OCR, HIPAA, and Individuals’ Right to Access Laboratory Test Results

The Office for Civil Rights (OCR) released guidance clarifying an individual’s right, under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, to access all the protected health information (PHI) about them that is in the designated record set maintained by or for a HIPAA covered entity (health plans and most health care providers).[1] The stated intent in publishing this guidance is to empower individuals to take control of their health and well-being by removing barriers to accessing health information.

The OCR guidance is particularly interesting in the context of an individual’s right to access laboratory test reports. In 2014, the Department of Health and Human Services (HHS) adopted a new rule that amended both the HIPAA Privacy Rule and the Clinical Laboratory Improvement Amendments (CLIA) Laboratory Requirements.[2] These amendments expanded an individual’s ability to receive test reports directly from laboratories.


Unfortunately, the new rule has caused some uncertainty in the research community regarding its application to research laboratory test results.[3]

For example, commentators note that it is unclear which types of research laboratory tests would be considered part of the designated record set and thus, subject to the Privacy Rule access provisions.[4] While OCR guidance does not directly address this uncertainty, it does provide some clarity on the scope of information a laboratory must provide upon a request for access.

In addressing the right to access genomic information generated by a clinical laboratory, OCR explains that the designated record set includes not only the laboratory test reports but also the underlying information generated as part of the test. For example, in a laboratory that conducts next generation sequencing (NGS) of DNA on an individual (e.g. whole genome sequencing), the designated record set would include the completed test report, the full gene variant information generated by the test, and any other information concerning the test.

This information addresses a question held by many commentators as to whether the large amount of genetic information produced by NGS—including raw, uninterpreted genetic data—could become part of the designated record set.[5] There is concern that, if this data is indeed considered part of the designated record set, individuals could request and receive access to unintelligible data with no corresponding interpretive assistance and counseling.[6] This outcome is seen as particularly troubling in the context of research, where exploratory laboratory test results may have unknown analytic and clinical validity.[7]

In an apparent response to this concern, OCR points out that, because the Privacy Rule only gives an individual the right to inspect or copy the designated record set, it does not require the laboratory to interpret the laboratory test results for patients. A covered entity therefore has no obligation to create new information, such as explanatory materials or analyses that do not already exist in the designated record set. A laboratory is also permitted to provide the test reports with a disclaimer or caveat explaining the limitations of the laboratory data for diagnosis or treatment purposes.

Going Forward

Although OCR’s statements were made in the context of clinical laboratories, PHI maintained by or for a research laboratory that is a covered entity may also become part of the designated record set and, if so, the same scope of information would be available to research participants.

It thus appears that OCR has taken the ethical and regulatory stance that “more information is better.” In introducing the guidance, the agency stressed that an individual’s autonomy interests and their right under the Privacy Rule to obtain information about themselves are fundamental in facilitating an individual’s active participation in their own health care. OCR states that “general concerns about psychological or emotional harm are not sufficient to deny an individual access (e.g., concerns that the individual will not be able to understand the information or may be upset by it).”

This ethical standpoint is consistent with the agency’s regulatory position, as presented in the guidance, that if access to genomic test data is requested, this information must be provided and interpretive assistance is not mandatory. How the recent OCR guidance will be interpreted by the research community and the potential effects on research participants’ access to laboratory test results remain to be seen.



[1] OCR Guidance, Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524 (January 7, 2016), http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.

[2] CLIA Program and HIPAA Privacy Rule; Patients’ Access to Test Reports, 79 Fed. Reg. 7290 (Feb. 6, 2014) (amending 42 C.F.R. § 493.1291; 45 C.F.R. § 164.524).

[3] See, e.g., Secretary’s Advisory Committee on Human Research Protections (SACHRP) Letter to the HHS Secretary, Attachment C: Return of Individual Results and Special Consideration of Issues Arising from Amendments of HIPAA and CLIA (September 28, 2015), http://www.hhs.gov/ohrp/sachrp/commsec/attachmentc:letter9/28/15.html; Mark Barnes et al., The CLIA/HIPAA Conundrum of Returning Test Results to Research Participants, 14 Bloomberg BNA Med. Res. L. & Pol. Rep. 491 (July 2015); Barbara J. Evans et al., Regulatory changes raise troubling questions for genomic testing, 16 Am. C. Med. Genetics & Genomics 799 (November 2014).

[4] Id.

[5] See, e.g., Mark Barnes et al., The CLIA/HIPAA Conundrum of Returning Test Results to Research Participants, 14 Bloomberg BNA Med. Res. L. & Pol. Rep. 491 (July 15, 2015); Barbara J. Evans et al., Regulatory changes raise troubling questions for genomic testing, 16 Am. C. Med. Genetics & Genomics 799 (November 2014).

[6] Id.

[7] See, e.g., Presidential Commission for the Study of Bioethical Issues, Anticipate and Communicate: Ethical Management of Incidental and Secondary Findings in the Clinical, Research, and Direct-to-Consumer Contexts (December 2013), http://bioethics.gov/node/316; Susan M. Wolf et al., Managing Incidental Findings and Research Results in Genomic Research Involving Biobanks & Archived Datasets, 14 Genetics in Med. 361 (April 2012); Richard R. Fabsitz et al., Ethical and Practical Guidelines for Reporting Genetic Research Results to Study Participants: Updated Guidelines from a National Heart, Lung and Blood Institute Working Group, 3 Circulation: Cardiovascular Genetics 574 (December 2010); Susan M. Wolf et al., Managing Incidental Findings in Human Subjects Research: Analysis and Recommendations, 36 J.L. Med. & Ethics 219 (October 2008).
