access from one of the laboratories to obtain all of the test results.
    Response: Under this final rule, individuals have a right to make 
requests for access to their protected health information directly to 
HIPAA-covered laboratories. Laboratories may not require individuals to 
make requests through their providers. While laboratories cannot 
require individuals to submit requests for access to protected health 
information maintained by the laboratories through their treating 
providers, individuals may do so if that is one avenue the laboratory 
uses to receive requests for access from individuals. Laboratories, 
however, may require that individuals make access requests directly to 
the laboratory.
    With respect to laboratories that refer specimens to another 
laboratory, an individual has a right to access his or her protected 
health information maintained in a designated record set at either 
laboratory. However, where one laboratory refers only one part of a 
test to another laboratory, the individual may need to request access 
from the referring laboratory to obtain access to a complete set of 
test results. As explained above, a HIPAA-covered laboratory is 
required to provide an

[[Page 7300]]

individual with access only to that protected health information 
maintained by the laboratory in its designated record sets.
2. Time Frame for Providing Access
    Comment: Some commenters were concerned that the required 30-day 
timeframe in the HIPAA Privacy Rule for providing an individual with 
access to laboratory test reports may not be sufficient to ensure that 
a provider receives the report before the patient. The commenters 
believe this is particularly problematic in the case of ``sensitive'' 
test results. One commenter suggested that laboratories should have the 
option of using up to two 30-day extensions when a licensed health care 
professional has determined, in the exercise of professional judgment, 
that the ordering provider should have additional time to receive and 
review the test report before the patient is provided access. Another 
commenter stated that the rule should not require laboratories to 
release a test report to a patient before a treating provider, except 
in emergency circumstances. Other commenters suggested that there 
should be a defined delay or lag time, such as 48 or 72 hours, between 
when a laboratory provides a test report to a treating provider and 
when the laboratory provides the test report to the patient.
    In contrast, other commenters were against providing a defined 
delay between when the provider and the patient could obtain the test 
report. Some commenters stated that the Privacy Rule's 30-day timeframe 
for providing access affords ample opportunity for a provider to 
receive a test report and consult with the patient before the patient 
receives the test report he or she requested directly from the 
laboratory. For example, one commenter suggested that the 30-day period 
provides laboratories with sufficient flexibility to release routine 
test results within a few days, while delaying the results of more 
sensitive tests to allow more time for consultation between the 
provider and the patient.
    Response: We believe 30-days is generally sufficient time to allow 
a treating provider to receive a test report in advance of the 
patient's receipt of the report and to communicate the result to and 
counsel the patient as necessary with regard to the result. 
Specifically, requests to a laboratory for access may be made some time 
after the provider has ordered the test or even after the provider has 
received the completed test report. In cases where the end of the 
initial 30-day period after an individual's request for access is 
approaching and, due to the nature of the test, the laboratory is just 
completing the test report, the laboratory may delay providing access 
to the individual to ensure the completed test report is provided first 
to the individual's provider, so long as the delay is no more than 30 
days and the individual is informed in writing of the reason for the 
delay and the date by which the laboratory will provide the individual 
with access. However, laboratories may have only one extension (see 
Sec.  164.524(b)(2)(iii)). Since we believe the timeframes provided in 
the HIPAA Privacy Rule generally are sufficient to enable laboratories 
to provide test reports to ordering providers before patients, we 
decline to specify a specific lag time or to allow an additional 30-day 
extension beyond the one 30-day extension currently permitted.
    Comment: A few commenters expressed concern that the 30-day period 
(and one 30-day extension) for providing access may not be sufficient 
for all laboratory test reports to be completed. One commenter 
suggested that the 30-day period to provide the individual with a copy 
of the test report should begin from the time of the individual's 
request for access, or test completion, whichever is later.
    Response: We understand the commenters' concerns; however, we do 
not believe it is necessary to establish the completion of the test 
report as the trigger for the beginning of the 30-day period if the 
completion of the test report is later than the individual's request 
for access, or to otherwise create a timeliness requirement for 
laboratories that is different than the requirement for other types of 
covered entities. As discussed above in the section on ``Scope of 
Information to Which an Individual Has Access,'' the Privacy Rule 
provides sufficient flexibility in most cases to enable laboratories to 
provide individuals with access to the completed test reports they 
request. In those rare cases where a test report is not completed, and 
therefore is not available, within the HIPAA timeframe for responding 
to requests and the individual is not willing to withdraw his or her 
request so that he or she will receive a completed test report, the 
Privacy Rule requires only that the laboratory provide access to the 
existing protected health information in its designated record set(s) 
about the individual, which would not include the completed test report 
requested. We believe that uniformity of the timeliness requirement in 
the Privacy Rule for all covered entities, including laboratories, is 
important to ensure consumer understanding and covered entity 
compliance.

E. Allowable Fees for Copying

    Comment: Several commenters stated that laboratories should be 
permitted to charge individuals that request a copy of one or more test 
reports an additional fee along with the current fee permitted by the 
HIPAA Privacy Rule. A number of commenters were specifically concerned 
with the costs of retrieving archived test reports, which may only be 
available on paper or limited media, and transferring them to a 
suitable medium for distribution to the patient. A few commenters 
suggested that a laboratory should be able to recoup the full costs of 
providing reports to the individual, including costs associated with 
retrieval of the information, copying, verification, documentation, 
liability insurance, and other administrative costs.
    In contrast, a number of commenters stated that individuals should 
not encounter any additional fee to receive copies of test reports from 
laboratories, other than the costs associated with completing the 
tests.
    Response: We appreciate the comments on this issue. The fee 
provisions in the Privacy Rule are carefully balanced to reduce costs 
to covered entities while at the same time avoid being an impediment to 
individuals' ability to receive copies of their protected health 
information. Therefore, we decline to expand the fees that may be 
charged to individuals or to disallow any fees that are currently 
provided for under the HIPAA Privacy Rule. HIPAA-covered laboratories 
must comply with the same fee limitations at Sec.  164.524(c)(4) of the 
Privacy Rule as other HIPAA covered entities in providing individuals 
with copies of their health information. This means a HIPAA-covered 
laboratory may charge an individual a reasonable, cost-based fee that 
includes only the cost of: (1) Labor for copying the protected health 
information requested by the individual, whether in paper or electronic 
form; (2) supplies for creating the paper copy or electronic media if 
the individual requests that the electronic copy be provided on 
portable media; (3) postage, when the individual has requested the copy 
be mailed; and (4) preparation of an explanation or summary of the 
protected health information, if agreed to by the individual. HIPAA-
covered laboratories may not charge fees to reflect the costs they 
incur in searching for and retrieving the information that is the 
subject of the individual's request. Further, fees for costs associated 
with verification, documentation, liability

[[Page 7301]]

insurance, maintaining systems, and other similar activities are not 
permissible fees under this provision.
    Comment: One commenter asked for a more definitive framework of 
what is an appropriate fee.
    Response: We are unable to provide a more definitive framework of 
what is an appropriate fee, given that costs will vary depending on a 
number of circumstances, such as the form of the copy requested (paper 
versus electronic), the amount of information to be included in the 
copy, and whether the individual has requested the copy to be placed on 
electronic media or mailed. Covered entities may take into account all 
of these factors in determining what is a reasonable, cost-based fee. 
However, we consider fees expressly permitted under state law for 
copying and postage to be reasonable (as long as they do not include 
amounts associated with fees not provided for under the HIPAA Privacy 
Rule, such as the fees for the cost of search and retrieval or other 
costs).

F. Form and Format of Access

    Comment: Some commenters stated that HIPAA-covered laboratories 
should be able to limit the types of electronic formats in which 
patients could receive copies of their completed test reports, and that 
the format provided should not be controlled solely by patient 
preference. These commenters were concerned with requiring laboratories 
to have the capability to convert test reports to all types of 
universal formats (for example, Microsoft (MS) Word, MS Excel, or 
Portable Document Format (PDF)). One commenter stated it is not 
practicable to reproduce all of the data of the official report into 
some formats, such as MS Excel. A few commenters expressed concern that 
HIPAA-covered laboratories will be required to invest in new technology 
to allow for patient portals into laboratory systems so that patients 
can view their test reports online. Certain commenters were 
specifically concerned about the resources involved with having to 
convert final laboratory reports that exist only on paper to PDF or 
other electronic format.
    Other commenters advocated for the use of patient portals and 
personal health records (PHRs) to deliver test reports to patients in a 
readable and secure manner. One commenter stated that the rule should 
ensure laboratories are not allowed to provide test reports exclusively 
through proprietary formats that require expensive proprietary software 
to view, interpret, or process the results. Finally, one commenter 
asked who makes the determination about which format is acceptable.
    Response: The Privacy Rule does not require that a HIPAA-covered 
laboratory have the capability to produce a copy of a completed test 
report in whatever electronic format or manner the individual requests. 
Rather, the Privacy Rule requires a covered entity to provide the 
individual with a copy of the requested information in the form and 
format requested by the individual, if a copy in that form or format is 
readily producible. With respect to protected health information 
maintained by the covered entity only in paper form, the Privacy Rule 
requires the covered entity to provide the individual with a copy of 
the protected health information in the form and format requested by 
the individual, if it is readily producible. If not, the copy must be 
either a readable hard copy or in another form or format as agreed to 
by the covered entity and the individual (see Sec.  164.524(c)(2)(i)). 
Thus, where an individual requests an electronic copy of test reports 
that a HIPAA-covered laboratory maintains only on paper, the laboratory 
is required to provide the individual with the type of electronic copy 
requested if it is readily producible electronically and in the format 
requested. For example, a HIPAA-covered laboratory maintaining the 
requested test reports on paper may be able to readily produce a 
scanned PDF version of the report but not the requested Word version. 
In this case, the laboratory may provide the individual with the PDF 
version if the individual agrees to accept the PDF version. If the 
individual declines to accept the PDF version, or if the laboratory is 
not able to readily produce a PDF version of the test reports, the 
laboratory may provide the individual with hard copies of the reports 
such as photocopies of the original reports.
    However, when the protected health information to which the 
individual seeks access is maintained electronically by the covered 
entity and the individual requests an electronic copy of the 
information, the Privacy Rule requires the covered entity to provide 
the individual with access to the information in the requested 
electronic form and format if it is readily producible in that form and 
format. When it is not readily producible in the electronic form and 
format requested, then the covered entity must provide the copy in an 
alternative readable electronic format as agreed to by the covered 
entity and the individual (see Sec.  164.524(c)(2)(ii)). In short, this 
means that any HIPAA-covered laboratory that maintains protected health 
information about an individual in one or more designated record sets 
electronically must have the capability to provide the individual with 
some form of electronic copy of the individual's protected health 
information. For example, this would include providing the individual 
with an electronic copy of the protected health information in the 
format of MS Word or Excel, text, HTML, or text-based PDF. In addition, 
we encourage laboratories to make available to individuals, upon 
request, an electronic copy of their protected health information in 
machine-readable formats (such as in HL7), which will enable 
individuals to use their protected health information in electronic 
health information tools, such as PHRs, if they choose.
    We agree with the commenters that individuals should not have an 
unlimited choice in the form of electronic copy they will receive. The 
Privacy Rule allows a covered laboratory to make some other agreement 
with individuals as an alternative means to provide a readable 
electronic copy to the individual where the covered laboratory is not 
able to readily provide the form of electronic copy requested. If an 
individual requests a form of electronic copy that the HIPAA-covered 
laboratory is unable to produce, the laboratory must offer the 
individual other electronic formats that are available on its systems. 
If the individual declines to accept any of the electronic formats that 
are readily producible by the HIPAA-covered laboratory, the laboratory 
must provide a hard copy as an option to fulfill the access request. We 
remain neutral on the type of technology that covered entities may 
adopt. We note that a PDF is a widely recognized format that would 
satisfy the electronic access requirement if it is the individual's 
requested format or if the individual agrees to accept a PDF instead of 
the individual's requested format. Alternatively, there may be 
circumstances where an individual prefers a simple text or rich text 
file and the laboratory is able to accommodate this preference. In this 
case, a hard copy of the individual's protected health information 
would not satisfy the electronic access requirement. However, a hard 
copy may be provided if the individual decides not to accept any of the 
electronic formats offered by the covered entity.
    For example, if a HIPAA-covered laboratory receives a request from 
an individual to have access to test reports through a web-based 
portal, but the only readily producible version of the

[[Page 7302]]

protected health information by the laboratory is in PDF, the Privacy 
Rule requires the laboratory to provide the individual with the PDF 
copy of the protected health information, if the individual agrees to 
receive it in that form. If the individual declines to receive the PDF 
copy, the laboratory may provide the individual with a hard copy of the 
information.
    Further, while we encourage laboratories to offer patients the 
ability to access their test reports through patient portals maintained 
by the laboratories, the HIPAA Privacy Rule does not require covered 
entities to have this capability. We recognize that what is available 
in a readable electronic form and format will vary by system and 
technological capabilities will improve over time. Therefore, the 
Privacy Rule allows covered entities the flexibility to provide 
individuals with electronic copies of protected health information that 
are currently readily producible and available on their various 
systems. A HIPAA-covered laboratory is not required to purchase new 
software or systems in order to accommodate an electronic copy request 
for a specific form that is not readily producible by the laboratory at 
the time of the request, provided the laboratory is able to provide 
some form of electronic copy. We note that providing the individual 
with an electronic copy of a test report in a proprietary format that 
will require the purchase or acquisition by the individual of 
proprietary software to view the report would not satisfy these access 
requirements.
    Comment: A few commenters suggested that any electronic copies 
provided to individuals should include a digital signature to provide 
assurance that test results had not been modified.
    Response: HIPAA-covered laboratories may include digital signatures 
on electronic copies of test reports given to individuals, provided the 
electronic copy is still in a format that has either been requested by 
the individual or is an alternative that has been agreed to by the 
individual and the laboratory.
    Comment: Some commenters were concerned about the ability of 
laboratories to transmit electronic copies of test reports to 
individuals in a secure manner, and asked for guidance on how test 
reports should be transmitted to patients. A few commenters were 
concerned with transmitting test reports to patients via unencrypted 
email. One commenter expressed concern about being found responsible 
for a breach if a HIPAA-covered laboratory sent test reports in an 
unsecure manner after a specific request by the individual to send them 
in that manner. Other commenters suggested that any method of 
transmitting test reports to individuals should be acceptable, whether 
it be by mail, email, transmission to a PHR or patient portal, or other 
method.
    Response: How a test report is transmitted to an individual will 
vary depending on the circumstances and the request of the individual. 
In cases where an individual is in close proximity of the laboratory, 
the individual may wish to come and pick up the test report from the 
laboratory directly; however, the individual is not required to do so. 
Individuals also have a right under the Privacy Rule to have either the 
paper or electronic (for example, on compact disk) copies of their 
protected health information mailed to them, and HIPAA-covered 
laboratories may charge an individual for postage in cases where the 
individual has asked that the copy be mailed. In sending the copy to an 
individual, covered laboratories are required to reasonably safeguard 
the information (see Sec.  164.530(c)). This may include ensuring the 
packaging is securely sealed and that none of the information from the 
test reports is visible from the outside of the package.
    Individuals also may request that a laboratory email an electronic 
copy of a test report. In emailing copies of test reports to 
individuals, HIPAA-covered laboratories are required to comply with the 
HIPAA Security Rule, which, among other requirements, requires 
implementation of technical security measures to guard against 
unauthorized access to electronic protected health information that is 
being transmitted over an electronic communications network (see Sec.  
164.312(e)). As a security measure, the Security Rule requires 
encryption when transmitting electronic protected health information 
where it is reasonable and appropriate to encrypt the information. In 
general, encryption is a reasonable and appropriate measure to 
safeguard email transmissions. However, we have found that there may be 
instances when an individual may not want to receive his or her 
protected health information in an encrypted format or may be unable to 
access the information when encrypted. In these cases, a HIPAA-covered 
laboratory is permitted to send the individual copies of the test 
reports via unencrypted email, if it advises the individual of the 
risks associated with unencrypted email, and, after doing so, the 
individual still wishes to receive his or her protected health 
information via unencrypted email. A HIPAA-covered laboratory is not 
responsible for any unauthorized access that may occur while protected 
health information is in transit using the means requested by the 
individual. Further, a HIPAA-covered laboratory is not responsible for 
safeguarding protected health information once it is delivered to the 
individual.
    Finally, as mentioned above, we encourage laboratories to offer 
individuals access to their test reports and other health information 
through secure patient portals or PHRs. However, use of this method is 
not required.
    Comment: One commenter asked if CMS has the regulatory authority to 
establish minimum requirements for the provision of electronic test 
results to patients in a structured format or at least to suggest 
guidance to laboratories if the test results are to be provided in an 
electronic format.
    Response: CMS does not have current plans to establish regulations 
that would impose minimum requirements for the provision of electronic 
results in a structured format, but could examine these options going 
forward. Furthermore, CLIA guidance on electronic formats was provided 
as part of the March 2010 revision to the CLIA State Operations Manual 
Appendix C--Survey Procedures and Interpretive Guidelines for 
Laboratories and Laboratory Services (see, CMS Ref: S&C-10-12-CLIA).\2\
---------------------------------------------------------------------------

    \2\ http://www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertificationGenInfo/downloads/SCLetter10-12.pdf.
---------------------------------------------------------------------------

G. Content of Test Report, Educational Materials, and Standard 
Statements

    Comment: A few commenters requested further guidance on what the 
test report that is provided to an individual should look like. 
Commenters noted that the laboratory coding schema on the official test 
report sent to the provider may need further interpretation and context 
before it would be useful to the patient. These commenters expressed 
concern with the resources and information system development that 
would be needed to provide a more understandable test report to the 
individual. Other commenters stated that the report furnished to the 
individual should be the ``official'' report furnished to the ordering 
provider rather than one that is reworded and redesigned in an effort 
to meet the needs of the individual. Otherwise, they noted, there could 
be inadvertent inconsistencies or inaccuracies when one compared the 
``official'' report to the patient-centric report.

[[Page 7303]]

    In addition, some commenters suggested that laboratories should 
provide brief explanations or patient-specific educational materials on 
the tests reported, including reference ranges, so that the individual 
can interpret the information (for example, similar to a pharmacy's 
provision of the package insert for prescription drugs).
    Response: As discussed above, the final rule does not require 
laboratories to interpret test reports for individuals. An individual 
has a right to receive a copy of the information about the individual 
maintained by or on behalf of a HIPAA-covered laboratory in a 
designated record set, which may include the official test report that 
is also provided to the individual's provider. However, while not 
required, a laboratory may also provide additional educational or 
explanatory materials regarding the test results to individuals if it 
chooses to do so.
    Comment: A number of commenters suggested that the information 
provided to individuals should include a standard statement explaining 
the limitations of the laboratory data alone in confirming or ruling 
out a diagnosis, explaining that the laboratory results are subject to 
a physician's interpretation and encouraging the individual to discuss 
the results with his or her physician, and providing the contact 
information of the physician who ordered the tests.
    Response: As we explain above, this final rule does not supplant 
the treatment conversation a health care provider has with a patient 
about the patient's test results. We expect that individuals will 
continue to obtain test results through their treating or ordering 
providers, and even when individuals request access to test reports 
directly from laboratories, we believe that, in most cases, these 
individuals will have had conversations with their treating providers 
about their test results before receiving access. Therefore, we do not 
believe a regulatory requirement for a standard statement is warranted. 
However, laboratories that wish to include one with test reports are 
free to do so.

H. Verification of Identity and Authentication

    Comment: Some commenters stated that many laboratories would have 
challenges with verifying an individual's identity because they often 
have no direct interaction with the individual and any contact 
information they receive from a health care provider can be incomplete 
or incorrect. One commenter indicated that these limitations would 
necessitate that an individual make a request for a test report in 
person. These commenters requested guidance or sample authentication 
practices for verifying an individual's identity upon receiving a 
request, whether in person, by phone, fax, or other means. One 
commenter suggested that the Department should provide guidance on the 
appropriate assurance levels for identity proofing and authentication, 
as defined by the National Institute of Standards and Technology (NIST) 
(Publication 800-63).
    Response: Under Sec.  164.514(h) of the Privacy Rule, a covered 
entity is required to take reasonable steps to verify the identity of 
the individual making a request for access. The rule does not mandate 
any particular form of verification (such as obtaining a copy of a 
driver's license), but rather leaves the type and manner of the 
verification to the discretion and professional judgment of the covered 
entity. Further, covered entities may rely on industry standards in 
developing reasonable verification processes. The type of verification 
may also vary depending on how the individual is to receive access, the 
form of the request, and whether the covered entity is requiring that 
all requests for access be made in writing, as permitted by Sec.  
164.524(b)(1), or permitting oral requests for access. For example, in 
those cases where an individual requests to pick up a copy of a test 
report directly from a laboratory, the laboratory may require that some 
form of photo identification be provided before the individual receives 
a copy. When a HIPAA-covered laboratory requires that a request for a 
copy of the test report be made on its own supplied form (whether by 
fax, email, or otherwise), the laboratory could request basic 
information on the form (date of birth, provider's name, date specimen 
was collected, etc.) to verify that the person requesting access is the 
individual who is the subject of the test report. Similarly, if a 
laboratory allows an individual to verbally request access over the 
phone, the laboratory can, at that time, request the information needed 
to verify the person is the subject individual. For those laboratories 
using patient portals to provide access, those portals should already 
be set up with appropriate authentication controls, as required by 
Sec.  164.312(d) of the HIPAA Security Rule, to ensure that the person 
seeking access is the one claimed. However, we do not prescribe 
specific levels of authentication.
    We understand that, in many cases, a laboratory may not have 
extensive contact or other information about an individual. However, 
the rule makes clear that a laboratory is only required to provide an 
individual with access to test reports that can be identified as 
belonging to the individual who has requested access, based on the 
laboratory's authentication processes. Thus, when a laboratory is able 
to authenticate a test report as belonging to a particular patient, 
that laboratory will have at least some basic information about the 
patient, such as name, date of birth, date specimen was collected, 
etc., that can also be used to verify the identity of a person 
requesting access to that test report. When a laboratory believes a 
provider may have supplied incorrect information for a patient, which 
prevents the laboratory from properly verifying the individual, the 
laboratory may contact the provider to see if correct information is 
available.
    While the Privacy Rule requires verification of the identity of the 
person requesting access, a HIPAA-covered laboratory may not impose 
unreasonable verification measures on an individual as a means to avoid 
having to provide the individual with access. For example, a HIPAA-
covered laboratory may not require an individual who wants a copy of 
his or her test reports mailed to his or her home address to physically 
come to the laboratory to request access and provide proof of identity 
in person.

I. Informing Individuals of Their New Right of Access

    Comment: A few commenters stated that providers should be required 
to inform or notify individuals of their right to receive test reports 
directly from laboratories, and to provide the information necessary 
for individuals to request test reports from the appropriate clinical 
laboratories. One commenter suggested this information could be 
included in the provider's notice of privacy practices. Another 
commenter asked if this final rule would require HIPAA-covered 
laboratories to revise their notices of privacy practices to include a 
statement regarding an individual's right to receive test results 
directly from the laboratory.
    Response: We encourage, but do not require, treating health care 
providers to inform individuals of their right to receive test reports 
directly from HIPAA-covered laboratories. We believe requiring 
providers to do so would create an unwarranted burden on providers. 
However, whenever providers send a specimen(s) to the laboratory, as 
opposed to the individual going to the laboratory himself or herself to 
provide the testing sample, we encourage providers to supply the 
individual with the name of the

[[Page 7304]]

laboratory to which the specimen is being or has been sent and the 
other information necessary for the individual to request access from 
the laboratory.
    With respect to HIPAA notices of privacy practices, a covered 
entity is required to promptly revise its notice whenever there is a 
material change to any of its privacy practices, including those 
pertaining to individuals' rights to access their protected health 
information (see Sec.  164.520(b)(3) of the Privacy Rule). This final 
rule provides individuals with a right to access their protected health 
information directly from HIPAA-covered laboratories. A change in an 
individual's access rights constitutes a material change to the privacy 
practices of HIPAA-covered laboratories. Thus, by the compliance date 
of this final rule, HIPAA-covered laboratories must revise their 
notices to inform individuals of this right and to include a brief 
description of how to exercise this right, and must remove any 
statements to the contrary (see Sec.  164.520(b)(1)(iv)(C)). Further, 
HIPAA-covered laboratories must make the revised notice available as 
required by Sec.  164.520(c). We do not require that other covered 
health care providers, such as ordering providers, revise their notices 
of privacy practices to inform individuals of their right to access 
protected health information directly from laboratories.
    The Department recognizes that HIPAA-covered laboratories are 
already required by the modifications to the HIPAA Rules that were 
published on January 25, 2013 (78 FR 5566) to revise their notices by 
September 23, 2013. To avoid HIPAA-covered laboratories having to 
modify their notices twice within the same year to comply with both the 
January 25, 2013, final rule and this rule, the Department announced on 
September 19, 2013, that it was exercising its enforcement discretion 
to allow CLIA laboratories (including CLIA-exempt laboratories) that 
are HIPAA covered entities to take until the compliance date of this 
final rule, October 6, 2014, to revise their notices to reflect both 
sets of modifications. See http://www.hhs.gov/ocr/privacy/hipaa/enforcement/clia-labs.html. Thus, CLIA and CLIA-exempt laboratories 
that are HIPAA covered entities need only update their notices once to 
comply with both rules.

J. Preemption

    Comment: A number of commenters supported the rule's general 
preemption of contrary state laws, stating that it would bring further 
harmonization of federal and state laws and ensure, regardless of where 
an individual lives, that he or she has access to laboratory test 
reports. Other commenters requested clarification with respect to 
preemption, asking whether state laws that require more timely access 
to test reports than the Privacy Rule or that would limit the types of 
identification a laboratory could ask an individual to present to 
verify identity would continue to stand. One commenter stated that the 
final rule should preempt state laws that restrict laboratory-initiated 
contact with patients for purposes of communicating laboratory results. 
This commenter stated that there can be compelling medical reasons for 
laboratories to initiate contact. Another commenter stated that the 
rule should not preempt state laws that require the provider to discuss 
the results and provide psychological counseling along with disclosure 
of HIV test results.
    Response: We agree with commenters that preemption of certain 
contrary state law is necessary to ensure that individuals' access 
rights under the Privacy Rule are strengthened. A number of states have 
laws that prohibit a laboratory from releasing a test report directly 
to the individual or that prohibit the release without the ordering 
provider's consent. Upon the effective date of this final rule, the 
Privacy Rule preempts these laws and HIPAA-covered laboratories should 
begin to come into compliance.
    With respect to those commenters requesting clarification on HIPAA 
preemption, we note that HIPAA preempts only state laws that are 
contrary to the Privacy Rule. ``Contrary'' generally means a covered 
entity would find it impossible to comply with both the state and HIPAA 
requirements. In certain cases, a contrary state law is not preempted, 
such as where a state law is more stringent than the Privacy Rule. 
``More stringent'' means, with respect to individuals' access rights, 
that the state law provides greater rights of access to individuals 
(see, 45 CFR Part 160, Subpart B). A state law that requires a 
laboratory to provide an individual with more timely access to test 
reports is not contrary to the Privacy Rule and thus, is not preempted. 
Similarly, a state law that limits the types of identification a 
laboratory can ask an individual to produce is not contrary to the 
Privacy Rule, provided the laboratory is still able to verify the 
identity of the person requesting access as required by Sec.  
164.514(h). HIPAA-covered laboratories should be able to comply with 
both sets of requirements in providing individuals with access to their 
test reports. Further, we clarify that this final rule applies only to 
laboratories. State laws that place requirements on other types of 
health care providers, such as those requiring a provider to discuss 
with and counsel a patient on HIV test results are not preempted by 
this final rule. Finally, the trigger for the access obligations under 
the Privacy Rule is a request from an individual or the individual's 
personal representative. This final rule does not impose any 
requirement or establish any permission in regard to a laboratory 
initiating contact with an individual for purposes of communicating 
test results.

K. Compliance Date

    Comment: A number of commenters advocated for a longer time period 
for HIPAA-covered laboratories to come into compliance than the 
proposed 180-day compliance period. Commenters suggested a variety of 
different compliance dates, including one year and beyond. Some 
commenters raised specific concerns with respect to laboratories that 
do not currently provide individuals with access to test reports, since 
the laboratories would need to develop all new policies, protocols, and 
mechanisms for receiving and responding to requests for access to test 
reports.
    Other commenters asked that the Department wait to finalize the 
rule until after the HITECH Act changes to the Privacy Rule become 
final so that HIPAA-covered laboratories would need to develop only one 
set of policies, protocols, and procedures one time, to comply with the 
Privacy Rule's access provisions. A few commenters requested that the 
Department implement reasonable, sequenced compliance deadlines for all 
related regulations under the HITECH Act and HIPAA, such as changes to 
the Privacy Rule, EHR Incentive Programs' requirements, and the 
implementation of HIPAA Version 5010 and ICD-10. Commenters stated that 
sequenced deadlines would better take into account the significant 
amount of financial, operational, and technological resources needed to 
fully comply with all of these new requirements.
    Response: While we appreciate the commenters' concerns regarding 
the compliance date, we decline to extend the 180-day compliance period 
for this final rule. We believe 180 days will provide HIPAA-covered 
laboratories with sufficient time to become prepared to provide 
individuals who request them with copies of test reports and will also 
ensure that individuals are afforded and able to benefit from this new 
right in a timely manner after the rule's issuance. Thus, HIPAA-covered 
laboratories are required to comply with

[[Page 7305]]

the individual access provisions of the Privacy Rule by no later than 
180 days after the effective date of the final rule. The effective date 
of the final rule is 60 days after publication in the Federal Register; 
therefore, laboratories have a total of 240 days after publication of 
this final rule to come into compliance. Moreover, in a number of 
cases, laboratories that operate in states that allow an individual to 
receive test reports directly from the laboratories will already have 
policies for providing individuals with access to test reports, which 
can then be modified as needed to be consistent with Privacy Rule 
requirements. The HITECH Act enhancements to an individual's right of 
access under the Privacy Rule were finalized and incorporated into the 
Privacy Rule on March 26, 2013. Thus, in implementing this rule and the 
HITECH Act changes, HIPAA-covered laboratories need only develop one 
set of policies. Finally, while we understand that overlapping 
compliance deadlines for different rules may be burdensome to entities 
that are subject to all of the rules, we do not believe it is feasible 
to completely sequence regulatory deadlines and still realize in a 
timely manner the benefits and protections the new requirements are 
intended to provide.

L. Other Comments

    Comment: Commenters asked whether a laboratory could be subject to 
penalties for charging more than the reasonable cost-based fee allowed 
by the Privacy Rule, for failing to comply with an individual's request 
for completed test reports within the appropriate time period, or for 
failing to comply with an individual's request altogether.
    Response: HIPAA-covered laboratories that fail to comply with the 
Privacy Rule's access provisions are subject to an enforcement action 
for noncompliance by the Department, which may include the imposition 
of civil money penalties. More information about HIPAA enforcement is 
available on the OCR Web site at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/index.html.
    Comment: A few commenters suggested that the rule increases burden 
on individuals, by making them first call their provider's office to 
learn the name of the laboratory producing the test report and then 
making them call the laboratory for a copy of the test report, instead 
of just having them contact the provider's office for the test results.
    Response: We do not agree that this final rule increases the burden 
on individuals. As previously discussed in detail above, the rule does 
not supplant the role of the treating provider in discussing test 
results with a patient or an individual's right under the HIPAA Privacy 
Rule to access protected health information about the individual 
maintained by the provider, including laboratory test results. The rule 
merely provides an additional avenue for individuals to obtain copies 
of their test reports by allowing individuals to obtain their test 
reports directly from the laboratories.
    Comment: One commenter stated that certain third-party payers and 
insurers do not allow laboratories to bill a patient any amount in 
addition to what is paid to the laboratory for testing services by that 
third-party payer or insurer. The commenter contended that this 
prohibition would prevent a laboratory from charging an individual a 
cost-based fee for providing a copy of the test report.
    Response: First, we note that charging an individual a fee for 
access is optional and not required under the Privacy Rule. Second, the 
billing restriction described by the commenter is likely tied to the 
costs associated with the provision of health care services, and not to 
a laboratory's ability to charge an individual for reasonable costs 
associated with providing the individual access to his or her protected 
health information. It has not been our experience that covered health 
care providers subject to similar billing restrictions have been unable 
to charge individuals reasonable cost-based fees for access to their 
records.
    Comment: One commenter asked, when a patient fails to compensate 
the laboratory for services provided, whether a laboratory may withhold 
future test results from the patient until payment is made.
    Response: A covered entity may not withhold or suspend an 
individual's right under the HIPAA Privacy Rule to access his or her 
protected health information because the individual has not paid the 
covered entity for the health care services provided.
    Comment: One commenter stated that laboratories should not be 
required to provide test reports in a patient's preferred language.
    Response: A covered entity's obligations under civil rights or 
other laws to ensure equal access to health care for individuals, 
including requirements for when certain documents must be translated, 
are not diminished or disturbed by this rule.
    Comment: A few commenters suggested that laboratories should be 
required to notify the ordering provider when a patient has received, 
or will receive, copies of test reports directly from the laboratory.
    Response: We do not believe this requirement is warranted. As 
discussed above, this rule does not change the ability of an ordering 
provider to receive test reports and discuss them with the patient. 
However, a laboratory that wishes to provide notification to a provider 
that an individual will receive a copy of a test report directly may do 
so.
    Comment: One commenter stated that, by deferring to state law, the 
CLIA regulations impede disclosures of test reports to other HIPAA 
covered entities and business associates for purposes that are 
otherwise permitted by HIPAA. This commenter stated that the list of 
persons authorized to receive the reports should be expanded to include 
HIPAA covered entities and business associates. This commenter believes 
that the expansion of the list will eliminate barriers to legitimate 
disclosures to these entities, such as for treatment or quality 
improvement purposes.
    Response: The CLIA regulations at Sec.  493.1291(f) state that test 
results must be released only to authorized persons and, if applicable, 
to the persons responsible for using the test results, and to the 
laboratory that initially requested the test. ``Responsible for using'' 
would cover those HIPAA covered entities that are in a treatment 
relationship with the individual. CLIA also defines ``authorized 
person'' as an individual authorized under state law to order tests or 
receive test results, or both. State law can expand the list of 
entities that can be considered ``authorized'' persons under CLIA.

VI. Collection of Information Requirements

    Under the Paperwork Reduction Act of 1995 (PRA), we are required to 
provide 30-day notice in the Federal Register and to solicit public 
comment before a collection of information requirement is submitted to 
the Office of Management and Budget (OMB) for review and approval. In 
order to fairly evaluate whether an information collection should be 
approved by OMB, section 3506(c)(2)(A) of the PRA requires that we 
solicit comment on the following issues:
     The need for the information collection and its usefulness 
in carrying out the proper functions of our agency.
     The accuracy of our estimate of the information collection 
burden.
     The quality, utility, and clarity of the information to be 
collected.
     Recommendations to minimize the information collection 
burden on the

[[Page 7306]]

affected public, including automated collection techniques.
    In our September 14, 2011 proposed rule (76 FR 56712), we solicited 
public comment on each of these issues, as required by section 
3506(c)(2)(A) of the PRA. We did not receive any PRA-related comments.
    Except as provided in Sec.  493.1291(l), test reports must be 
released only to authorized persons and, if applicable, the individuals 
(or their personal representatives) responsible for using the test 
reports and, to the laboratory that initially requested the test. Under 
Sec.  493.1291(l), the laboratory may, upon request by the patient (or 
the patient's personal representative), provide access to the patient's 
test reports that the laboratory can identify as belonging to that 
patient. The CLIA regulations do not require that CLIA-certified 
laboratories provide this access--rather, these laboratories are 
allowed to provide for access. However, the accompanying changes to the 
HIPAA Privacy Rule in this final rule require that CLIA-certified 
laboratories that are HIPAA covered entities provide individuals with 
access in accordance with the Privacy Rule. The CLIA-certified 
laboratories that are covered entities under HIPAA will need to ensure 
that their practices conform to CLIA and HIPAA requirements.
    We have prepared the Paperwork Reduction Act and the Regulatory 
Impact Analysis (RIA) that represents the costs and benefits of the 
final rule based on an analysis of identified variables and data 
sources needed for this change. We identified known data elements 
(Table 1) and made assumptions on elements where a source could not be 
identified (Table 2). Our assumptions are based on internal discussions 
and consultation with laboratories representative of the industry.

                 Table 1--Summary of Known Data Elements
------------------------------------------------------------------------
           Variable                Data element            Source
------------------------------------------------------------------------
States/territories where                       39  Determination of this
 laboratories, as listed in                         finding is based on
 Table 3, are impacted by the                       two reports as
 new individual access                              listed here:
 provisions.                                       1. Privacy and
                                                    Security Solutions
                                                    for Interoperable
                                                    Health Information
                                                    Exchange, Releasing
                                                    Clinical Laboratory
                                                    Test Results; Report
                                                    on Survey of State
                                                    Laws prepared by Joy
                                                    Pritts, JD, for the
                                                    Agency for Health
                                                    care Research and
                                                    Quality and Office
                                                    of the National
                                                    Coordinator August
                                                    2009; RIT Project
                                                    Number
                                                    0209825.000.015.100
                                                    (Accessed July 15,
                                                    2010).
                                                   2. Electronic Release
                                                    of Clinical
                                                    Laboratory Results:
                                                    A Review of State
                                                    and Federal Policy,
                                                    prepared by Kitty
                                                    Purington, JD, for
                                                    the California
                                                    Health care
                                                    Foundations January
                                                    2010 (Accessed July
                                                    15, 2010).
Laboratories, as listed in                 22,816  Data from CLIA Online
 Table 6, impacted by the new                       Survey Certification
 individual access provisions.                      and Reporting
                                                    database (OSCAR)
                                                    database accessed
                                                    August 27, 2012.
                                                   Includes Certificate
                                                    of Compliance and
                                                    Certificate of
                                                    Accreditation in the
                                                    39 states impacted
                                                    by the patient
                                                    access provisions.
Test results in laboratories,       7,025,841,649  Data from OSCAR
 as listed in Table 6,                              database accessed
 impacted by the new                                August 27, 2012
 individual access provisions.                     Includes Certificate
                                                    of Compliance and
                                                    Certificate of
                                                    Accreditation in the
                                                    39 states impacted
                                                    by the patient
                                                    access provisions.
States/territories, as noted                   46  Determination of this
 in Table 7, where the HIPAA                        finding is based on
 Privacy Rule will pre-empt                         two reports as
 State Law \1\.                                     listed here:
                                                   1. Privacy and
                                                    Security Solutions
                                                    for Interoperable
                                                    Health Information
                                                    Exchange, Releasing
                                                    Clinical Laboratory
                                                    Test Results; Report
                                                    on Survey of State
                                                    Laws prepared by Joy
                                                    Pritts, JD, for the
                                                    Agency for Health
                                                    care Research and
                                                    Quality and Office
                                                    of the National
                                                    Coordinator August
                                                    2009; RIT Project
                                                    Number
                                                    0209825.000.015.100
                                                    (accessed July 15,
                                                    2010).
                                                   2. Electronic Release
                                                    of Clinical
                                                    Laboratory Results:
                                                    A Review of State
                                                    and Federal Policy
                                                    prepared by Kitty
                                                    Purington, JD, for
                                                    the California
                                                    Health care
                                                    Foundations January
                                                    2010 (Accessed July
                                                    15, 2010).
Laboratories, as indicated in              33,807  Data from OSCAR
 Table 7, required to update                        database accessed
 their HIPAA notices of                             August 27, 2012
 privacy practices.                                Includes Certificate
                                                    of Compliance and
                                                    Certificate of
                                                    Accreditation in the
                                                    27 states impacted
                                                    by the HIPAA
                                                    provisions to update
                                                    the notices of
                                                    privacy practice.
Hourly salary of clerical                  $30.09  2013 salary/wages and
 level employee to process                          benefits--use 2012
 requests for test reports.                         salary/wages and
                                                    benefits obtained
                                                    from the U.S. Bureau
                                                    of Labor Statistics,
                                                    Economic News
                                                    Release, March 2012
                                                    U.S.--Total employer
                                                    costs per hour
                                                    worked for employee
                                                    compensation:
                                                    Civilian workers;
                                                    Occupational Group:
                                                    Service-providing at
                                                    http://www.bls.gov/news.release/ecec.t01.htm) and
                                                    adjusts annually by
                                                    2.78 percent to
                                                    reflect an average
                                                    increase in total
                                                    compensation costs
                                                    from 2007-2011.
Hourly salary of management                $50.06  2013 salary/wages and
 level employee to determine                        benefits--use 2012
 policy.                                            salary/wages and
                                                    benefits obtained
                                                    from the U.S. Bureau
                                                    of Labor Statistics,
                                                    Economic News
                                                    Release, March 2012
                                                    U.S.--Total employer
                                                    costs per hour
                                                    worked for employee
                                                    compensation:
                                                    Civilian workers;
                                                    Occupational Group:
                                                    Service-providing at
                                                    http://www.bls.gov/news.release/ecec.t01.htm) and
                                                    adjusts annually by
                                                    2.78 percent to
                                                    reflect an l average
                                                    increase in total
                                                    compensation costs
                                                    from 2007-2011.
------------------------------------------------------------------------
1. Note that there may be circumstances where a laboratory is able to
  comply with both HIPAA and the state law.


                                         Table 2--Summary of Assumptions
----------------------------------------------------------------------------------------------------------------
                 Variable                                  Low                                High
----------------------------------------------------------------------------------------------------------------
Number of test results per test report...  10 test results...................  20 test results.
Percentage of patients requesting test     0.05%.............................  0.50%.
 report.
Time required to process request for test  10 minutes........................  30 minutes.
 report.
----------------------------------------------------------------------------------------------------------------


[[Page 7307]]

    We determined that the impacted CLIA-certified laboratories can be 
broken down into four categories: Laboratories in states and 
territories where there is no law regarding who can receive test 
reports (N=26), laboratories in states and territories where test 
reports can only be given to the provider (N=13), laboratories in 
states and territories that allow test reports to go directly to the 
patient through some means or mechanism (N=9), and laboratories in 
states and territories that allow the test reports to go to the patient 
with provider approval (N=7). Of these four categories, we believe that 
laboratories in the 39 states and territories where there is either no 
law regarding receipt of test reports or where reports can only go to 
the provider are affected by the individual access provisions contained 
in this rulemaking (see Table 3 for a list of states and territories by 
category). Laboratories in the remaining categories would most likely 
have existing procedures in place to respond to patient requests for 
test reports, whereas the laboratories in the first two categories 
would most likely not have procedures in place and would have to 
develop mechanisms for handling these requests and providing access.

   Table 3--Impact on Laboratories of New Individual Access Provisions
------------------------------------------------------------------------
        Impacts laboratories             Does not impact laboratories
------------------------------------------------------------------------
                                                           Allows test
                      Allows test        Allows test       reports to
   No State law     reports only to      reports to       patient with
                        provider           patient          provider
                                                            approval
------------------------------------------------------------------------
Alabama            Arkansas           Delaware          California
Alaska             Georgia            District of       Connecticut
                                       Columbia
Arizona            Hawaii             Maryland          Florida
Colorado           Illinois           New Hampshire     Massachusetts
Guam               Kansas             New Jersey        Michigan
Idaho              Maine              Nevada            New York
Indiana            Missouri           Oregon            Virginia
Iowa               Pennsylvania       Puerto Rico       ................
Kentucky           Rhode Island       West Virginia     ................
Louisiana          Tennessee          ................  ................
Minnesota          Washington         ................  ................
Mississippi        Wisconsin          ................  ................
Montana            Wyoming            ................  ................
Nebraska           .................  ................  ................
New Mexico         .................  ................  ................
North Carolina     .................  ................  ................
North Dakota       .................  ................  ................
Northern Mariana   .................  ................  ................
 Islands
Ohio               .................  ................  ................
Oklahoma           .................  ................  ................
South Carolina     .................  ................  ................
South Dakota       .................  ................  ................
Texas              .................  ................  ................
Utah               .................  ................  ................
Vermont            .................  ................  ................
Virgin Islands     .................  ................  ................
------------------------------------------------------------------------

    In addition to the impact from the access provisions, laboratories 
both in the 39 states and territories where there is either no law 
regarding receipt of test reports or where reports can only go to the 
provider, as well as in the 7 states and territories that currently 
allow test reports to go to the patient only with provider approval, 
will be affected by the requirement to update HIPAA notices of privacy 
practices as a result of this final rule (see Table 4 for a list of 
states and territories by category). Even if laboratories in the 7 
states and territories that currently allow test reports to go to the 
patient with provider approval have processes in place to provide test 
reports to patients, their notices of privacy practices may now contain 
inaccurate statements about how individuals can obtain copies of their 
test reports, given that this final rule preempts these state laws. 
Therefore, by the compliance date of this rule, the laboratories in the 
46 states and territories identified in Table 4 will need to revise 
their notices to inform individuals of their right to obtain reports 
directly from the laboratory, provide a brief description of how to 
exercise this right, and must remove any statements to the contrary 
(see Sec.  164.520(b)(1)(iv)(C)).

  Table 4--Impact on Laboratories of HIPAA Privacy Rule Requirement To
                Revise Their Notices of Privacy Practices
------------------------------------------------------------------------
                 Impacts laboratories                    Does not impact
-------------------------------------------------------   laboratories
                                         Allows test   -----------------
                      Allows test        reports to
   No State law     reports only to     patient with       Allows test
                        provider          provider         reports to
                                          approval           patient
------------------------------------------------------------------------
Alabama            Arkansas           California        Delaware
Alaska             Georgia            Connecticut       District of
                                                         Columbia
Arizona            Hawaii             Florida           Maryland
Colorado           Illinois           Massachusetts     New Hampshire
Guam               Kansas             Michigan          New Jersey
Idaho              Maine              New York          Nevada

[[Page 7308]]

 
Indiana            Missouri           Virginia          Oregon
Iowa               Pennsylvania       ................  Puerto Rico
Kentucky           Rhode Island       ................  West Virginia
Louisiana          Tennessee          ................
Minnesota          Washington         ................
Mississippi        Wisconsin          ................
Montana            Wyoming            ................
Nebraska           .................  ................
New Mexico         .................  ................
North Carolina     .................  ................
North Dakota       .................  ................
Northern Mariana   .................  ................
 Islands
Ohio               .................  ................
Oklahoma           .................  ................
South Carolina     .................  ................
South Dakota       .................  ................
Texas              .................  ................
Utah               .................  ................
Vermont            .................  ................
Virgin Islands     .................  ................
------------------------------------------------------------------------

    The CMS Online Survey, Certification, and Reporting (OSCAR) 
database indicates that there are a total of 234,756 laboratories which 
provide approximately 12.8 billion tests annually (see Table 5) in the 
United States. We assume Certificate of Waiver laboratories and 
Certificate of PPM laboratories would not be impacted because the tests 
are usually performed in these sites during a patient's visit. We 
assume that the physician or health practitioner would inform the 
patient of those results during the visit, and we anticipate that the 
patient would ask that person with whom they interacted as opposed to 
the laboratory, if they have reason to seek copies of the test report 
in the future. In the 39 states and territories that are impacted by 
the patient access provision, there are 22,816 laboratories that 
perform over 7 billion tests annually (see Table 6).
    However, we recognize that some laboratories included in these 
estimates may not be covered entities under HIPAA (because they do not 
conduct covered health care transactions electronically, for example, 
filing electronic claims for payment) and, therefore, would not be 
required to provide direct individual access.

          Table 5--All U.S. Laboratory Testing Subject to CLIA
------------------------------------------------------------------------
                                           Number of
         CLIA certificate type            laboratories   Number of tests
------------------------------------------------------------------------
Certificate of Compliance.............           20,470    3,122,772,023
Certificate of Accreditation..........           16,829    8,998,058,524
Certificate of Waiver.................          158,996      477,094,700
Certificate of Provider Performed                38,461      207,777,472
 Microscopy (PPM).....................
                                       ---------------------------------
    Totals............................          234,756   12,805,702,719
------------------------------------------------------------------------


    Table 6--Number of Laboratories Impacted by New Individual Access
                               Provisions
------------------------------------------------------------------------
                                         Number of
         State or territory             laboratories    Number of tests
------------------------------------------------------------------------
Alaska..............................              103         10,688,466
Alabama.............................              868        252,267,262
Arkansas............................              540         74,686,910
Arizona.............................              581        195,731,588
Colorado............................              499        138,847,079
Georgia.............................            1,190        217,997,888
Guam................................               13          2,500,654
Hawaii..............................              117         36,918,267
Idaho...............................              230         33,092,465
Illinois............................            1,053      1,852,543,312
Indiana.............................              621        190,732,493
Iowa................................              548         82,389,916
Kansas..............................              438        240,744,893
Kentucky............................              710        133,586,267

[[Page 7309]]

 
Louisiana...........................              677        135,050,184
Maine...............................              140         36,150,552
Minnesota...........................              832        165,066,668
Mississippi.........................              523         45,808,928
Missouri............................              683        192,145,580
Montana.............................              961        300,480,983
Nebraska............................              317         33,103,996
New Mexico..........................              189         44,642,110
North Carolina......................              673         48,771,993
North Dakota........................              177         49,833,112
Northern Mariana Islands............              181         56,185,878
Ohio................................              634        163,151,403
Oklahoma............................              485        111,005,884
Pennsylvania........................              747         87,776,132
Rhode Island........................              477         91,657,444
South Carolina......................              453         38,185,190
South Dakota........................              469        171,638,497
Tennessee...........................            2,626        949,935,182
Texas...............................            1,594        155,118,958
Utah................................              705        256,856,757
Vermont.............................              245        174,974,043
Virgin Islands......................               45         11,413,475
Washington..........................              936        167,818,742
Wisconsin...........................              482         73,457,876
Wyoming.............................               54          2,884,622
                                     -----------------------------------
    Total...........................           22,816      7,025,841,649
------------------------------------------------------------------------

    In addition to complying with the individual access requirements, a 
total of 33,087 laboratories in the states and territories that are 
affected by the HIPAA notice provisions will need to revise their 
notices of privacy practices to reflect the right of individuals to 
obtain test reports directly from laboratories (see Table 7). However, 
as stated above, we recognize that some laboratories included in these 
estimates may not be covered entities under HIPAA and, therefore, would 
not be required to provide direct individual access and would not be 
required to revise any notices.

   Table 7--Number of Laboratories Impacted by the HIPAA Privacy Rule
        Requirement to Revise Their Notices of Privacy Practices
------------------------------------------------------------------------
                                                            Number of
                         State                             laboratories
------------------------------------------------------------------------
Alaska.................................................              103
Alabama................................................              868
Arkansas...............................................              540
Arizona................................................              581
California.............................................            2,919
Colorado...............................................              499
Connecticut............................................              379
Florida................................................            2,462
Georgia................................................            1,190
Guam...................................................               13
Hawaii.................................................              117
Idaho..................................................              230
Illinois...............................................            1,053
Indiana................................................              621
Iowa...................................................              548
Kansas.................................................              438
Kentucky...............................................              710
Louisiana..............................................              677
Massachusetts..........................................              693
Maine..................................................              140
Michigan...............................................              926
Minnesota..............................................              832
Mississippi............................................              523
Missouri...............................................              683
Montana................................................              961
Nebraska...............................................              317
New Mexico.............................................              189
New York...............................................            2,425
North Carolina.........................................              673
North Dakota...........................................              177
Northern Mariana Islands...............................              181
Ohio...................................................              634
Oklahoma...............................................              485
Pennsylvania...........................................              747
Rhode Island...........................................              477
South Carolina.........................................              453
South Dakota...........................................              469
Tennessee..............................................            2,626
Texas..................................................            1,594
Utah...................................................              705
Vermont................................................              245
Virgin Islands.........................................               45
Virginia...............................................              467
Washington.............................................              936
Wisconsin..............................................              482
Wyoming................................................               54
                                                        ----------------
    Totals.............................................           33,087
------------------------------------------------------------------------

A. Information Collection Requests (ICRs) Regarding the Development of 
Process To Provide Patient Access to Test Reports (Sec.  493.1291)

    Under Sec.  493.1291(l), we assume that the development of the 
mechanisms to provide patient access to laboratory test reports will be 
a one-time burden and that each laboratory will develop its own unique 
policies and procedures to address patient access or adopt mechanisms/
procedures developed by consultants or associations representing 
laboratories. We assume a one-time burden of 2 to 9 hours to identify 
the applicable legal obligations and to develop the processes and 
procedures for handling patient requests for access to test reports. 
While we provide a range of burden estimates in this final rule, for 
purposes of OMB review and approval we will submit burden estimates 
based

[[Page 7310]]

on 9 hours. We also assume an hourly rate for a management-level 
employee to be $50.06 (see Table 1).
    The range of costs for laboratories to develop the necessary 
processes and procedures for handling patient requests is:

(2 hours x $50.06 per hour x 22,816 laboratories) = $2,284,338
(9 hours x $50.06 per hour x 22,816 laboratories) = $10,279,521

    Since this is a one-time burden, the average annual cost over the 
3-year OMB approval period, which is the period between approval and 
renewal of the information collection by OMB, will range between 
$761,446 and $3,426,507.
    The ongoing burden associated with responding to test report 
requests is dependent upon the total number of test reports that exist 
in affected laboratories, the percent of the results that would be 
requested, and the cost of producing these reports for those 
individuals who ask for direct access.
    Laboratory test reports are commonly understood to contain multiple 
test results with many laboratory tests being ordered as panels of 
tests. Each laboratory may have its own unique test report panels which 
may contain anywhere from 1 to 20 individual test results.
    Using a range of 10 to 20 test results in a test report, we 
estimated the annual number of test reports that may be requested to 
be:

(7,025,841,649 tests per year/20 tests per report) = 351,292,082 test 
reports/year
(7,025,841,649 tests per year/10 tests per report) = 702,584,165 test 
reports/year

    We are unaware of any data that would provide a reasonable estimate 
for the number of patients who would request test reports from 
laboratories if they are available. We solicited public comments on 
this issue but did not receive any to inform our estimates. Therefore, 
we assume a range of 1 in 2,000 patients (0.05 percent) to 1 in 200 
patients (0.50 percent) will request direct access to his or her test 
report.
    Using these figures, the range of the number of patient requests 
per year will be:

(351,292,082 test reports per year x .0005) = 175,646 patient requests 
per year
(702,584,165 test reports per year x .005) = 3,512,921 patient requests 
per year

    The processing of a patient request for a test report generally 
covers steps from actual receipt of the patient's request to the 
delivery of the report and documentation of the delivery. Requests for 
laboratory results are usually handled by non-managerial or clerical 
staff. Due to the lack of data that indicates the amount of time it 
takes for staff to process a test report request, we assume a range of 
10 minutes (0.17 hours) to 30 minutes (0.5 hours) to handle a request 
from start to finish.
    We then multiplied this range by the range of the anticipated 
number of patient requests to obtain the total annual burden hours:

(175,646 patient requests per year x 0.17 hours) = 29,860
(3,512,921 patient request per year x 0.5 hours) = 1,756,461

    We then multiplied this range by the hourly rate of $30.09 for a 
clerical-level employee (see Table 1) to develop the total labor cost 
of reporting:

29,860 (total annual burden hours) x $30.09 = $898,487
1,756,461 (total annual burden hours) x $30.09 = $52,851,911

                                                                  Table 8--Summary of Annual Requirements and Burden Estimates
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                     Burden per    Total annual    Hourly labor     Total labor   Total capital/
                  Regulation section(s)                   OMB  Control   Respondents    Responses     response        burden          cost of         cost of       maintenance   Total cost ($)
                                                               No.                                     (hours)        (hours)     reporting  ($)   reporting ($)    costs  ($)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
42 CFR 493.1291.........................................     0938--New        22,816        22,816             9         205,344           50.06      10,279,521               0      10,279,521
42 CFR 493.1291.........................................     0938--New     3,512,921     3,512,921            .5       1,756,461           30.09      52,851,911               0      52,851,911
                                                         ---------------------------------------------------------------------------------------------------------------------------------------
    Total...............................................  ............     3,535,737     3,535,737  ............       1,961,804  ..............      63,131,432  ..............      63,131,432
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    We will exercise our enforcement discretion to allow HIPAA-covered 
laboratories to revise their notices only once to reflect the changes 
to privacy practices of these entities both resulting from this rule, 
as well as the final rule published on January 25, 2013, modifying the 
HIPAA Rules, which became effective on March 26, 2013 (78 FR 5566). 
Since we accounted for the overall burden to covered health care 
providers, including laboratories, of revising notices in the burden 
statement accompanying the January 25, 2013, final rule (78 FR 5669), 
we do not include estimates of any additional burden in this rule.
    If you comment on these information collection and recordkeeping 
requirements, please submit your comments to the Office of Information 
and Regulatory Affairs, Office of Management and Budget, Attention: CMS 
Desk Officer, [CMS-2319-F] Fax: (202) 395-6974; or Email: OIRA_submission@omb.eop.gov.

VII. Regulatory Impact Analysis

A. Overall Impact

    We have examined the impacts of this final rule as required by 
Executive Order 12866 on Regulatory Planning and Review (September 30, 
1993), Executive Order 13563 on Improving Regulation and Regulatory 
Review (January 18, 2011), the Regulatory Flexibility Act (RFA) 
(September 19, 1980, Pub. L. 96-354), section 1102(b) of the Social 
Security Act, section 202 of the Unfunded Mandates Reform Act of 1995 
(March 22, 1995; Pub. L. 104-4), Executive Order 13132 on Federalism 
(August 4, 1999), and the Congressional Review Act (5 U.S.C. 804(2)).
    Executive Orders 13563 and 12866 direct agencies to assess all 
costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). Executive 
Order 13563 emphasizes the importance of quantifying both costs and 
benefits, of reducing costs, of harmonizing rules, and of promoting 
flexibility. This final rule has been designated a ``significant 
regulatory action'' although not economically significant, under 
section 3(f) of Executive Order 12866. Accordingly, the rule has been 
reviewed by the Office of Management and Budget.
    Laboratories regulated under CLIA that do not currently provide 
patients with an opportunity to receive, upon request, a copy of their 
laboratory test report (defined in CLIA Sec.  493.1291) are affected by 
this final rule. According to the CMS OSCAR database accessed on August 
27, 2012, there are 234,756

[[Page 7311]]

laboratories in the United States that are subject to CLIA. OSCAR is a 
data network maintained by CMS in cooperation with the state surveying 
agencies and accrediting organizations that provides a compilation of 
all the data elements collected during inspection surveys conducted at 
laboratories. Of the total CLIA-certified laboratories identified in 
the OSCAR database, we believe approximately 90 percent of these would 
not be impacted by the individual access provisions because they 
perform testing either under a Certificate of Waiver or Certificate of 
Provider Performed Microscopy (PPM) or they are located in states that 
already allow the laboratory to provide patient access to test reports, 
either directly or with provider approval. Removing the step in which 
the provider grants permission to the laboratory should not pose an 
additional impact on the laboratory, as we believe these laboratories 
already have processes in place to provide patients access to test 
reports once that permission is received.
    We expect that 22,816 laboratories located in the 39 states and 
territories identified in Table 3 as having no state law or a state law 
that provides test reports only to the provider will be impacted by the 
individual access provisions in this final rule. In addition, we expect 
that 33,087 laboratories located in the 46 states and territories 
identified in Table 4 as having no state law, a state law that provides 
test reports only to the provider, or a state law that permits test 
reports to go to patients only with provider approval, will be affected 
by the HIPAA requirement to update their notices of privacy practices. 
We believe that this final rule does not constitute an economically 
significant rule because we estimate the range of overall annual costs 
that would be expended by the affected laboratories would be less than 
$100 million for 2013.
    The RFA requires agencies to analyze options for regulatory relief 
of small entities, if a rule has a significant impact on a substantial 
number of small entities. For purposes of the RFA, we assume that the 
great majority of medical laboratories are small entities, either by 
virtue of being nonprofit organizations or by meeting the SBA 
definition of a small business by having revenues of less than $13.5 
million in any 1 year. We believe at least 83 percent of medical 
laboratories qualify as small entities based on their nonprofit status 
as reported in the American Hospital Association Fast Fact Sheet 
updated June 24, 2010 (http://www.aha.org/aha/resource-center/Statistics-and-Studies/Fast_Facts_Nov_11_2009.pdf).
    Other options for regulatory relief of small businesses, as 
discussed in section E of this final rule, were determined not to be 
feasible and therefore these options were not analyzed for this final 
rule. We believe any alternative to allowing the laboratory to provide 
patient access to test reports would be counterproductive to the 
Department's efforts to provide patient-centered health care. We are 
unaware of any instances in which the changes included in this final 
rule would affect health care entities operated by small government 
jurisdictions.
    Section 1102(b) of the Social Security Act also requires us to 
prepare a regulatory impact analysis if a rule may have a significant 
impact on the operations of a substantial number of small rural 
hospitals. This analysis must conform to the provisions of section 604 
of the RFA. For purposes of section 1102(b) of the Act, we define a 
small rural hospital as a hospital that is located outside of a 
metropolitan statistical area and has fewer than 100 beds. We do not 
expect this final rule would have a significant impact on small rural 
hospitals. The final rule applies only to laboratories. If a small 
rural hospital operates a laboratory, we anticipate compliance with 
this final rule will require minimal effort as we expect that the 
hospital already has procedures in place for responding to individual 
access requests for hospital records under the HIPAA Privacy Rule. We 
believe that these existing policies and procedures should be easy to 
translate for use in direct access requests to hospital-operated 
laboratories. Therefore, the Secretary has determined that this final 
rule does not have a significant impact on the operations of a 
substantial number of small rural hospitals.
    Section 202 of the Unfunded Mandates Reform Act of 1995 (UMRA) also 
requires that agencies assess anticipated costs and benefits before 
issuing any rule whose mandates require spending in any 1 year of $100 
million in 1995 dollars, updated annually for inflation. In 2013, that 
threshold is approximately $142 million. We do not anticipate this 
final rule will impose an unfunded mandate on states, tribal 
governments, or the private sector of more than $142 million annually. 
Executive Order 13132 establishes certain requirements that an agency 
must meet when it promulgates a proposed rule (and subsequent final 
rule) that imposes substantial direct requirements and costs on state 
and local governments, preempts state law, or otherwise has Federalism 
implications.
    The changes to the CLIA regulations at Sec.  493.1291 will not have 
a substantial direct effect on state and local governments, preempt 
state law, or otherwise have a Federalism implication and there is no 
change in the distribution of power and responsibilities among the 
various levels of government.
    The Federalism implications of the Privacy Rule were assessed as 
required by Executive Order 13132 and published as part of the preamble 
to the final rule on December 28, 2000 (65 FR 82462, 82797). Regarding 
preemption, though the changes to the Privacy Rule will preempt a 
number of state laws (see Table 4), this preemption of state law is 
consistent with the preemption provision of the HIPAA statute. The 
preamble to the final Privacy Rule explains that the HIPAA statute 
dictates the relationship between state law and Privacy Rule 
requirements, and the rule's preemption provisions do not raise 
Federalism issues.
    We do not believe that this rule will impose substantial direct 
compliance costs on state and local governments. We do not believe that 
a significant number of laboratories affected by these proposals are 
operated by state or local governments. Therefore, the modifications in 
these areas will not cause additional costs to state and local 
governments.
    In considering the principles in and requirements of Executive 
Order 13132, the Department has determined that the modifications to 
the Privacy Rule will not significantly affect the rights, roles and 
responsibilities of the states.

B. Anticipated Effects

    The current CLIA regulations and related laws of the states and 
territories pose potential barriers to the laboratory exchange of 
health care information (test reports) directly with the patient. These 
regulatory changes will amend Sec.  493.1291(f) and add Sec.  
493.1291(l) to the CLIA regulations and also amend Sec.  164.524 of the 
Privacy Rule. These changes are being made in support of the 
Department's efforts toward achieving patient-centered and health IT-
enabled health care and would allow patients direct access to their 
laboratory test reports from a laboratory.
    The changes providing for individual access will impact 
laboratories in 39 states and territories (Table 3) where state law 
does not permit the laboratory to provide test reports directly to the 
patient. These changes do not impact the laboratories in the remaining 
16

[[Page 7312]]

states and territories where the laboratory is allowed to provide the 
test report to the patient either directly or after provider approval. 
However, laboratories in 46 states and territories (Table 4) where 
state law does not permit the laboratory to provide test reports 
directly to the patient or permits direct access only after provider 
approval, will be impacted by the requirement to update their HIPAA 
notice of privacy practices to reflect individuals' new access rights 
under this final rule.

C. Costs

    Although data are not available to calculate the estimated costs 
and benefits that will result from these changes, we are providing an 
analysis of the potential impact based upon available information and 
certain assumptions. These regulatory changes are anticipated to have 
the following associated costs and benefits:
     The impacted laboratories may require additional resources 
to ensure patients receive test reports when requested.
     Patients will benefit from having direct access to their 
laboratory test results. (See section D below).
1. Quantifiable Impacts
    Laboratories that are issued a CLIA Certificate of Compliance or 
Certificate of Accreditation in the 39 states and territories 
identified in Table 3 will be required to provide patients with a copy 
of their test report upon request. The OSCAR database includes 22,816 
laboratories in the 39 states and territories that will be impacted and 
the corresponding number of annual tests in these laboratories is 
approximately 7 billion as shown in Table 6. Data are not available for 
estimating the number of test results reported per test report. 
However, the majority of test reports contain multiple test results. 
Tests are frequently ordered as panels of individual tests. For 
example, according to 2008 CMS reimbursement data, three of the four 
most frequently ordered tests in the Medicare outpatient setting are 
panels of multiple individual tests, some of which may contain up to 20 
tests. As part of a medical encounter, frequently more than one panel 
is ordered per patient, and a test report could contain a large number 
of individual test results. Therefore, for the purposes of this 
analysis, an assumed range of 10 to 20 is used to represent the average 
number of test results per test report. Applying this range to the 
total number of annual tests (7,025,841,649) from Table 6, the 
estimated number of total annual test reports ranges from a low of 
351,292,082 to a high of 702,584,165.
    For the purposes of this analysis, we assume that many patients 
will still prefer to obtain their laboratory result information from 
their health care provider, who will also be able to provide 
interpretation of the test results, and thus an assumed range of from 1 
in 2,000 (0.05 percent) to 1 in 200 (0.50 percent) is used to represent 
the proportion of test reports requested. Applying this range to the 
number of estimated annual test reports (351,292,082 to 702,584,165) 
yields an estimated annual number patient requests ranging from 175,646 
to 3,512,921.
    Processing a request for a test report, either manually or 
electronically, will require completion of the following steps: (1) 
Receipt of the request from the individual; (2) authentication of the 
identification of the individual; (3) retrieval of test reports; (4) 
verification of how and where the individual wants the test report to 
be delivered and provision of the report by mail, fax, email or other 
electronic means; and (5) documentation of test report issuance. We 
estimate the total time to process each test report request to be in 
the range of 10 minutes (0.17 hours) to 30 minutes (0.5 hours). This 
estimate for a range of total time includes estimates for a range of 
time for each of the five steps listed above. The time needed to 
complete each step is dependent on the capabilities of the laboratory, 
such as whether manual or automated processes are available, and the 
desired method of communication of test reports to the individual 
patient as listed in step four. We multiplied the range for the number 
of patient requests, 175,646 to 3,512,921 by 0.17 hours and 0.5 hours 
to determine the total number of hours for processing the test reports 
to be in the range of 29,860 and 1,756,461. The estimated annual cost 
to process all test report requests in 2013 ranges from $$898,487 to 
$52,851,911.
    The analysis also assumed each of the estimated 22,816 laboratories 
to be impacted by individual access provisions of this rule (Table 6) 
will need to develop and implement a policy and process to receive and 
respond to patient requests as discussed above. To estimate the 
initial, one-time development cost, it is assumed to require laboratory 
management staff time ranging from a low of 2 hours to a high of 9 
hours per laboratory. To convert the number of hours to an estimated 
cost per laboratory, we applied the rate of $50.06 (see Table 1) to the 
assumed 2 to 9 hour time range yields an estimated cost per laboratory 
ranging from $100.12 to $450.54, which when applied to the estimated 
22,816 laboratories impacted results in a total estimated one-time 
development cost ranging from $2,284,338 to $10,279,521.
    Table 9 shows the total estimated range of annual costs for the 
change in undiscounted 2013 dollars and discounted at 3 percent and 7 
percent to translate expected benefits or costs in any given future 
year into present value terms. To calculate the total estimated costs 
in 2013, we added the cost to develop the necessary policies and 
processes (which would only be applicable in the first year) and the 
cost of responding to test report requests. These costs total between 
$3 million and $63 million for 2013 to provide patients with access to 
their laboratory test reports. As subsequent years will only entail the 
costs associated with processing requests, we simply took the 2013 
values for the cost of responding to test reports and applied the same 
inflation factor used in Table 1 for the hourly rate calculations. The 
resulting values can be found in Table 9.

                                          Table 9--Total Estimated Annual Costs of Patient Test Report Requests
                                               [Policy development and processing for the patient access]
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                          Undiscounted  (Base year: 2013         Discounted  at 3%               Discounted  at 7%
                                                                        $)               ---------------------------------------------------------------
                                                         --------------------------------
                                                                Low            High             Low            High             Low            High
--------------------------------------------------------------------------------------------------------------------------------------------------------
2013....................................................      $3,182,819     $63,131,432      $3,090,115     $61,292,652      $2,974,597     $59,001,338
2014....................................................         932,243      55,934,563         878,728      52,723,690         814,257      48,855,414
2015....................................................         959,045      57,542,682         877,662      52,659,705         782,866      46,971,969
2016....................................................         986,617      59,197,034         876,597      52,595,798         752,686      45,161,134

[[Page 7313]]

 
2017....................................................       1,014,982      60,898,949         875,533      52,531,968         723,668      43,420,109
--------------------------------------------------------------------------------------------------------------------------------------------------------

    Laboratories will be able to offset some of these costs pursuant to 
Sec.  164.524(c)(4) of the HIPAA Privacy Rule, which permits covered 
entities to impose on the individual a reasonable, cost-based fee for 
providing access to their health information, including the cost of 
supplies for and labor of copying the requested information.
    As we explain above, with respect to notices of privacy practices, 
we are exercising our enforcement discretion to allow HIPAA-covered 
laboratories to revise their notices only once to reflect the changes 
to privacy practices of these entities both resulting from this rule, 
as well as the final rule published on January 25, 2013, modifying the 
HIPAA Rules, which became effective on March 26, 2013 (78 FR 5566). 
Since we accounted for the overall costs to covered health care 
providers, including laboratories, of revising and reprinting notices 
in the impact statement accompanying the January 25, 2013, final rule 
(78 FR 5669), we do not include here any estimates of additional costs 
to revise and print notices.
    Therefore, we estimate the cost to provide patients with access to 
their laboratory test reports is estimated to be between $3 million and 
$63 million for 2013.
2. Non-Quantifiable Impacts
    The burden in this final rule would be primarily on laboratories to 
provide the laboratory test reports when requested by the patient; 
however, there may be some non-quantifiable impacts on the health care 
provider's office. If the patient does not know where the provider sent 
the test request, the provider may need to provide laboratory contact 
information to the patient so he or she may request the test report. We 
assume that notification of the laboratory name and contact information 
could be provided in as little as 30 seconds; however there are no data 
to confirm this, and we did not receive comments on the issue. We also 
note that since the provider may need to provide an interpretation of 
the test results, the provider may give the patient a copy of the test 
report rather than referring the patient to the laboratory for the 
information. The time cost to patients of new interactions with 
laboratories is a further impact of the rule that has not been 
quantified.

D. Benefits

    Although we cannot quantify the impact on patients, we believe that 
it will be positive in light of findings from studies that focused on 
patient receipt of test results from the provider. We found several 
studies where greater than 90 percent of patients stated they preferred 
being notified of all test results, both normal and abnormal (1. 
Baldwin DM, Quintela J, Duclos C, et al. Patient Preferences for 
Notification of Normal Laboratory Test Results: A Report from the ASIPS 
Collaborative. BMC Fam Practice 2005; 6:11; 2. Boohaver EA, Ward RE, 
Uman JE et al. Patient Notification and Follow-up of Abnormal Test 
Results. Arch Intern Med 1996; 327-331; 3. Grimes GC, Reis MD, Gokul B, 
et al. Patient Preferences and Physician Practices for Laboratory Test 
Result Notification. JABFM 2009:22:6:670-676; and 4. Meza JP and 
Webster DS. Patient Preferences for Laboratory Test Result 
Notification. Am J Manag Care 2000; 6:1297-300). These same studies 
reported, for both the health care provider and patient, the preferred 
method for receiving normal test results was the U.S. mail, and direct 
phone contact from the provider was the preferred method for abnormal 
test results. These preferences may have changed in the last 5 years 
given the increase in the use of electronic communications. Advantages 
reported in these studies for the patient having direct access to the 
test report include reduced workload for the health care provider's 
office, reduced chance of a patient not being informed of a laboratory 
test result, and reduced numbers of patients who fail to seek 
appropriate medical care. Additionally, we expect significant benefits 
to flow to patients as a result of increased access to their laboratory 
test results. Commenters to this final rule describe these benefits as 
including increased patient participation in treatment programs, such 
as those that involve monitoring of chronic diseases, and the ability 
of patients to identify and treat health risks sooner and more 
effectively.

E. Alternatives Considered

    The changes to the CLIA regulations and the HIPAA Privacy Rule are 
in support of the Department's efforts toward achieving patient-
centered health care. Several alternatives were considered before 
selecting the approach in this final rule to provide access to 
laboratory test reports upon a patient's request. One alternative would 
have been to leave the regulations as written without making any 
changes. However, this option would leave in place the restrictions on 
patients' direct access to their laboratory test results and would 
therefore impede the goal of promoting patient-centered health care. 
Another alternative would have been to revise the definition of 
``authorized person'' under CLIA to specifically include a patient as 
an authorized person. This alternative was not considered feasible 
because the definition of ``authorized person'' in the CLIA regulations 
also permits individuals to order tests, and it defers to state law for 
authorization. A last alternative considered would have been to require 
the laboratory to automatically provide each test report directly to 
each patient rather than the permissive approach to provide patients 
access to their reports upon request. However, this alternative would 
have had the potential of significantly increasing the cost for 
laboratories since 100 percent of the 350 million to 703 million test 
reports issued annually would need to be provided to the patients.

F. Accounting Statement and Table

    We have prepared the following accounting statement showing the 
classification of the expenditures associated with the provisions of 
this final rule.

[[Page 7314]]



----------------------------------------------------------------------------------------------------------------
                                            Primary         Minimum         Maximum       Source citation (RIA,
               Category                    estimate        estimate        estimate          preamble, etc.)
----------------------------------------------------------------------------------------------------------------
BENEFITS:
    Monetized benefits................             n/a             n/a             n/a  RIA Section C2
Annualized qualified, but unmonetized,             n/a             n/a             n/a  RIA Section C2
 benefits.
(Unqualified benefits)................             n/a             n/a             n/a  RIA Section C2
COSTS:
Monetized costs (2012 $):
    Patient access provisions 2013....             n/a      $3,182,819     $63,131,432  RIA Sec C1 (Table 7)
    Patient access provisions 2014....             n/a        $932,243     $55,934,563  RIA Sec C1 (Table 7)
    Patient access provisions 2015....             n/a        $959,045     $57,542,682  RIA Sec C1 (Table 7)
    Patient access provisions 2016....             n/a        $986,617     $59,197,034  RIA Sec C1 (Table 7)
    Patient access provisions 2017....             n/a      $1,014,982     $60,898,949  RIA Sec C1 (Table 7)
    Annualized quantified, but                     n/a             n/a             n/a  ........................
     unmonetized, benefits.
Qualitative (unquantified) costs......             n/a             n/a             n/a  RIA Section C2
TRANSFERS:
    Annualized monetized transfers:                n/a             n/a             n/a  ........................
     ``on budget''.
    From whom to whom?................             n/a             n/a             n/a  ........................
    Annualized monetized transfers:                n/a             n/a             n/a  ........................
     ``off-budget''.
    From whom to whom?................             n/a             n/a             n/a  ........................
----------------------------------------------------------------------------------------------------------------
Category..............................                      Effects                     Source Citation
                                                                                        (RIA, preamble, etc.)
----------------------------------------------------------------------------------------------------------------
Effects on State, local, and/or tribal             n/a             n/a             n/a  RIA Sec A (Table 4)
 governments.
Effects on small businesses...........             n/a             n/a             n/a  RIA Section A
Effects on wages......................             n/a             n/a             n/a  ........................
Effects on growth.....................             n/a             n/a             n/a  ........................
----------------------------------------------------------------------------------------------------------------

G. Conclusion

    We estimated the cost to laboratories to provide patients with a 
copy of their test reports upon request and determined it would cost 
between $3 million and $63 million in 2013. These costs will diminish 
in subsequent years. In addition laboratory provision of test reports 
to patients may provide information that could benefit the patient by 
reducing the chance of the patient not being informed of a laboratory 
test result, reducing the number of patients lost to follow-up, and 
benefiting health care providers by reducing their workload in 
providing laboratory test reports. Finally, as we explain above, to 
avoid HIPAA-covered laboratories having to modify their notices twice 
within the same year to comply with both the January 25, 2013, final 
rule and this rule, we will exercise our enforcement discretion to 
allow CLIA laboratories (including CLIA-exempt laboratories) that are 
HIPAA covered entities to take until the compliance date of this final 
rule to revise their notices to reflect both sets of modifications. See 
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/clia-labs.html. 
Therefore, CLIA and CLIA-exempt laboratories that are HIPAA covered 
entities need only update their notices once to comply with both rules.
    In accordance with the provisions of Executive Order 12866, this 
regulation was reviewed by the Office of Management and Budget.

VIII. Analysis of and Responses to Public Comments on the Paperwork 
Reduction and Regulatory Impact Analysis

    We have provided an analysis of the potential impact of this final 
rule, based upon available information and certain assumptions. We have 
prepared the Paperwork Reduction Act and the Regulatory Impact Analysis 
representing the costs and benefits of the final rule based on analysis 
of identified variables and data sources needed for this change. We 
requested that commenters provide any additional data that would assist 
us in the analysis of the potential impact of this regulation on CLIA 
certified laboratories but we did not receive any additional data.
    Therefore, based on our analysis and assessment of the overall 
annual costs to the laboratories affected by this final rule, we are 
finalizing the provisions as set forth in the proposed rule. The 
comments we received on this provision and our responses are set forth 
below.
    Comment: We received several comments from organizations and 
individuals suggesting the implementation and operations cost estimate 
provided in the regulatory impact analysis (that is, for the laboratory 
to receive the request, authenticate the requestor is allowed to have 
access to the test report, process the request and provide the test 
report) was too low. Some suggested there were other factors that were 
not considered in the proposed rule's RIA, such as costs for training 
staff to provide the reports in a compliant manner, verification that 
the information was received, and for providing an explanation or 
summary of results, which may require higher level staff than those at 
a clerical level. Some recommended we review the anticipated cost 
structure and contact several laboratories to request best estimates. 
One organization recommended that we permit laboratories to charge a 
standard fee between $10 to $15 per test report issued to cover overall 
administrative costs, which would be in addition to the actual cost of 
the supplies used to provide the test report to the patient or personal 
representative or, if applicable, a third party designated by the 
individual.
    Response: Our cost estimate was based on assumptions from internal 
discussions and consultation with two laboratories that provide test 
reports directly to patients. Although the proposed rule solicited 
comments and additional data from laboratories that already provide 
test reports directly to the patient, we did not receive any data to 
support adjusting the estimates provided in the proposed rule; 
therefore, we are not adjusting those estimates in this final rule and 
acknowledge that they may not reflect costs for every laboratory 
setting. We appreciate the commenter's suggestion about staff training 
costs; however we believe that there is no need to include additional 
costs for training staff to provide the reports in a HIPAA Privacy Rule 
compliant manner since training

[[Page 7315]]

cost was part of our original estimate for developing and implementing 
a policy and process.
    In addition, the HIPAA Privacy Rule permits covered entities to 
charge a reasonable cost-based fee to provide individuals with copies 
of their protected health information. The fee may include only the 
cost of copying (including supplies and labor) and postage, if the 
individual requests that the copy be mailed. If the individual (or 
individual's personal representative) has agreed to receive a summary 
or explanation of his or her protected health information, the covered 
entity may also charge a reasonable, cost-based fee for preparation of 
the summary or explanation. The fee may not include costs associated 
with searching for and retrieving the requested information, nor does 
the HIPAA Privacy Rule permit charging a standard fee; therefore, this 
final rule does not permit laboratories to charge these fees. The fees 
permitted to be charged to individuals under the HIPAA Privacy Rule are 
discussed more fully above in section VII.
    Comment: We received a few comments that smaller, rural hospitals, 
particularly Critical Access Hospitals (CAHs), may face financial 
constraints that would make compliance with this requirement 
challenging.
    Response: The impacts discussed in the preamble affect only those 
laboratories that currently do not provide patients with access to 
their health information. Since most hospitals are HIPAA covered 
entities, they are required already to provide individuals with access 
to the protected health information in their designated record sets, 
including laboratory test results, in accordance with Sec.  164.524 of 
the HIPAA Privacy Rule. As discussed above, laboratories that operate 
as part of a legal entity that is a hospital or that are part of an 
affiliated covered entity or organized health care arrangement with the 
hospital (see the definition of ``organized health care arrangement'' 
in the HIPAA Rules at Sec.  160.103, and the provisions for affiliated 
covered entities at Sec.  164.105(b)), may continue to utilize the 
hospital's already established mechanisms for providing access to the 
individuals requesting their test reports from the hospital 
laboratories, provided that the established mechanisms are compliant 
with the access provisions of the HIPAA Privacy Rule.
    Comment: Several commenters asked why we used test volume data that 
was self-reported rather than validated Part B claims or actual claims. 
Other commenters asked why we did not analyze the cost of providing 
access to completed test reports to Medicare fee-for-service 
beneficiaries in states that already allow laboratories to provide a 
copy of test results to the patient.
    Response: We used data from the CMS OSCAR database for our 
estimates. The OSCAR database is not limited to Medicare-reimbursed 
tests only, but also includes testing totals for laboratory tests 
reimbursed by private payers and those that are not reimbursed. Test 
volume is self-reported by laboratories and validated by CMS surveyors 
during laboratory inspections. This data is more accurate for 
estimating the impact of these changes. We requested comments from 
laboratories that are currently providing test reports to the patient. 
We did not receive any comments that would support adjusting the 
estimates provided in the proposed rule; therefore, we conclude that 
these estimates are sufficiently accurate and have retained those 
estimates in this final rule.
    Comment: We received several comments disagreeing with the time 
estimate of 2 to 9 hours for laboratories to identify the applicable 
legal obligations and develop processes or procedures to handle the 
patient requests for access to test reports. One commenter stated that 
his institution had reported spending several hours in meetings between 
administration, laboratory management, and legal counsel examining 
procedural options and the risks of each procedure. Other commenters 
stated that it would not be possible for the information technology/
data privacy teams to meet this requirement in the allotted timeframe 
for implementation. Several commenters suggested some laboratories may 
need to develop policies related to sensitive issues, such as minors 
and parent/guardian access or release of the results of drug testing 
that might have an impact on the laboratory's liability insurance 
costs. Other comments stated that the policy development would not be a 
one-time charge since laboratories would need to monitor all new state 
and federal regulations related to the disclosure of protected health 
information.
    Response: Our cost estimate was based on assumptions from internal 
discussions and consultation with two laboratories that provide test 
reports directly to patients. Although the proposed rule solicited 
comments and additional data from laboratories that already provide 
test reports directly to the patient, we did not receive any data to 
support adjusting the estimates provided in the proposed rule. We 
acknowledge that these estimates may not reflect costs for every 
laboratory setting. However, in the absence of data to support changing 
our estimate, we are not adjusting those estimates in this final rule. 
Laboratories may be able to learn from those in the 16 states that 
allow the laboratory to provide a copy of the test results to the 
patient and from larger reference laboratories that have already 
developed policies to accommodate requests received from patients that 
receive testing in these 16 states. The HHS Office for Civil Rights, 
which administers and enforces the HIPAA Privacy Rule, provides 
guidance on its Web site and through other sources on many compliance 
issues, including regarding disclosure of information on minors. See 
http://www.hhs.gov/ocr/privacy/ for more information. This may be a new 
requirement for laboratories, but other HIPAA covered entities have, 
for quite some time, followed the requirements in Sec.  164.524 of the 
HIPAA Privacy Rule when providing protected health information.
    Comment: We received comments from organizations that supported the 
proposed change, but noted it would be impossible to know how many 
individuals would request their test reports. Other comments suggested 
the laboratory could receive a barrage of requests. One comment said 
our estimates of 0.05 percent to 0.5 percent of patients requesting 
their test report from the laboratory falls short of what is needed to 
meet the Department's goal of patient engagement to ensure the provider 
receives and acts on the test results. The commenters suggested that 
under the health care transformation that is taking place, the patient 
could be provided a digitally signed copy of the laboratory report in 
his or her electronic patient health record (EHR) at the same time and 
in the same format as the laboratory report provided electronically to 
the requesting health care provider's electronic health record. 
Patients would only need to give the requesting provider the repository 
identifier for their personally controlled health record for inclusion 
with the laboratory test order.
    Response: We agree that it is difficult to know how many 
individuals will request their test report from covered entity 
laboratories. However, we received several comments indicating that the 
preferred method for a patient to receive laboratory test results is 
the same procedure as currently practiced; that is, the health care 
provider's office notifies the patient of the results on the same day 
the results are received from the laboratory. This procedure allows the 
patient to ask the health care provider's office for interpretation of 
the laboratory test report in concert with

[[Page 7316]]

results of other procedures, as well as provides an opportunity to 
discuss any needed treatment or follow-up. Allowing patients to request 
and receive laboratory test reports directly from the laboratory will 
provide an additional route for them to receive the test report. 
However, this will not replace the current procedure. If the ordering 
physician does not contact the patient with critical or significant 
laboratory test results, patients may prompt the physician's office to 
find and act on the test results. The rate of apparent failures to 
inform or document informing the patient of abnormal test results 
ranges from 0 percent to 26.2 percent [Casalino LP, Dunham D, Chin MH, 
et al. Frequency of Failure to Inform Patients of Clinically 
Significant Outpatient Test Results. Arch Intern Med. 2009; 
169(12):1123-1129]. When patients have their laboratory test results, 
they are more likely to ask appropriate questions of their health care 
provider and more fully participate in making better decisions that 
lead to better care. The regulations promulgated pursuant to the HITECH 
Act, particularly for Meaningful Use and Certification of EHRs, 
encourage patient access to comprehensive patient data through robust 
patient-centered health information exchange. Technology is currently 
being tested to allow patients the ability to retrieve personal health 
data directly from secured health records. We agree with the comment 
about electronic health records in that a request for access for 
protected health information to either the health care provider or the 
laboratory may be replaced with this technology as it becomes more 
readily available.

List of Subjects

42 CFR Part 493

    Administrative practice and procedure, Grant programs-health, 
Health facilities, Laboratories, Medicaid, Medicare, Penalties, 
Reporting and recordkeeping requirements.

45 CFR Part 164

    Administrative practice and procedure, Computer technology, 
Electronic information system, Electronic transactions, Employer 
benefit plan, Health, Health care, Health facilities, Health insurance, 
Health records, Hospitals, Medicaid, Medical research, Medicare, 
Privacy, Reporting and recordkeeping requirements, Security.

    For the reasons set forth in the preamble, the Centers for Medicare 
& Medicaid Services amends 42 CFR part 493 as set forth below:

PART 493--LABORATORY REQUIREMENTS

0
1. The authority citation for part 493 continues to read as follows:

    Authority: Section 353 of the Public Health Service Act, secs. 
1102, 1861(e), the sentence following sections 1861(s)(11) through 
1861(16) of the Social Security Act (42 U.S.C. 263a, 1302, 1395x(e), 
the sentence following 1395x(s)(11) through 1395x(s)(16)).

Subpart K--Quality System for Nonwaived Testing

0
2. Section 493.1291 is amended by--
0
A. Revising paragraph (f).
0
B. Adding a new paragraph (l).
    The revision and addition read as follows:


Sec.  493.1291  Standard: Test report.

* * * * *
    (f) Except as provided in Sec.  493.1291(l), test results must be 
released only to authorized persons and, if applicable, the persons 
responsible for using the test results and the laboratory that 
initially requested the test.
* * * * *
    (l) Upon request by a patient (or the patient's personal 
representative), the laboratory may provide patients, their personal 
representatives, and those persons specified under 45 CFR 
164.524(c)(3)(ii), as applicable, with access to completed test reports 
that, using the laboratory's authentication process, can be identified 
as belonging to that patient.
    For the reasons set forth in the preamble, the Department of Health 
and Human Services amends 45 CFR Subtitle A, Subchapter C, part 164, as 
set forth below;

PART 164--SECURITY AND PRIVACY

0
1. The authority citation for part 164 continues to read as follows:

    Authority: 42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-9; sec. 264, 
Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2(note)); and 
secs. 13400-13424, Pub. L. 111-5, 123 Stat. 258-279.


0
2. Section 164.524 is amended by revising paragraphs (a)(1)(i) and (ii) 
and removing paragraph (a)(1)(iii) to read as follows:


Sec.  164.524  Access of individuals to protected health information.

    (a) * * *
    (1) * * *
    (i) Psychotherapy notes; and
    (ii) Information compiled in reasonable anticipation of, or for use 
in, a civil, criminal, or administrative action or proceeding.
* * * * *

    Dated: August 16, 2013.
Thomas R. Frieden,
Director, Centers for Disease Control and Prevention, Administrator, 
Agency for Toxic Substances and Disease Registry.
    Dated: August 19, 2013.
Marilyn Tavenner,
Administrator, Centers for Medicare & Medicaid Services.
    Dated: August 19, 2013.
Leon Rodriguez,
Director, Office for Civil Rights.
    Dated: August 27, 2013.
Kathleen Sebelius,
Secretary, Department of Health and Human Services.

    Editorial Note: This document was received at the Office of the 
Federal Register on January 30, 2014.

[FR Doc. 2014-02280 Filed 2-3-14; 11:15 am]
BILLING CODE 4120-01-P