Clinical laboratories need to understand how their patients’ protected health information is being used and secured by vendors to avert data breaches and HHS penalties
Most readers of The Dark Report, the sister publication to the Dark Daily, are aware that more than 24 million clinical laboratory patients had their protected health information (PHI) stolen during several recent data breaches involving multiple medical laboratory companies.
The first public statements made by clinical lab companies about breaches of protected health information were issued in June. Collectively, the following three lab companies announced that the data of more than 20 million patients was compromised:
What all these clinical lab companies had in common was that they had contracted with American Medical Collection Agency (AMCA) to process lab test claims. AMCA is where the data breaches originated.
Under the rules established by the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996, responsibility for the security of patient PHI falls to covered entities and business associates. This includes healthcare providers, health plans, and healthcare clearinghouses, such as AMCA. For clinical laboratories, this also includes vendors who receive patients’ PHI to complete their service contracts.
Until recently, any violation of HIPAA could draw down enormous fines—called Civil Money Penalties (CMPs)—by the US Department of Health and Human Services (HHS). Fines could reach $1.5 million annually across four categories, or tiers, of violations, depending on HHS’ determination as to the “level of culpability” of the violator. Those categories and min/max fines include:
No Knowledge, $100-$50,000 fine, $1.5 mil annual limit.
Reasonable Cause, $1,000-$50,000 fine, $1.5 mil annual limit.
In the notice, HHS stated, “the Department recognized that section 13410(d) contained apparently inconsistent language (i.e., its reference to two penalty tiers ‘for each violation,’ each of which provided a penalty amount ‘for all such violations’ of an identical requirement or prohibition in a calendar year). To resolve this inconsistency, with the exception of violations due to willful neglect that are not timely corrected, the [interim final rule] adopted a range of penalty amounts between the minimum given in one tier and the maximum given in the second tier for each violation and adopted the amount of $1.5 million as the limit for all violations of an identical provision of the HIPAA rules in a calendar year.”
Modern Healthcare reports that “organizations that have taken measures to meet HIPAA’s requirements will face a much smaller maximum penalty than those who are found neglectful.”
Thus, the new HHS guidelines will be of interest to clinical laboratories, which must ensure the privacy of patients’ PHI, including being keenly aware of how vendor business associates are handling their patients’ data.
In an exclusive interview with The Dark Report, James Giszczak (above), Data Privacy and Cybersecurity Attorney and Chair of the Litigation Department at McDonald Hopkins, said two important steps clinical laboratories must take include, “ensuring that your vendor has appropriate insurance policies in place that cover PHI breaches, and confirming that vendors comply with laws governing the protection of patients’ information.” To do that, he says, every lab needs to ensure that all critical provisions are covered in each contract it has with each vendor. (Photo copyright: Institute of Continuing Legal Education.)
Did HHS Go Too Far?
Some experts, however, wonder if HHS went too far in reducing annual penalties providers may owe. Could lower annual CMP caps cause organizations to relax strict PHI policies? Some privacy authorities urge caution and raise concern about how incentives may be perceived by providers and others.
“HHS is adopting a much lower annual cap for all violations except those due to willful neglect, which means significantly lower penalties for large breaches and for ongoing persistent violations of the rules,” Deven McGraw, Chief Regulatory Officer at Citizen Corporation and former Deputy Director Health Information Privacy for HHS’ Office for Civil Rights, told FierceHealthcare.
“Arguably,” she continued, “the incentive to fix these persistent failures is much less because the potential fines for failing to do so will not be very large. Same is true for large breaches—if you breach 10 records, at a minimum penalty of $1,000 for a breach due to reasonable cause, your fine would be $100,000, which is the annual cap.”
New Annual Limits Recognize ‘Unintentional’ Violations
But not all experts agree. Prior to HHS’ announcement, minimum to maximum penalty violations were the same as noted in the tiers above. The annual limits ($1.5 million), however, were the same for each of the four tiers.
Matthew Fisher, Partner at Mirick O’Connell and Chair of the Worcester, Mass. firm’s health law group, says the new penalty structure “is arguably good in terms of aligning potential penalties with the level of culpability.”
“If a violation was clearly unintentional and without knowledge, why should a potentially massive fine follow? While the discretion existed, the interpretation will now be binding and remove the potential uncertainty,” he told FierceHealthcare.
Advice for Clinical Laboratories
Labs are advised to develop appropriate procedures to safeguard their patients’ PHI under federal and state laws. And this includes knowing how vendors handle PHI.
“Every lab should be proactive and do a review to understand each vendor’s policies, procedures, training, and response in the event of a breach,” James Giszczak, Data Privacy and Cybersecurity Attorney and Chair of the Litigation Department at McDonald Hopkins in Bloomfield Hills, Mich., told The Dark Report (TDR).
“By being prepared, clinical laboratories can save themselves many headaches,” he said. “Ultimately, these proactive steps may help laboratories save time, money, and costly bad publicity.”
Following that advice, along with understanding the new HHS notice, will help medical laboratory managers ensure the privacy and security of their clients’ PHI.
PwC’s list of 12 factors that will shape the healthcare landscape in 2018 calls attention to many new innovations Dark Daily has reported on that will impact how medical laboratories perform their tests
PwC’s Health Research Institute (HRI) issued its annual report, detailing the 12 factors expected to impact the healthcare industry the most in 2018. Dark Daily culled items from the list that will most likely impact clinical laboratories and anatomic pathology groups. They include:
How clinical laboratory leaders respond to these items could, in part, be determined by new technologies.
AI Is Everywhere, Including in the Medical Laboratory
Artificial intelligence is becoming highly popular in the healthcare industry. According to an article in Healthcare IT News, business executives who were polled want to “automate tasks such as routine paperwork (82%), scheduling (79%), timesheet entry (78%), and accounting (69%) with AI tools.” However, only about 20% of the executives surveyed have the technology in place to use AI effectively. The majority—about 75%—plan to invest in AI over the next three years—whether they are ready or not.
One such example of how AI could impact clinical laboratories was demonstrated by a recent advancement in microscope imaging. Researchers at the University of Waterloo (UW) developed a new spectral light fusion microscope that captures images in full color and is far less expensive than microscopes currently on the market.
“In medicine, we know that pathology is the gold standard in helping to analyze and diagnose patients, but that standard is difficult to come by in areas that can’t afford it,” Alexander Wong, PhD, one of the UW researchers, told CLP.
“The newly developed microscope has no lens and uses artificial intelligence and mathematical models of light to develop 3D images at a large scale. To get the same effect using current technologies—using a machine that costs several hundred thousand dollars—a technician is required to ‘stitch together’ multiple images from traditional microscopes,” CLP noted.
Healthcare Intermediaries Could Become Involved with Clinical Laboratory Data
Pricing is one of the biggest concerns for patients and government entities. This is a particular concern for the pharmaceutical sector. PwC’s report notes that “stock values for five of the largest intermediaries in the pharmacy supply chain have slumped in the last two years as demands for lower costs and better outcomes have intensified.”
Thus, according to PwC, pressure may come to bear on intermediaries such as Pharmacy Benefit Managers (PBMs) and wholesalers, to “prove value and success in creating efficiencies or risk losing their place in the supply chain.”
Similar pressures to lower costs and improve efficiency are at work in the clinical laboratory industry as well. Dark Daily reported on one such cost-cutting measure that involves shifting healthcare payments toward digital assets using blockchains. The technology digitally links trusted payers and providers with patient data, including medical laboratory test results. (See, “Blockchain Technology Could Impact How Clinical Laboratories and Pathology Groups Exchange Lab Test Data,” September 29, 2017.)
PwC’s latest report predicts 12 forces that will continue to impact healthcare, including clinical laboratories and anatomic pathology groups, in 2018. (Photo copyright: PwC/Issuu.)
The Opioid Crisis Remains at the Forefront
Healthcare will continue to feel the impact of the opioid crisis, according to the PwC report. Medical laboratories will continue to be involved in the diagnosis and treatment of opioid addiction, which has garnered the full attention of the federal government and has become a multi-million-dollar industry.
Security Remains a Concern
Cybersecurity will continue to impact every facet of healthcare in 2018. Healthcare IT News reported, “While 95% of provider executives believe their organization is protected against cybersecurity attacks, only 36% have access management policies and just 34% have a cybersecurity audit process.”
Patients are aware of the risks and are often skeptical of health information technology (HIT), Dark Daily reported in June of last year. Clinical laboratories must work together with providers and healthcare organizations to audit their security measures. Recognizing the importance of the topic, the National Independent Laboratory Association (NILA) has named cybersecurity for laboratory information systems (LIS) a focus area.
Patient Experience a Priority
Although there have been significant improvements in the area of administrative tasks, there is still an enormous demand for a better patient experience, including in clinical laboratories. Healthcare providers want patients to make changes for the better that ultimately improve outcomes, and the patient experience is one path toward that goal.
As they follow healthcare reform guidelines to increase quality while lowering costs, state governments will continue to ramp up pressure on healthcare providers and third parties in the area of pricing. Rather than simply requiring organizations to report on pricing, states are moving towards legislating price controls, as Dark Daily reported in February.
Social Factors Affect Healthcare Access
The transition to value-based care highlights the fact that patients’ socioeconomic statuses matter when it comes to their health. “The most important part of getting good results is not the knowledge of the doctors, not the treatment, not the drug. It’s the logistics, the social support, the ability to arrange babysitting,” David Berg, MD, co-founder of Redirect Health, told PwC.
One such transition that is helping patients gain access to healthcare involves microhospitals and their adoption of telemedicine technologies, which Dark Daily reported on in March.
“Right now, they seem to be popping up in large urban and suburban metro areas,” Priya Bathija, Vice President, Value Initiative American Hospital Association, told NPR. “We really think they have the potential to help in vulnerable communities that have a lack of access.”
“Physician decision-support software utilizes medical laboratory test data as a significant part of a full dataset used to guide caregivers,” Dark Daily noted. “Thus, if the FDA makes it easier for developers to get regulatory clearance for these types of products, that could positively impact medical labs’ ability to service their client physicians.”
Healthcare Delivery During and Following Natural Disasters
PwC predicts the long-term physical results, financial limitations, and supply chain disruptions following natural disasters will continue to affect healthcare in 2018. The devastation can prevent many people from receiving adequate, timely healthcare.
PwC’s report is an important reminder of where the clinical laboratory/anatomic pathology industry has come from and where it is headed. Sharp industry leaders will pay attention to the predictions contained therein.
Insurers might use blockchain technology to enable instantaneous verification and interoperability of healthcare records, which could impact clinical laboratory payment systems
Medical laboratories and anatomic pathology groups are keenly aware that connected, secure, interoperable health records are critical to smooth, efficient workflows. However, the current, often dysfunctional state of health information technology (HIT) in America’s healthcare system frequently disrupts the security and functionality of information exchange between hospital and ancillary practice patient record systems.
One solution to this could be blockchain technology. With its big data and abundant touchpoints (typically: insurer, laboratory, physician, hospital, and home care), the healthcare industry could be ripe for blockchain information exchanges. Blockchain might enable secure and trusted linkage of payer, provider, and patient data. But what exactly is blockchain technology and how might it impact your laboratory?
Blockchains Could Transform Healthcare
Blockchain refers to a decentralized and distributed ledger that enables the interface of computer servers for the purpose of making, tracking, and storing linked transactions.
“At its core, blockchain is a distributed system recording and storing transaction records. More specifically, blockchain is a shared, immutable record of peer-to-peer transactions built from linked transaction blocks and stored in a digital ledger,” explained risk-management group Deloitte in a report, which goes on to state:
“Blockchain technology has the potential to transform healthcare, placing the patient at the center of the healthcare ecosystem and increasing the security, privacy, and interoperability of health data. This technology could provide a new model for health information exchanges (HIE) by making electronic medical records more efficient, disintermediated, and secure.
“Blockchain relies on established cryptographic techniques to allow each participant in a network to interact (e.g., store, exchange, and view information), without pre-existing trust between the parties.
“In a blockchain system, there is no central authority; instead, transaction records are stored and distributed across all network participants. Interactions with the blockchain become known to all participants and require verification by the network before information is added, enabling trustless collaboration between network participants while recording an immutable audit trail of all interactions.”
Key principles of blockchain (above) demonstrate the decentralization of the healthcare data. In some ways, this resembles electronic health record (EHR) systems that feature federated databases, rather than centralized databases. (Image copyright: Deloitte.)
Instant Verifications and Authorizations at Point-of-Care
In a Healthcare Finance News (HFN) article, insurers acknowledged blockchain’s potential for information verification and authorizations in real-time, fast payments, and access to patient databases that could fulfill population health goals.
“Everybody that is part of a transaction has access to the network. There’s no need for an intermediary. Blockchain allows for verification instantly,” noted Chris Kay, JD, Senior Vice President and Chief Innovation Officer at Humana, in the HFN article.
At clinical laboratories, blockchain could enable nearly instantaneous verification of a patient’s health insurance at time of service. Blockchain also could enable doctors to review a patient’s medical laboratory test results in real-time, even when multiple labs are involved in a person’s care.
“Everyone has to have a node on the blockchain and have a server linked to the blockchain. The servers are the ones talking to one another,” explained Kay. “What’s really transformative about this is it takes the friction out of the system. If I see a doctor, the doctor knows what insurance I have because it’s on the network. All this is verified through underlying security software.”
Healthcare Obstacles to Overcome
Breaking down data silos and loosening proprietary holds on information can help healthcare providers prepare for blockchain. However, in our highly regulated industry, blockchain is at least five years away, according to blockchain experts in a Healthcare IT News (HIT News) article.
“We’re hearing that blockchain is going to revolutionize the way we interact with and store data. But it’s not going to happen tomorrow. Let’s find smaller problems we can solve as a starting point—projects that don’t have the regulatory hurdles—and then take baby steps that don’t require breaking down all the walls,” advised Joe Guagliardo, JD, Intellectual Property/Technology Attorney and Chair of the Blockchain Technology Group at Pepper Hamilton, a Philadelphia-based law firm, in the HIT News article.
Healthcoin: Rewarding Patients for Improved Biomarkers
One company has already started to work with blockchain in healthcare. Healthcoin is a blockchain-based platform aimed at prevention of diabetes, heart disease, and obesity. The idea is for employers, insurers, and others to use Healthcoin (now in pre-launch) to reward people based on biomarker improvements shown in medical laboratory tests.
Healthcoin’s Chief Executive Officer Diego Espinosa and Chief Operating Officer Nick Gogerty founded the company in 2016 after Espinosa, who had been diagnosed with diabetes, made diet changes to reverse it, according to an article in Bitcoin Magazine.
“When I saw my blood labs, the idea for Healthcoin was born—shifting the focus of prevention to ‘moving the needle’ on biomarkers, as opposed to just measuring steps,” Espinosa told Bitcoin Magazine.
Blockchain Provides Security
What does blockchain provide that isn’t available through other existing technologies? According to Deloitte, it’s security and trust.
“Today’s health records are typically stored within a single provider system. With blockchain, providers could either select which information to upload to a shared blockchain when a patient event occurs, or continuously upload to the blockchain,” Deloitte notes. “Blockchain’s security and ability to establish trust between entities are the reasons why it can help solve the interoperability problem better than today’s existing technologies.”
Should Clinical Laboratories Prepare for Blockchain?
It’s important to note that insurers are contemplating blockchain and making relevant plans and strategies. Dark Daily believes the potential exists for blockchain technology to both disrupt existing business relationships, including those requiring access to patient test data, and to create new opportunities to leverage patient test data in real-time that could generate new revenue sources for labs. Thus, to ensure smooth payments, medical laboratory managers and pathology group stakeholders should explore blockchain’s value to their practices.
New studies show number of Americans who are unwilling to reveal private health information is growing, hindering medical technology developers
Healthcare consumers appear to be raising their expectations not only of the quality of care they receive, but also of the privacy and security of their protected health information (PHI). This is an important development for clinical laboratories and pathology groups, since they hold large quantities of patient test data.
News reports indicate that, due to the increase in patient distrust about privacy and security, developers of health information technology (HIT) products that collect and transmit patient data are struggling to insert their products into the broader healthcare market.
However, there is a positive side to this trend for medical laboratory professionals. Patients’ interest in tighter security and privacy protections provides pathology groups and clinical laboratory leaders with an invaluable opportunity to inform patients on their lab’s use of cybersecurity measures and to reiterate their commitment to protecting their patients’ data.
Clinical Laboratories Can Ease Patient Fears
It’s not enough that medical laboratories promote their services and efficiencies. They also must tout the capability of their laboratory information management systems (LIMS) to protect a patient’s PHI. That’s critical because recent studies indicate high proportions of healthcare consumers are becoming increasingly wary of how their healthcare data are protected.
The graphic above taken from a 2017 Accenture survey may indicate why healthcare consumer trust in an organization’s ability to secure protected health data (PHI) has eroded so deeply. (Graphic copyright: Accenture.)
Numerous reports of data hacking and security breaches have eroded healthcare consumers’ trust. Patients are more skeptical than ever about the benefits of HIT, such as:
The poll aimed to explore consumers’ adoption and acceptance of HIT. It found:
87% of consumers are unwilling to divulge all their medical information (up from 66% in 2013);
70% of Americans distrust health technology (a significant increase from 10% in 2014);
And 57% of people who underwent actual encounters with providers’ technology (including ancillary providers, such as clinical laboratories) remain skeptical of HIT.
Even with all the bells and whistles, HIT cannot penetrate the healthcare system if people don’t adopt it, a Black Book news release pointed out.
89% of Patients Withhold Information During Office Visits
Respondents to Black Book’s poll reported being especially alarmed by their data being shared (without their acknowledgement or consent) beyond their hospital and physician. This includes:
Pharmacy prescriptions (90%);
Mental health notes (99%); and
Chronic conditions (81%).
Other key findings from the Black Book poll include the fact that:
89% of consumers withheld health information during their 2016 provider visits;
93% are concerned about security of their personal financial information;
69% say their primary care doctor does not have the technological expertise necessary for them to feel safe divulging extensive personal information.
Missing Data Compromises Care, Analytics
An article in Healthcare IT News reported that fear of breaches is translating to consumers’ reticence to share information. And, the Black Book survey states that data analytics and population health efforts by healthcare providers could be compromised due to consumer distrust, according to a FierceHealthcare article.
“Incomplete medical histories and undisclosed conditions, treatment, or medications raises obvious concerns on the reliability and usefulness of patient health data in application of risk-based analytics, care plans, modeling, payment reforms, and population health programming,” stated Doug Brown, President, Black Book, in the news release.
“This revelation should force cybersecurity solutions to the top of the technology priorities in 2017 to achieve tangible trust in big data dependability,” he concluded.
Patients/Doctors at Odds Over Use of Patient Data
According to the Black Book poll, 91% of people surveyed who use wearable medical tracking devices believe their physician’s EHR should be able to store any health-related data they wish. However, physicians responding to the provider section of the survey stated they have all the information they need. In fact, 94% of the doctors stated patient-generated data (generated by wearables) are “overwhelming, redundant, and unlikely to make a clinical difference.”
The disconnect has led to miscommunication and frustration in the doctor/patient relationship, noted a HealthITSecurity article.
People who struggle to find and understand medical information tend to also be wary of health technologies, such as wearables, patient portals, and mobile apps, noted a UT news release.
Conversely, Americans with a high degree of health literacy are more likely to use fitness trackers and online portals and view them as useful and trustworthy, UT researchers stated.
This study of nearly 5,000 Americans also explored patients’ perceptions of privacy and trust in institutions. Researchers found lower health literacy was associated with more distrust and less adoption of HIT tools.
“There is a pressing need to further the understanding of how health literacy is related to HIT app adoption and usage. This will ensure that all users receive the full health benefits from these technologies in a manner that protects health information privacy, and that users engage with organizations and providers they trust,” the researchers wrote.
Another Dark Daily e-briefing summarized accounts of ransomware and cyberattacks on hospitals and medical labs in 2016. Clinical laboratory leaders are reminded to work with provider teams and appropriate experts to determine the lab’s ability to prevent and withstand cyberattacks.
Labs may glean some ideas from these cybersecurity “2017 must-haves” shared (along with others) in a Healthcare IT News article:
Invest in a risk assessment that makes clear exactly what needs to be protected;
Recognize that beyond medical and billing information, high-tech equipment (such as lab analyzers) needs to be addressed in planning.
Medical laboratory leaders should not be shy about communicating their lab’s cybersecurity priority, investment, and actions taken to keep their patients’ PHI private and secure. That message could be just what skeptical consumers need to hear and could be well received by the lab’s patients.
The DxMA Summit’s agenda will complement EWC’s and will explore disruptive technologies likely to be of great interest to medical laboratory leaders and pathology groups
That’s according to Debra Harrsch, President-elect of the Diagnostics Marketing Association (DxMA), a self-funded organization devoted to helping diagnostic marketing professionals stay abreast of industry trends and effectively navigate the changing legal, regulatory, and technology landscape.