Clinical laboratories should take a proactive approach to ensure compliance with current price transparency regulations
Price transparency in healthcare continues to be a focus of the Centers for Medicare and Medicaid Services (CMS). As of this ebrief, the agency has cited nearly a dozen hospitals this year that failed to, wholly or in part, follow through with federal legislation due to technical issues.
The citations, paired with President Trump’s executive order from February on price transparency, demonstrate a growing trend toward costly enforcement.
It’s not clear from the documentation posted by CMS if any of this involves price transparency with clinical laboratory tests. Labs that operate within hospitals or health systems are subject to the executive order; thus, diagnostic test pricing estimates are subject to transparency mandates.
Based on enforcement actions posted online by CMS, it’s clear that the agency is looking into technical issues of price transparency requirements that have little to do with diagnostic medicine. From that perspective, clinical laboratory teams may want to pass this Dark Daily ebrief along to their IT department and business analysts, whose work is drawing criticism from CMS at some hospitals.
The entire lab team should be proactive on the issue of price transparency.
“Imagine how a one-on-one conversation with a patient would go if a physician explained that a routine cholesterol test sent to Lab A would cost five times that of Lab B. Anyone think the patient would choose Lab A?” wrote Bryan Vaughn, senior vice president, health systems and mid-America division, Labcorp, in an article he penned for the lab company’s website. (Photo copyright: Labcorp.)
Hefty Fines and Warnings from CMS
According to CMS, already in 2025, 10 hospitals have received civil monetary penalty (CMP) notices of hefty fines for non-compliance. They include:
Arkansas Methodist Medical Center, Paragould, Ark. $309,738
Northlake Behavioral Health System, Mandeville, La. $257,180
Lawrence Rehabilitation Hospital, Brick, N.J. $120,120
Community Care Hospital, New Orleans, La. $93,214
Hill Hospital of Sumter County, York, Ala. $84,216
Bucktail Medical Center, Renovo, Pa. $75,582
D.W. McMillan Memorial Hospital, Brewton, Ala. $71,852
First Surgical Hospital, Bellaire, Texas $62,016
CCM Health, Montevideo, Minn. $55,611
Southeast Regional Medical Center, Kentwood, La. $32,301
Payments for citations are due 60 days after receiving the CMP notice.
Trump’s Executive Order
CMS’ price transparency focus comes alongside President Trump’s Executive Order 14221, “Making America Healthy Again by Empowering Patients with Clear, Accurate, and Actionable Healthcare Pricing Information,” which the administration put out in February of this year, CMS noted.
As covered in the March 31 issue of The Dark Report, a sister publication to Dark Daily, Trump’s order is an expansion of his previous price transparency ruling, which went into effect at the start of 2021.
At that time, hospitals were required to “provide clear, accessible pricing information online about the items and services they provide” that was easy to understand and use, along with machine-readable files listing all services and items available, CMS noted.
Impact on Clinical Laboratories
CMS’ updated requirements and refreshed enforcement against healthcare organizations remain pertinent to hospital laboratories mostly because of extreme variations in test pricing.
“Reports continue to point out wide differences in the prices of routine laboratory testing across settings. Yet, routine lab testing may be some of the most comparable procedures in healthcare, with minimal differences in methods or quality,” wrote Bryan Vaughn, senior vice president of health systems and the mid-America division at Labcorp, in an article he penned for the lab company’s website.
Vaughn cited price differences of as much as $600 for metabolic or lipid panels and other standard lab tests.
It behooves clinical labs to verify that the information they provide to consumers online about test prices is indeed easy to understand and meets the spirit of the executive order and CMS. Failure to do so could be costly to a health system or hospital.
Clinical laboratories need to understand how their patients’ protected health information is being used and secured by vendors to avert data breaches and HHS penalties
Most readers of The Dark Report, the sister publication to the Dark Daily, are aware that more than 24 million clinical laboratory patients had their protected health information (PHI) stolen during several recent data breaches involving multiple medical laboratory companies.
The first public statements made by clinical lab companies about breaches of protected health information were issued in June. Collectively, the following three lab companies announced that the data of more than 20 million patients was compromised:
What all these clinical lab companies had in common was that they had contracted with American Medical Collection Agency (AMCA) to process lab test claims. AMCA is where the data breaches originated.
Under the rules established by the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996, responsibility for the security of patient PHI falls to covered entities and business associates. This includes healthcare providers, health plans, and healthcare clearinghouses, such as AMCA. For clinical laboratories, this also includes vendors who receive patients’ PHI to complete their service contracts.
Until recently, any violation of HIPAA could draw down enormous fines—called Civil Money Penalties (CMPs)—by the US Department of Health and Human Services (HHS). Fines could reach $1.5 million annually across four categories, or tiers, of violations, depending on HHS’ determination as to the “level of culpability” of the violator. Those categories and min/max fines include:
No Knowledge, $100-$50,000 fine, $1.5 mil annual limit.
Reasonable Cause, $1,000-$50,000 fine, $1.5 mil annual limit.
In the notice, HHS stated, “the Department recognized that section 13410(d) contained apparently inconsistent language (i.e., its reference to two penalty tiers ‘for each violation,’ each of which provided a penalty amount ‘for all such violations’ of an identical requirement or prohibition in a calendar year). To resolve this inconsistency, with the exception of violations due to willful neglect that are not timely corrected, the [interim final rule] adopted a range of penalty amounts between the minimum given in one tier and the maximum given in the second tier for each violation and adopted the amount of $1.5 million as the limit for all violations of an identical provision of the HIPAA rules in a calendar year.”
Modern Healthcare reports that “organizations that have taken measures to meet HIPAA’s requirements will face a much smaller maximum penalty than those who are found neglectful.”
Thus, the new HHS guidelines will be of interest to clinical laboratories, which must ensure the privacy of patients’ PHI, including being keenly aware of how vendor business associates are handling their patients’ data.
In an exclusive interview with The Dark Report, James Giszczak (above), Data Privacy and Cybersecurity Attorney and Chair of the Litigation Department at McDonald Hopkins, said two important steps clinical laboratories must take include, “ensuring that your vendor has appropriate insurance policies in place that cover PHI breaches, and confirming that vendors comply with laws governing the protection of patients’ information.” To do that, he says, every lab needs to ensure that all critical provisions are covered in each contract it has with each vendor. (Photo copyright: Institute of Continuing Legal Education.)
Did HHS Go Too Far?
Some experts, however, wonder if HHS went too far in reducing annual penalties providers may owe. Could lower annual CMP caps cause organizations to relax strict PHI policies? Some privacy authorities urge caution and raise concern about how incentives may be perceived by providers and others.
“HHS is adopting a much lower annual cap for all violations except those due to willful neglect, which means significantly lower penalties for large breaches and for ongoing persistent violations of the rules,” Deven McGraw, Chief Regulatory Officer at Citizen Corporation and former Deputy Director Health Information Privacy for HHS’ Office for Civil Rights, told FierceHealthcare.
“Arguably,” she continued, “the incentive to fix these persistent failures is much less because the potential fines for failing to do so will not be very large. Same is true for large breaches—if you breach 10 records, at a minimum penalty of $1,000 for a breach due to reasonable cause, your fine would be $100,000, which is the annual cap.”
New Annual Limits Recognize ‘Unintentional’ Violations
But not all experts agree. Prior to HHS’ announcement, minimum to maximum penalty violations were the same as noted in the tiers above. The annual limits ($1.5 million), however, were the same for each of the four tiers.
Matthew Fisher, Partner at Mirick O’Connell and Chair of the Worcester, Mass. firm’s health law group, says the new penalty structure “is arguably good in terms of aligning potential penalties with the level of culpability.”
“If a violation was clearly unintentional and without knowledge, why should a potentially massive fine follow? While the discretion existed, the interpretation will now be binding and remove the potential uncertainty,” he told FierceHealthcare.
Advice for Clinical Laboratories
Labs are advised to develop appropriate procedures to safeguard their patients’ PHI under federal and state laws. This includes knowing how vendors handle PHI.
“Every lab should be proactive and do a review to understand each vendor’s policies, procedures, training, and response in the event of a breach,” James Giszczak, Data Privacy and Cybersecurity Attorney and Chair of the Litigation Department at McDonald Hopkins in Bloomfield Hills, Mich., told The Dark Report (TDR).
“By being prepared, clinical laboratories can save themselves many headaches,” he said. “Ultimately, these proactive steps may help laboratories save time, money, and costly bad publicity.”
Following that advice, along with understanding the new HHS notice, will help medical laboratory managers ensure the privacy and security of their clients’ PHI.