News, Analysis, Trends, Management Innovations for
Clinical Laboratories and Pathology Groups

Hosted by Robert Michel

News, Analysis, Trends, Management Innovations for
Clinical Laboratories and Pathology Groups

Hosted by Robert Michel
Sign In

Labs Must Report Privacy Breaches of 500 or More to the Media

Call it HITECH collides with HIPAA! Most pathologists and lab executives know that passage of the HITECH Act was the part of 2009’s American Recovery and Reinvestment Act (also referred to as “ARRA” or the “stimulus bill”). HITECH provides incentives for the expanded use of electronic health records by physicians and other providers.

But what is lesser known is how the HITECH Act creates new legal obligations of covered entities and business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPPA). These new legal mandates are designed to protect the privacy and security of the patient. They require clinical laboratories and all providers to take specific actions whenever patient privacy is breached.

New Patient Privacy Requirements for Clinical Laboratories and Pathology Groups when Patient Privacy is Breached

These new rules took effect in September, but many pathologists and clinical laboratory managers are not yet aware of the responsibilities placed on their clinical laboratories and pathology groups by the new HITECH Act rules. To alert Dark Daily subscribers and readers, we tracked down Elizabeth A. Sullivan, a legal healthcare expert and associate at the law firm of McDonald Hopkins, LLC.

“There are several troubling elements of the new law, for which all clinical labs and pathology groups should be informed,” explained Sullivan. “For example, a laboratory may now proactively need to report certain breaches of patient privacy to a media outlet. For example, if the privacy of 500 or more patients in a state were breached at a provider, that provider must issue a public statement to the media. That’s big! Another requirement is that this provider must immediately contact the secretary of Health and Human Services.

“It can be very difficult to determine what the right media outlet for disclosure is,” she added. “It varies from case to case. It is very important that covered entities know how to recognize what action to take in each very specific situation.”

Sullivan advises laboratories to do more than simply reading the language of the new law. “To be protected, laboratory managers must understand all the details of these new reporting and action requirements whenever a patient privacy breach occurs,” said Sullivan. “The lab team must know how to judge when a patient privacy breach has happened, how to determine a timeline, and what the laboratory’s obligations are to disclose the breach to patients, to media, and to the correct federal agency. These are proactive steps and a laboratory can find itself out of compliance if does not do all these things correctly.”

“These are significant changes to the requirements of providers as defined by HIPAA,” stated Sullivan. “It starts with a provider, like a clinical lab or pathology group, recognizing that a breach of patient privacy has occurred. Under the requirements of HITECH and HIPPA, the covered entity must first recognize that a breach of patient privacy occurred. The next step is to assess whether disclosure of the breach is required.

”As part of this assessment, the clinical laboratory or pathology group must determine if harm resulting from the breach of patient privacy,” she continued. “That depends who had access to the information, what type of information it was and what kind of harm might be caused by that breach. This is what makes the new legal requirements a bit trickier than simply saying, ‘OK, we’ve been compromised. Let’s make a disclosure.’ Your lab staff must not only look at the breach, but it must know how to determine if a disclosure is necessary.”

“Not understanding the full depth of HITECH could result in a number of consequences,” continued Sullivan. “A lab failing to act appropriately may be subject to sanctions, such as payment of a penalty fee. The clinical laboratory may also face certain repercussions from Medicare and Medicaid.”

Elizabeth Snyder will provide up-to-the-minute recommendations and insights about these disturbing legal requirements of the HITECH ACT, along with other changing legal, compliance, and managed contracting issues that touch clinical laboratories and pathology practices. She will present at a “must attend” audio conference. “New Legal Issues and Regulatory Changes and Their Potential Impact on Clinical Laboratories and Pathology Groups.” It will take place on Tuesday, October 27, 2009 at 1 p.m. EDT; 12 p.m. CDT; 11 a.m. MDT; 10 a.m. PDT. For information and to register, visit

Joining Sullivan on this important audio conference are attorneys Richard Cooper and Jane Pine Wood, also of McDonald Hopkins LLC. These three experts in laboratory law, compliance, and managed care contracting will discuss at least six major trends and developments about which laboratories must be informed and prepared. Along with this severe requirement for disclosing patient privacy breaches to the media and a federal agency, other vital topics will include EMR donations and the “do’s and don’ts” for laboratories; how and why some hospitals are putting anatomic pathology services out to bid at contract renewal time; and, new managed care contracting tactics by payers designed to further reduce reimbursement for key1laboratory and AP CPT codes.

Join the experts and register today for this essential audio conference! Take this important step to protect your laboratory from the new regulatory and compliance mandates about which most labs remain unaware. This is hard-hitting, practical knowledge that your lab can use to protect itself.

Don’t forget that your laboratory’s attorneys, legal advisors, and compliance experts can listen to this valuable audio conference simply by gathering together in your lab’s conference room. Better yet, they can ask questions during the interactive Q&A session to get personalized answers to your lab’s unique needs and interests. Reserve your participation in this highly valuable audio conference by registering today at


DATE: Tuesday, October 27, 2009

TIME: 1 p.m. EDT; 12 p.m. CDT; 11 a.m. MDT; 10 a.m. PDT

PLACE: Your telephone or speakerphone

COST: $195 per dial-in site (unlimited attendance per site) through 10/21/09; $245 thereafter

TO REGISTER: Click here or call 1-800-560-6363 toll-free

Related Information:

View the HITECH Breach Notification Guidance and Request for Public Comment supplied by the U.S. Department of Health and Human Services goes over what to know about red flags, notification laws, and the HITECH act. decries what it calls too many rules and not enough vision or value