Clinical laboratories need to understand how their patients’ protected health information is being used and secured by vendors to avert data breaches and HHS penalties
Most readers of The Dark Report, the sister publication to the Dark Daily, are aware that more than 24-million clinical laboratory patients had their protected health information (PHI) stolen during several recent data breaches involving multiple medical laboratory companies.
The first public statements made by clinical lab companies about breaches of protected health information were issued in June. Collectively, the following three lab companies announced that the data of more than 20 million patients was compromised:
In the eight weeks that followed, additional medical laboratory companies publicly disclosed breaches of their patient data, including:
- Inform Diagnostics,
- CompuNet Clinical Laboratories,
- Clinical Pathology Laboratories,
- American Esoteric Laboratories,
- South Texas Dermatopathology,
- Seacoast Pathology,
- Arizona Dermatopathology, and
- Laboratory of Dermatopathology ADX.
What all these clinical lab companies had in common was that they had contracted with American Medical Collection Agency (AMCA) to process lab test claims. AMCA is where the data breaches originated.
Under the rules established by the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996, responsibility for the security of patient PHI falls to covered entities and business associates. This includes healthcare providers, health plans, and healthcare clearinghouses, such as AMCA. For clinical laboratories, this also includes vendors who receive patients’ PHI to complete their service contracts.
Until recently, any violation of HIPAA could draw down enormous fines—called Civil Money Penalties (CMPs)—by the US Department of Health and Human Services (HHS). Fines could reach $1.5 million annually across four categories, or tiers, of violations, depending on HHS’ determination as to the “level of culpability” of the violator. Those categories and min/max fines include:
- No Knowledge, $100-$50,000 fine, $1.5 mil annual limit.
- Reasonable Cause, $1,000-$50,000 fine, $1.5 mil annual limit.
- Willful Neglect-Corrected, $10,000-$50,000, $1.5 annual limit.
- Willful Neglect-Not Corrected, $50,000-$50,000, $1.5 annual limit.
Earlier this year, HHS released a “Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties.” In it, HHS revised its interpretation of the law and reduced CMPs, while more clearly defining how provider culpability ties to the ultimate amount of the fines:
- No Knowledge, $100-$50,000 fine, $25,000 annual limit.
- Reasonable Cause, $1,000-$50,000 fine, $100,000 annual limit.
- Willful Neglect-Corrected, $10,000-$50,000, $250,000 annual limit.
- Willful Neglect-Not Corrected, $50,000-$50,000, $1.5 annual limit
In the notice, HHS stated, “the Department recognized that section 13410(d) contained apparently inconsistent language (i.e., its reference to two penalty tiers ‘for each violation,’ each of which provided a penalty amount ‘for all such violations’ of an identical requirement or prohibition in a calendar year). To resolve this inconsistency, with the exception of violations due to willful neglect that are not timely corrected, the [interim final rule] adopted a range of penalty amounts between the minimum given in one tier and the maximum given in the second tier for each violation and adopted the amount of $1.5 million as the limit for all violations of an identical provision of the HIPAA rules in a calendar year.”
Modern Healthcare reports that “organizations that have taken measures to meet HIPAA’s requirements will face a much smaller maximum penalty than those who are found neglectful.”
Thus, the new HHS guidelines will be of interest to clinical laboratories, which must ensure the privacy of patients’ PHI, including being keenly aware of how vendor business associates are handling their patients’ data.
Did HHS Go Too Far?
Some experts, however, wonder if HHS went too far in reducing annual penalties providers may owe. Could lower annual CMP caps cause organizations to relax strict PHI policies? Some privacy authorities urge caution and raise concern about how incentives may be perceived by providers and others.
“HHS is adopting a much lower annual cap for all violations except those due to willful neglect, which means significantly lower penalties for large breaches and for ongoing persistent violations of the rules,” Deven McGraw, Chief Regulatory Officer at Citizen Corporation and former Deputy Director Health Information Privacy for HHS’ Office for Civil Rights, told FierceHealthcare.
“Arguably,” she continued, “the incentive to fix these persistent failures is much less because the potential fines for failing to do so will not be very large. Same is true for large breaches—if you breach 10 records, at a minimum penalty of $1,000 for a breach due to reasonable cause, your fine would be $100,000, which is the annual cap.”
New Annual Limits Recognize ‘Unintentional’ Violations
But not all experts agree. Prior to HHS’ announcement, minimum to maximum penalty violations were the same as noted in the tiers above. The annual limits ($1.5 million), however, were the same for each of the four tiers.
Matthew Fisher, Partner at Mirick O’Connell and Chair of the Worcester, Mass. firm’s health law group, says the new penalty structure “is arguably good in terms of aligning potential penalties with the level of culpability.”
“If a violation was clearly unintentional and without knowledge, why should a potentially massive fine follow? While the discretion existed, the interpretation will now be binding and remove the potential uncertainty,” he told FierceHealthcare.
Advice for Clinical Laboratories
Labs are advised to develop appropriate procedures to safeguard their patients’ PHI under federal and state laws. And this includes knowing how vendors handle PHI.
“Every lab should be proactive and do a review to understand each vendor’s policies, procedures, training, and response in the event of a breach,” James Giszczak, Data Privacy and Cybersecurity Attorney and Chair of the Litigation Department at McDonald Hopkins in Bloomfield Hills, Mich., told The Dark Report (TDR).
“By being prepared, clinical laboratories can save themselves many headaches,” he said. “Ultimately, these proactive steps may help laboratories save time, money, and costly bad publicity.”
Following that advice, along with understanding the new HHS notice, will help medical laboratory managers ensure the privacy and security of their client’s PHI.
—Donna Marie Pocius