Attachment C: Return of Individual Results and Special Consideration of Issues Arising from Amendments of HIPAA and CLIA


This SACRHP recommendation is focused on regulatory and ethical issues arising in human research subjects protections due to recent jointly issued amendments to HIPAA and CLIA. 

There is currently significant attention to the distribution of study data and results, both to subjects who participated in the research and to the public at large.  SACHRP has identified four aspects related to returning research results to subjects and releasing the results publicly, with overlap of the concepts along a spectrum: 

Return of incidental findings to subjects

  • Return of individual study results to subjects
  • Return of general study results to subjects
  • Public release of study data

Four aspects

SACHRP partially addressed the issue of public release of data in December 2013 by providing commentary in response to the June 4, 2013, Food and Drug Administration (FDA) Request for Comment relating to the availability of masked and de-identified non-summary safety and efficacy data.  While this SACHRP commentary was focused on the issues presented in the FDA request for comment, it also addressed some of the broader issues associated with the public release of study data.

SACHRP also released a recommendation on the return of general study results to research subjects on April 24, 2015.

SACHRP plans to issue recommendations on return of individual results to subjects and return of incidental findings, in order to provide targeted assessments of the ethical, regulatory, and administrative issues raised by each.  However, HHS’s recent joint amendments to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations[1] have created a specific issue involving release of individual results upon request, pursuant to individuals’ access rights in the HIPAA Privacy Rule.  As a result, certain laboratories in HIPAA covered entities that process research results have a legal responsibility to provide the results to research subjects upon request, although CLIA does not allow returning non-CLIA lab results for a treatment purpose, because of legitimate and long-standing concerns for the validity, reliability and accuracy of results generated in non-CLIA-certified laboratories.  As explained below, access to (or return of) such results would occur only if the information fits within the “designated record set” of the covered entity, a set of information that by definition is not limited to medical records.  HIPAA defines a designated record set broadly to include (1) medical and billing records, (2) certain health plan information, and (3) records “[u]sed, in whole or in part, by or for the covered entity to make decisions about individuals.”  45 CFR 164.501.  HHS has stated that category (3) is not limited to information used to make treatment decisions about individuals.


Regulatory Status

Human Subject Protection Regulations

The HHS Human Subject Protection Regulations (45 CFR 46 and 21 CFR sections 50 and 56)) are silent regarding the return of individual results to research subjects, and neither expressly require nor expressly disallow this activity. 

The Clinical Laboratory Improvement Amendments of 1988 (CLIA)

The Clinical Laboratory Improvement Amendments of 1988 (CLIA) (42 CFR 493) is intended to ensure that laboratory results used in patient care are accurate.  CLIA contains an exception to the return of certain research results at 42 CFR 493.3(b)(2), by “Research laboratories that test human specimens but do not report patient specific results for the diagnosis, prevention or treatment of any disease or impairment of, or the assessment of the health of individual patients”.  These labs do not require CLIA certification.  However, if the lab reports individually identifiable research results for clinical care purposes, then this exception does not apply, and the laboratory would require certification under CLIA or by a cognizant state agency. 

If, when research results are returned to subjects, subjects are counseled that these results are not for treatment purposes and that they should seek additional testing through their regular health care providers at CLIA-certified laboratories, then the researcher would not be giving results for diagnosis or treatment purposes and therefore would not violate the applicable CLIA regulations.  CMS has taken the position, however, that the agency would regard any return of research results as violating the research exemption.  While the intent of the CMS interpretation may be benign, a recent legal analysis concluded that it is unsupported by the plain regulatory language, as well as judicial canons of construction that give meaning to each word in a regulation.[2]  For example, encouraging someone to “seek a health assessment” is not itself an “assessment of the health” of the person, and accordingly should not violate the research exception.[3]  Moreover, this commentator observes that “legal uncertainty is chilling communication of results from non-CLIA-certified labs.”  According to a National Heart, Lung, and Blood Institute (“NHLBI”) Working Group, “[t]his is a high-impact issue” for genetics studies.[4]

Further, CMS has suggested publicly that if research laboratories wish to be able to give test results to research subjects, even if on a case-by-case basis, those laboratories should obtain CLIA certification.  In this way, CMS has asserted, the return of research test results to subjects would present no compliance problems.  However, as SACHRP has discussed, this is not a realistic alternative, as it would impose tremendous, new transaction costs on research and could even lead to the elimination of some research laboratories and the consolidation of others, which would reduce research opportunities overall.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The HIPAA Privacy Rule (45 CFR 164) among other things, requires that patients have access to their Protected Health Information (PHI).  There are certain exceptions, including the option to delay temporarily access to records during the course of research – as, for example, in a clinical trial.  Subjects in research studies can obtain individual results from the research if they are part of the subjects’ “designated record set,” but those results may be withheld while the research is being conducted in order to protect study “blinding” and other study design elements that are intended to reduce bias in the conduct of the research, as long as subjects have been informed of the access restrictions in place during the trial. 

On February 6, 2014, the Centers for Medicare and Medicaid Services and the Office for Civil Rights (OCR) jointly published a rule entitled “CLIA Program and the HIPAA Privacy Rule: Patients Access to Test Reports.” 

The summary of the rule says:

SUMMARY: This final rule amends the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations to specify that, upon the request of a patient (or the patient’s personal representative), laboratories subject to CLIA may provide the patient, the patient’s personal representative, or a person designated by the patient, as applicable, with copies of completed test reports that, using the laboratory’s authentication process, can be identified as belonging to that patient. Subject to conforming amendments, the final rule retains the existing provisions that require release of test reports only to authorized persons and, if applicable, to the persons responsible for using the test reports and to the laboratory that initially requested the test. In addition, this final rule amends the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to provide individuals (or their personal representatives) with the right to access test reports directly from laboratories subject to HIPAA (and to direct that copies of those test reports be transmitted to persons or entities designated by the individual) by removing the exceptions for CLIA certified laboratories and CLIA-exempt laboratories from the provision that provides individuals with the right of access to their protected health information. These changes to the CLIA regulations and the HIPAA Privacy Rule provide individuals with a greater ability to access their health information, empowering them to take a more active role in managing their health and health care.

The affected laboratories are only those located in HIPAA-covered entities that are thereby subject to the Privacy Rule.[5]

In the article “Regulatory Changes Raise Troubling Question for Genomic Testing,”[6] Evans argues that these regulatory changes have failed to take into account the existence of non-CLIA approved laboratories conducting research activities in covered entities:

In a grave omission, the recent amendments do not provide an exception that excuses non-CLIA research laboratories, those that operate under CLIA'.s research exemption at 42 C.F.R. § 493.3(b)(2)-from having to comply with the Privacy Rule's § 164.524 individual access requirements.  HHS may have believed this was unnecessary because the amendments ostensibly apply only to CLIA-certified and CLIA exempt laboratories.  The CLIA regulations define "CLIA-exempt" as referring to laboratories regulated under state laws, as in Washington or New York, that the Centers for Medicare and Medicaid Services has found to be equivalent to CLIA.  Yet when HHS published the Privacy Rule many years ago, it interpreted the term “CLIA-exempt" as also including non-CLIA research laboratories for purposes of the § 164.524 individual access right (ref. 9 at 82,485). Forgetting this history, the recent amendments eliminated a § 164.524 exception that kept "CLIA exempt" laboratories from being required to comply with§ 164.524.  This inadvertently put HIPAA-covered, but non-CLIA-certified, laboratories squarely in the crosshairs of individuals' new § 164.524 access right.[7]

Questions accordingly have been raised about whether HHS intended to include research labs among the labs that must honor individuals’ access rights upon request.  Regarding intent, HHS repeatedly stated in the preamble to this new regulatory change that its goal was “to remove barriers in the HIPAA Privacy and CLIA regulations to individual access to test reports maintained by laboratories subject to or exempt from CLIA.”[8]   HHS said it expanded access rights to lab results so individuals could be “more proactive and more informed with regard to their health,” and specified that “removing barriers in this area supports the commitments and goals of the Secretary of the Department of Health and Human Services (the Department) and the Administrator of CMS regarding personalized medicine [and] and individual’s active involvement in his or her own health care.”[9]  It further expressed support for legal access rights even when results might cause anxiety; “concerns about psychological or emotional harm are not sufficient to justify denial of access.”[10]  These HHS statements suggest that when an individual asks a lab for results – not for a treatment purpose governed by CLIA, but rather pursuant to a legal right of access to information in a designated record set -- HHS supports a legal right of access in the current environment, taking into account personalized medicine initiatives and proactive engagement in one’s own health care.  This current approach of HHS to expanding rights of access therefore would seem to contradict the CMS interpretation that test results from non-CLIA-certified laboratories should not under any circumstances be distributed to or shared with test subjects.

Food and Drug Administration (FDA) Regulations and Guidance

An additional regulatory consideration is that the FDA is in the process of exercising more direct oversight of Laboratory Developed Tests (LDTs), and that the resultant rules and guidance currently being created could also create implications regarding the return of research results from CLIA-exempt research-oriented laboratories.  FDA’s Draft Guidance on the Framework for Regulatory Oversight of LDTs (Oct. 2014) would treat LDTs as being subject to medical device requirements in most cases, and for clinical investigations as being subject to IDE requirements, unless an exemption applies.  Based on recent dialogue between FDA and SACHRP, it appears that FDA would require an entity (and a cognizant IRB) to determine if the research test poses significant risk or non-significant risk; this determination would depend in part on whether a confirmatory test in a CLIA laboratory is available or a comparable test does not exist, and the extent of risk in giving results to participants, even with caveats.  If the research test poses a significant risk, then an IDE would need to be obtained before any results (with clinical interpretation) from that test could be returned to research subjects.  FDA has also indicated that it may be permissible to provide “raw data” to participants, without interpretation.    Clarity is needed as to how these lines should be drawn, and what FDA would expect from a regulatory standpoint when covered entities with non-CLIA research labs are required to provide results to individuals upon request in this context, as part of a designated record set, or otherwise wish to provide these results as an ethical matter, regardless of HIPAA requirements.

Summary of Regulatory Interpretation Issues

In summary, a regulatory conflict exists within HHS as to when research participants have a right to obtain test results from a non-CLIA-certified research laboratory that exists within a HIPAA covered entity.   The 2014 HIPAA/CLIA final rule and preamble state that individuals have a legal right to request and obtain test results from HIPAA-covered laboratories when such results are part of the “designated record set.” HIPAA requires such access following an individual’s request, yet CLIA prohibits research labs from providing test results generated by non-CLIA-certified labs when those results are provided “for treatment purposes.”  CMS personnel have interpreted this prohibition broadly, to forbid any communication of test results to patients from non-CLIA-certified labs.  In addition, FDA has proposed greater oversight of LDTs, and its draft guidance suggests that FDA may require IDEs for a broader set of clinical investigations, which may include genetic sequencing or other research laboratory tests; and it is unclear under such IDEs whether LDT research test results may be communicated to subjects. 

For all these reasons, clarity is urgently needed to guide the research community in how to resolve these regulatory conflicts, so that regulatory mandates, individual privacy rights, and the rights of research participants are concurrently respected.

SACHRP Recommendations: 

  1. SACHRP recommends that HHS – including OCR, FDA and CMS – clarify and ratify, through whatever regulatory interpretations or amendments necessary, that researchers who identify clinically actionable information from the results of a research test conducted in a non-CLIA-certified laboratory be able, without legal penalty, to refer a subject to a CLIA-certified laboratory for additional testing, to enable the subject to obtain such information through clinically reliable means.
  2. SACHRP recommends that CMS consider a more nuanced approach to the provision of results to individuals, upon their request, from non-CLIA-certified research labs that conduct research tests. Currently, CMS interpretation is that the return of such results is generally prohibited.  This interpretation seems at odds with the plain language of the regulation, which prohibits performing a non-CLIA-certified laboratory test for purposes of diagnosing or treating a person, but does not prohibit data releases required by law or for other purposes.  CMS’ interpretation also seems to conflict with HHS’ statements in the preamble to the February 2014 joint rule, related OCR interpretations of HIPAA, and HHS public statements about making participants a partner in research, particularly in precision medicine initiatives.  Moreover, there are times when the blunt tools of regulations cannot take into account unique factual situations in which ethics requires exceptions to the rule, or legal rights of individuals require access to information. Just as the FDA has found it imperative to create treatment use access options to the FDA prohibition on the use of non-FDA approved medical products in the United States, CMS should create criteria for an exception to the blanket prohibition of return of results from non-CLIA-certified research labs for treatment and/or informational purposes, if, in the judgment of the institution (who may also, consistent with institution-specific policies, consult with the IRB), return of results to the research subject is appropriate. In those cases, whenever possible, researchers should advise subjects to seek additional testing from CLIA-certified laboratories, through their own health care providers.
  3. SACHRP recommends that HHS – including OCR, FDA, and CMS – clarify the duties of HIPAA-covered entities to provide results to individuals, upon their request, from non-CLIA-certified research laboratories that conduct genetic sequencing and other research tests.  In light of HHS’s repeated statements of intent in the joint HIPAA/CLIA final rule, SACHRP believes the clarification should indicate that fulfilling an individual’s access right under HIPAA is a release required by law, and is therefore permissible, even if such duty is in conflict with CLIA’s current prohibition on the release to test subjects of such information.    
  4. SACHRP recommends that OCR provide guidance on how to interpret the term “designated record set” in the context of return of results from non-CLIA research labs. As noted, HIPAA’s definition of “designated record set” includes information beyond the medical record, and extends to information that may be “used … by or for the covered entity to make decisions about individuals.”  We recommend the guidance incorporate the following principles or points to consider, none of which is mutually exclusive:
  • Referral to CLIA-Certified Laboratory:  If a covered entity may use a test result from a non-CLIA-certified laboratory to encourage an individual to provide a new specimen or to get tested at a CLIA-certified laboratory, then the entity is using the primary test results to make a decision about the individual. Assuming the primary test results are “complete,” they generally should be released to an individual upon request, as part of the designated record set.  When researchers reasonably foresee this situation in advance, they should address it in their protocol so that the IRB is aware of the investigators’ intent, in appropriate cases and on the investigators’ own initiative, to refer subjects to additional care and testing.  Further, investigators should explain to participants as part of the consent process what it might mean if the subjects, having been provided such referrals by investigators, seek their research test results through their HIPAA access rights.  OCR’s guidance should mention that a covered entity is permitted to include caveats with a release of test results, e.g., to ensure an individual is aware that a test is from a research laboratory.
  • Clinical Significance:  If a HIPAA-covered entity believes that a non-CLIA laboratory test result may have clinical significance such that the entity may use it to make decisions related to the individual, then the result is part of a designated record set and must be released upon the individual’s request.  As noted earlier, we recommend that a covered entity typically refer an individual for secondary testing at a CLIA-approved laboratory in this situation, if such testing is in fact reasonably available.  If a CLIA-certified laboratory does not offer the test (e.g., because it is a cutting-edge research test), then the results should still be provided upon the individual’s request in this situation.  The purpose of the release is that it is required by law, consistent with the HIPAA-guaranteed individual right of access, and not to diagnose or treat the individual, as prohibited by the CLIA research exception.
  • Standard for Determining “Designated Record Set”:  If an individual requests a completed test result, then the covered entity should determine if it reasonably might use the information to make decisions about the individual. If so, it must release the result pursuant to HIPAA.  If not, then the release is not required by HIPAA, but the entity may wish to consult its IRB or counsel about responding to the request, as a matter of ethics or of other applicable law.
  • Outside of Designated Record Set:  If a covered entity believes a non-CLIA laboratory test result does not have clinical significance and would not otherwise be used to make decisions about individuals, then the result is not within the designated record set and need not be released upon request.
  1. SACHRP recommends that FDA address, as part of its planned oversight of Laboratory Developed Tests, when results of research on or utilizing LDTs can be returned to subjects. This guidance should expressly take into account individuals’ legal right under HIPAA to access information in a designated record set, which in some circumstances may include results from non-CLIA-certified research laboratories. It should also include, in this specific context, when raw laboratory results may be released, when and using what standards a covered entity must determine significant risk or non-significant risk, and when an IDE is required as a condition precedent to return of results.

These questions are pressing in an environment in which individuals increasingly are requesting access to their information, and major personalized/precision medicine initiatives turn on advances in research laboratory genetic testing studies.

[1] U.S. Department of Health and Human Services. CLIA program and HIPAA privacy rule: patients' access to test reports. Federal Register 2014;79:7290-7316 (6 February 2014).
[2] Evans, First Amendment Right to Speak About the Human Genome, at 562-563.
[3] Id. at 565.
[4] Id. at 565 (citing R. Fabsitz et al, Ethical and Practical Guidelines for Reporting Genetic Research Results to Study Participants: Updated Guidelines from a National Heart, Lung, and Blood Institute Working Group, 3 Circulation Cardiovascular Genetics 574, 576 (2010).
[5] Prior to the 2014 rule, individuals had a right under HIPAA to access lab results from covered entities in many situations (such as from a hospital lab through a hospital’s medical records office, after a doctor reviewed the result).  However, the original Privacy Rule did not mandate that CLIA-certified labs that were covered entities always had to provide individual access rights; rather, if CLIA prohibited the disclosure to an individual, then the lab was not required to provide access to the individual. Regarding research labs, the original Privacy Rule acknowledged that “research laboratories that test human specimens but do not report patient specific results for the diagnosis, prevention or treatment of any disease or impairment of, or the assessment of the health of individual patients” were exempt from CLIA regulations.  HHS stated that such research labs, “[[i]f subject to the access requirements … would be forced to meet the requirements of CLIA from which they are currently exempt.  To eliminate this additional regulatory burden, we have also excluded covered entities that are exempt from CLIA under that rule from the access requirement of this [Privacy Rule] regulation.”   65 Fed. Reg. at 82485 (Dec. 28, 2000).  In 2014, HHS shifted to a position strongly favoring individual access rights, and amended CLIA and HIPAA so that CLIA and CLIA-exempt labs were obligated to directly give individuals access to lab test results upon request.
[6] B. Evans et al., Regulatory Changes Raise Troubling Question for Genomic Testing, GENETICS in MEDICINE, Volume 16, Number 11 (November 2014].
[7] Id. at 801.
[8] 79 Fed. Reg. 7290, at 7296 (Feb. 6, 2014). 
[9] Id. at 7293 and 7290.
[10] Id. at 7296.


Content created by Office for Human Research Protections (OHRP)
Content last reviewed