News, Analysis, Trends, Management Innovations for
Clinical Laboratories and Pathology Groups

Hosted by Robert Michel

Change Healthcare Cyberattack Disrupts Pharmacy Order Processing for Healthcare Providers Nationwide

Initially thought to be an attack by a nation-state, the actual culprit turned out to be a known ransomware group, and each day brings new revelations about the cyberattack

Fallout continues from the cyberattack on Change Healthcare, the revenue cycle management (RCM) company that is a business unit of Optum, itself a division of UnitedHealth Group. Recent news accounts say providers are losing an estimated $100 million per day because they can neither submit claims to Change Healthcare nor receive reimbursement for these claims.

The cyberattack took place on February 21. The following day, UnitedHealth Group filed a Material Cybersecurity Incidents report (form 8-K) with the US Securities and Exchange Commission (SEC) in which it stated it had “identified a suspected nation-state associated cybersecurity threat actor [that] had gained access to some of the Change Healthcare information technology systems.”

A few days later the real identity of the threat actor was revealed to be a ransomware group known as “BlackCat” or “ALPHV,” according to Reuters.

Change Healthcare of Nashville, Tenn., is “one of the largest commercial prescription processors in the US,” Healthcare Dive reported, adding that hospitals, pharmacies, and military facilities had difficulty transmitting prescriptions “as a result of the outage.”

 Change Healthcare handles about 15 billion payments each year.

According to a Change Healthcare statement, the company “became aware of the outside threat” and “took immediate action to disconnect Change Healthcare’s systems to prevent further impact.”

Change Healthcare has provided a website where parties that have been affected by the cyberattack can find assistance and updated information on Change’s response to the intrusion and theft of its data.

“The fallout is only starting to happen now. It will get worse for consumers,” Andrew Newman (above), founder and Chief Technology Officer, ReasonLabs, told FOX Business, adding, “We know that the likely destination for [the Change Healthcare] data is the Dark Web, where BlackCat will auction it all off to the highest bidder. From there, consumers could expect to suffer from things like identity theft, credit score downgrades, and more.” Clinical laboratories are also targets of cyberattacks due to the large amount of private patient data stored on their laboratory information systems. (Photo copyright: ReasonLabs.)

Millions of Records May be in Wrong Hands

Reuters reported that ALPHV/BlackCat admitted it “stole millions of sensitive records, including medical insurance and health data from the company.” 

The ransomware group has been focusing its attacks on healthcare with 70 incidents since December, according to federal agencies. 

“The healthcare sector has been the most commonly victimized. This is likely in response to the ALPHV BlackCat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023,” noted a joint statement from the federal Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS).

AHA Urges Disrupted Hospitals to Disconnect from Optum

In an AHA Cybersecurity Advisory, the American Hospital Association recommended that affected providers “consider disconnection from Optum until it is independently deemed safe to reconnect to Optum.”

In a letter to HHS, AHA warned, “Change Healthcare’s downed systems will have an immediate adverse impact on hospital finances. … Their interrupted technology controls providers’ ability to process claims for payment, patient billing, and patient cost estimation services.”

“My understanding is Change/Optum touches almost every hospital in the US in one way or another,” John Riggi, AHA’s National Advisor for Cybersecurity and Risk, told Chief Healthcare Executive. “It has sector wide impact in potential risk. So, really, this is an attack on the entire sector.” Riggi spent nearly 30 years with the FBI.

Some physician practices may also have been impacted by the Change Healthcare cyberattack, according to the Medical Group Management Association (MGMA). In a letter to HHS, MGMA described negative changes in processes at doctors’ offices. They include delays in paper and electronic statements “for the duration of the outage.”

In addition, “prescriptions are being called into pharmacies instead of being electronically sent, so patients’ insurance information cannot be verified by pharmacies, and [the patients] are forced to self-pay or go without necessary medication.”

Here are “just a few of the consequences medical groups have felt” since the Change Healthcare cyberattack, according to the MGMA:

  • Substantial billing and cash flow disruptions, such as a lack of electronic claims processing. Both paper and electronic statements have been delayed. Some groups have been without any outgoing charges or incoming payments for the duration of the outage.
  • Limited or no electronic remittance advice from health plans. Groups are having to manually pull and post from payer portals.
  • Prior authorization submissions have been rejected or have not been transmittable at all. This further exacerbates what is routinely ranked the number one regulatory burden by medical groups and jeopardizes patient care.
  • Groups have been unable to perform eligibility checks for patients.
  • Many electronic prescriptions have not been transmitted, resulting in call-in prescriptions to pharmacies or paper prescriptions for patients. Subsequently, patients’ insurance information cannot be verified by pharmacies, and they are forced to self-pay or go without necessary medication.
  • Lack of connectivity to important data infrastructure needed for success in value-based care arrangements, and other health information technology disruptions.

Medical laboratory leaders and pathologists are advised to consult with their colleagues in IT and cybersecurity on how best to prevent ransomware attacks. Labs hold a vast amount of private patient information. Recent incidents suggest more steps and strategies may be needed to protect laboratory information systems and patient data.

—Donna Marie Pocius

Related Information:

UnitedHealth Suspects “Nation-state” Behind Change Cyberattack

UnitedHealth Says ‘Blackcat’ Ransomware Group Behind Hack At Tech Unit

UnitedHealth Hackers Say They Stole ‘Millions’ of Records, then Delete Statement

US SEC Form 8-K

Change Healthcare Incident Status

Information on the Change Healthcare Cyber Response

UnitedHealth Confirms BlackCat Group Behind Recent Cybersecurity Attack

CISA Cybersecurity Advisory

Hackers Behind UnitedHealth Unit Cyberattack Reportedly Identified

Hospitals Affected by Cyberattack of UnitedHealth Subsidiary

UnitedHealth Group’s Change Healthcare Experiencing Cyberattack Could Impact Healthcare Providers

AHA Letter to HHS: Implications Change Healthcare Cyberattack

MGMA Letter to HHS

The Change Healthcare Cyberattack Is Still Impacting Pharmacies. It’s a Bigger Deal Than You Think

Medical Laboratories Respond to Monkeypox Outbreak Using CDC-Developed Diagnostic Test

The federal agency shipped tests to five commercial clinical laboratory companies, augmenting efforts by public health labs

Medical laboratories in the US are ramping up their efforts to respond to an outbreak of monkeypox that has been spreading around the globe. Microbiologists and clinical laboratory scientists will be interested to learn that this infectious agent—which is new to the US—may be establishing itself in the wild rodent population in this country. If proved to be true, it means Americans would be at risk of infection from contact with rodents as well as other people.

The Centers for Disease Control and Prevention (CDC) announced on May 18 that it had identified the infection in a Massachusetts resident who had recently traveled to Canada. As of August 3, the federal agency was reporting 6,617 confirmed cases in the US.

Soon after the CDC’s initial announcement, public health labs belonging to the CDC’s Laboratory Response Network (LRN) were testing for the infection, according to an Association of Public Health Laboratories (APHL) press release. The LRN uses a CDC-developed test designed to detect Orthopoxviruses, the family that includes the monkeypox virus.

“Because there are no other non-variola orthopoxviruses circulating in the US, a positive test result is presumed to be monkeypox,” states the APHL press release.

“As we focus on the US response, we keep a close watch on the global outbreak. Infectious diseases don’t respect borders, as we know,” said Chris Mangal (above), director of public health preparedness and response, APHL, in a press release. “I am proud of how LRN member laboratories have rapidly and effectively responded to this emergency. This is precisely what the LRN was intended to do. Should this outbreak continue to grow, preparing for expanded testing and increasing capacity beyond LRN laboratories is important to ensuring we are ready for a surge in testing.” (Photo copyright: Association of Public Health Laboratories.)

Commercial Labs Get Involved

Seeking to bolster testing capacity, the federal Department of Health and Human Services (HHS) announced on June 22 that the CDC had begun shipping Orthopoxvirus PCR tests to five commercial lab companies. They include:

“By dramatically expanding the number of testing locations throughout the country, we are making it possible for anyone who needs to be tested to do so,” said HHS Secretary Xavier Becerra in an HHS press release.

Labcorp was first out of the gate, announcing on July 6 that it was offering the CDC-developed test for its customers, as well as accepting overflow from public labs. “We will initially perform all monkeypox testing in our main North Carolina lab and have the capacity to expand to other locations nationwide should the need arise,” said Labcorp chief medical officer and president Brian Caveney, MD, in a press release.

Mayo Clinic Laboratories followed suit on July 11, announcing that the clinic’s Department of Laboratory Medicine and Pathology would perform the testing at its main facility in Rochester, Minnesota.

“Patients can access testing through Mayo Clinic healthcare professionals and will soon be able to access testing through healthcare professionals who use Mayo Clinic Laboratories as their reference laboratory,” Mayo stated in a press release.

Then, Quest Diagnostics announced on July 13 that it was testing for the virus with an internally developed PCR test, with plans to offer the CDC test in the first half of August.

The lab-developed test “was validated under CLIA federal regulations and is now performed at the company’s advanced laboratory in San Juan Capistrano, Calif.,” Quest stated in a press release.

Public Health Emergency?

Meanwhile, the CDC announced on June 28 that it had established an Emergency Operations Center to respond to the outbreak. A few weeks later, on July 23, World Health Organization (WHO) Secretary-General Tedros Adhanom Ghebreyesus, PhD, declared that the outbreak represented “a public health emergency of international concern.”

He noted that international health regulations required him to consider five elements to make such a declaration.

“WHO’s assessment is that the risk of monkeypox is moderate globally and in all regions, except in the European region where we assess the risk as high,” he said in a WHO news release. “There is also a clear risk of further international spread, although the risk of interference with international traffic remains low for the moment. So, in short, we have an outbreak that has spread around the world rapidly, through new modes of transmission, about which we understand too little, and which meets the criteria in the International Health Regulations.”

Still, public health authorities have made it clear that this is not a repeat of the COVID-19 outbreak.

“Monkeypox virus is a completely different virus than the viruses that cause COVID-19 or measles,” the CDC stated in a June 9 advisory. “It is not known to linger in the air and is not transmitted during short periods of shared airspace. Monkeypox spreads through direct contact with body fluids or sores on the body of someone who has monkeypox, or with direct contact with materials that have touched body fluids or sores, such as clothing or linens. It may also spread through respiratory secretions when people have close, face-to-face contact.”

The New York Times reported that some experts disagreed with the CDC’s assessment that the virus “is not known to linger in the air.” But Professor of Environmental Health Donald Milton, MD, DrPH, of the University of Maryland, told The Times it is still “not nearly as contagious as the coronavirus.”

The Massachusetts resident who tested positive in May was not the first known case of monkeypox in the US; however, previous cases involved travel from countries where the disease is more common. Two cases in 2021—one in Texas and one in Maryland—involved US residents who had recently returned from Nigeria, the CDC reported. And a 2003 outbreak in the Midwest was linked to rodents and other small mammals imported to Texas from Ghana in West Africa.

Testing Procedures

The CDC has issued information for healthcare professionals, including guidelines for specimen collection, along with information for laboratory personnel who may be testing the specimens.

CNN reported on Aug. 4 that phlebotomists who work for Quest and Labcorp have refused to draw blood from suspected monkeypox patients.

“Labcorp and Quest don’t dispute that in many cases, their phlebotomists are not taking blood from possible monkeypox patients,” according to CNN. “What remains unclear, after company statements and follow-ups from CNN, is whether the phlebotomists are refusing on their own to take blood or if it is the company policy that prevents them. The two testing giants say they’re reviewing their safety policies and procedures for their employees.”

One symptom of monkeypox, the CDC states, is a rash resembling pimples or blisters. Clinicians are advised that two swabs should be collected from each skin lesion, though “procedures and materials used for collecting specimens may vary depending on the phase of the rash.”

“Effective communication and precautionary measures between specimen collection teams and laboratory staff are essential to maximizing safety when manipulating specimens suspected to contain monkeypox virus,” the CDC notes. “This is especially relevant in hospital settings, where laboratories routinely process specimens from patients with a variety of infectious and/or noninfectious conditions.” 

Perhaps the negative reaction to the CDC’s initial response to the COVID-19 outbreak in the US is driving the federal agency’s swift response to this new viral threat. Regardless, clinical laboratories and pathology groups will play a key role in the government’s plan to combat monkeypox in America.

Stephen Beale

Related Information:

CDC: Monkeypox

CDC and Health Partners Responding to Monkeypox Case in the US

CDC Activates Emergency Operations Center for Monkeypox Response

HHS Expanding Monkeypox Testing Capacity to Five Commercial Laboratory Companies

Labcorp to Begin Monkeypox Testing Today, Doubling Nationwide Testing Capacity

Labcorp First National Laboratory to Offer Monkeypox Test

Monkeypox (Orthopoxvirus), DNA, PCR Test

Mayo Clinic Laboratories to Begin Monkeypox Testing Today, Increasing Nationwide Testing Capacity

Mayo Clinic Laboratories Launches Monkeypox Test to Increase Access, Availability

Quest Now Offers a Test to Detect Monkeypox Virus DNA, Delivering Faster Answers for You and Your Patients

Quest Diagnostics to Begin Monkeypox Testing Today, Increasing Nationwide Testing Capacity

Quest Diagnostics Launches Monkeypox Virus Testing

APHL Supports Public Health Response to Monkeypox, Phased Expansion of Testing

World Health Organization: Monkeypox

Second Meeting of the International Health Regulations (2005) (IHR) Emergency Committee regarding the Multi-Country Outbreak of Monkeypox

WHO Director-General’s Statement at the Press Conference Following IHR Emergency Committee Regarding the Multi-Country Outbreak of Monkeypox

CDC Dismisses Airborne Transmission of Monkeypox. Some Experts Disagree.

We Let Monkeypox Spread for Too Long. If It Infects Our Pets, There’s No Getting Rid of It

Department of Justice Recovers $1.8B from Medical Laboratory Owners and Others Accused of Alleged Healthcare Fraud During COVID-19 Pandemic

It did not take long for fraudsters to pursue hundreds of billions of federal dollars designated to support SARS-CoV-2 testing, and it is rare for federal prosecutors to bring cases only a few months after illegal lab testing schemes are identified

As if the COVID-19 pandemic weren’t bad enough, unscrupulous clinical laboratory operators quickly sought to take advantage of the critical demand for SARS-CoV-2 testing and defraud the federal government.

Unfortunately for the many defendants in these cases, federal investigations into alleged cases of fraud were launched with noteworthy speed. As a result of these investigations into alleged healthcare fraud by clinical laboratories and other organizations during fiscal year (FY) 2020, the US Department of Justice (DOJ) announced the US government has recovered $1.8 billion.

The federal prosecutions involved dozens of medical laboratory owners and operators who paid back “hundreds of millions in alleged federal healthcare program losses,” Goodwin Life Sciences Perspectives explained.

The annual report of the Departments of Health and Human Services (HHS) and Justice Health Care Fraud and Abuse Control Program (HCFAC) reported that federal agencies found and prosecuted alleged healthcare fraud for unnecessary laboratory testing related to:

The HCFAC is a joint program of the HHS Office of Inspector General (OIG), Centers for Medicare and Medicaid Services (CMS), and DOJ, a CMS fact sheet explained.

Billions Recovered by HCFAC Program

When combined with similar efforts starting in prior years, the program has returned to the federal government and private individuals a total of $3.1 billion, the DOJ noted.

“In its 24th year of operation, the program’s continued success confirms the soundness of a collaborative approach to identify and prosecute the most egregious instances of healthcare fraud, to prevent future fraud and abuse, and to protect program beneficiaries,” the report states.

According to the graphic above, which is based on analysis by B2B research company MarketsandMarkets, “North America will dominate the healthcare fraud analytics market from 2020–2025.” As clinical laboratory testing represents a significant portion of the fraud, medical lab managers will want to remain vigilant. (Graphic copyright: MarketsandMarkets.)

COVID-19 Pandemic an Opportunity for Fraud

The HHS report notes that the COVID-19 pandemic required CMS to develop a “robust fraud risk assessment process” to identify clinical laboratory fraud schemes, such as offering COVID-19 tests in exchange for personal details and Medicare information.

“In one fraud scheme, some labs are targeting retirement communities claiming to offer COVID-19 tests but are drawing blood and billing federal healthcare programs for medically unnecessary services,” the HHS report notes.

Still other alleged schemes involved billing for expensive tests and services in addition to COVID-19 testing. “For example, providers are billing a COVID-19 test with other far more expensive tests such as the Respiratory Pathogen Panel (RPP) and antibiotic resistance tests,” the report says.

“Other potentially unnecessary tests being billed along with a COVID-19 test include genetic testing and cardiac panels CPT (current procedural terminology) codes. Providers are also billing respiratory, gastrointestinal, genitourinary, and dermatologic pathogen code sets with the not otherwise specified code CPT 87798,” the report states.

Different Types of Healthcare Organizations Investigated in 2020

Beyond clinical laboratories, the HHS’ 124-page report also shares criminal and civil investigations of other healthcare organizations and areas including:

  • clinics,
  • drug companies,
  • durable medical equipment,
  • electronic health records,
  • home health providers,
  • hospice care,
  • hospitals and healthcare systems,
  • medical devices,
  • nursing homes and facilities,
  • pharmacies, and
  • physicians/other practitioners.  

According to the DOJ, “enforcement actions” in 2020 included:

  • 1,148 new criminal healthcare fraud investigations opened,
  • 440 defendants convicted of healthcare fraud and related crimes,
  • 1,079 civil healthcare fraud investigations opened, and
  • 1,498 pending civil health fraud matters at year-end.

“Federal Bureau of Investigation (FBI) investigative efforts resulted in over 407 operational disruptions of criminal fraud organizations and the dismantlement of the criminal hierarchy of more than 101 healthcare fraud criminal enterprises,” the DOJ reported. 

Furthermore, the report said OIG investigations in 2020 led to:

  • 578 criminal actions against people or organizations for Medicare-related crimes,
  • 781 civil actions such as false claims, and
  • 2,148 people and organizations eliminated from Medicare and Medicaid participation.

Implications for Clinical Laboratories

In 2020, OIG issued 178 reports, completed 44 evaluations, and made 689 recommendations to HHS divisions.

Clinical laboratory leaders may be most interested in those related to patient identification as a means to combating fraud and Medicare Part B lab testing reimbursement.

The HHS report says, “Medicare Advantage (MA) encounter data continue to lack National Provider Identifiers (NPIs) for providers who order and/or refer … clinical laboratory services,” adding that, “Almost half of MA organizations believe that using NPIs for ordering providers is critical for combating fraud.”

Additionally, the report states, “Medicare Part B spending for lab tests increased to $7.6 billion in 2018, despite lower payment rates for most lab tests. The $459 million spending increase was driven by:

  • “increased spending on genetic tests,
  • “ending the discount for certain chemistry tests, and the
  • “move to a single national fee schedule.”

Medical laboratory leaders may be surprised to learn that federal healthcare investigators were so vigorous in their investigations, even during the worst of the COVID-19 pandemic.

Vigilance is critical to ensure labs do not fall under the DOJ’s scrutiny. This HHS report, which describes the types and dollars involved in fraudulent schemes by clinical labs and other providers, could help inform revisions to federal compliance regulations and statutes.

Donna Marie Pocius

Related Information

Annual Report of the Departments of Health and Human Services (HHS) and Justice Healthcare Fraud and Abuse Control (HCFAC) Program FY 2020

DOJ Recoups a Total of $1.8 Billion from Healthcare Fraud in 2020, Laboratory Recoupments Alone Account for Hundreds of Millions

Healthcare Fraud and Abuse Control Program Protects Consumers and Taxpayers by Combatting Healthcare Fraud

2020 National Health Care Fraud Takedown

Three Federal Agencies Warn Healthcare Providers of Pending Ransomware Attacks; Clinical Laboratories Advised to Assess Their Cyberdefenses

Sophisticated cyberattacks have already hit hospitals and healthcare networks in Oregon, California, New York, Vermont, and other states

Attention medical laboratory managers and pathology group administrators: It’s time to ramp up your cyberdefenses. The FBI, the federal Department of Health and Human Services (HHS), and the federal Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory (AA20-302A) warning US hospitals, clinical laboratories, and other healthcare providers to prepare for impending ransomware attacks, in which cybercriminals use malware, known as ransomware, to encrypt files on victims’ computers and demand payment to restore access.

The joint advisory, titled, “Ransomware Activity Targeting the Healthcare and Public Health Sector,” states, “CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers.” It includes technical details about the threat—which uses a type of ransomware known as Ryuk—and suggests best practices for preventing and handling attacks.

In his KrebsOnSecurity blog post, titled, “FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals,” former Washington Post reporter, Brian Krebs, wrote, “On Monday, Oct. 26, KrebsOnSecurity began following up on a tip from a reliable source that an aggressive Russian cybercriminal gang known for deploying ransomware was preparing to disrupt information technology systems at hundreds of hospitals, clinics, and medical care facilities across the United States. Today, officials from the FBI and the US Department of Homeland Security hastily assembled a conference call with healthcare industry executives warning about an ‘imminent cybercrime threat to US hospitals and healthcare providers.’”

Krebs went on to report that the threat is linked to a notorious cybercriminal gang known as UNC1878, which planned to launch the attacks against 400 healthcare facilities.

Clinical Labs, Pathology Groups at Risk Because of the Patient Data They Keep

Hackers initially gain access to organizations’ computer systems through phishing campaigns, in which users receive emails “that contain either links to malicious websites that host the malware or attachments with the malware,” the advisory states. Krebs noted that the attacks are “often unique to each victim, including everything from the Microsoft Windows executable files that get dropped on the infected hosts to the so-called ‘command and control’ servers used to transmit data between and among compromised systems.”

Charles Carmakal, SVP and Chief Technology Officer of cybersecurity firm Mandiant, told Reuters, “UNC1878 is one of the most brazen, heartless, and disruptive threat actors I’ve observed over my career,” adding, “Multiple hospitals have already been significantly impacted by Ryuk ransomware and their networks have been taken offline.”

John Riggi (above), senior cybersecurity adviser to the American Hospital Association (AHA), told the AP, “We are most concerned with ransomware attacks which have the potential to disrupt patient care operations and risk patient safety. We believe any cyberattack against any hospital or health system is a threat-to-life crime and should be responded to and pursued as such by the government.” Hospital-based medical laboratories and independent clinical laboratories that interface with hospital networks should assess their vulnerability to cyberattacks and take appropriate steps to protect their patients’ data. (Photo copyright: American Hospital Association.)

Multiple Healthcare Provider Networks Under Attack

Hospitals in Oregon, California, and New York have already been hit by the attacks, Reuters reported. “We can still watch vitals and get imaging done, but all results are being communicated via paper only,” a doctor at one facility told Reuters, which reported that “staff could see historic records but not update those files.”

Some of the hospitals that have reportedly experienced cyberattacks include:

In October, the Associated Press (AP) reported that a recent cyberattack disrupted computer systems at six hospitals in the University of Vermont (UVM) Health Network. The FBI would not comment on whether that attack involved ransomware; however, it forced the UVM Medical Center to shut down its computer system and reschedule elective procedures.

Threat intelligence analyst Allan Liska of US cybersecurity firm Recorded Future told Reuters, “This appears to have been a coordinated attack designed to disrupt hospitals specifically all around the country.”

He added, “While multiple ransomware attacks against healthcare providers each week have been commonplace, this is the first time we have seen six hospitals targeted in the same day by the same ransomware actor.”

An earlier ransomware attack in September targeted 250 healthcare facilities operated by Universal Health Services Inc. (UHS). A clinician at one facility reported “a high-anxiety scramble” where “medical staff could not easily see clinical laboratory results, imaging scans, medication lists, and other critical pieces of information doctors rely on to make decisions,” AP reported.

Outside of the US, a similar ransomware attack in October at a hospital in Düsseldorf, Germany, prompted a homicide investigation by German authorities after the death of a patient being transferred to another facility was linked to the attack, the BBC reported.

CISA, FBI, HHS, Advise Against Paying Ransoms

To deal with the ransomware attacks, CISA, FBI, and HHS advise against paying ransoms. “Payment does not guarantee files will be recovered,” the advisory states. “It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.” The federal agencies advise organizations to take preventive measures and adopt plans for coping with attacks.

The advisory suggests:

  • Training programs for employees, including raising awareness about ransomware and phishing scams. Organizations should “ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack.”
  • Regular backups of data and software. These should be “maintained offline or in separated networks as many ransomware variants attempt to find and delete any accessible backups.” Personnel should also test the backups.
  • Continuity plans in case information systems are not accessible. For example, organizations should maintain “hard copies of digital information that would be required for critical patient healthcare.”

Evaluating Continuity and Capability

The federal agencies also advise healthcare facilities to join cybersecurity organizations, such as the Health Information Sharing and Analysis Center (H-ISAC).

“Without planning, provision, and implementation of continuity principles, organizations may be unable to continue operations,” the advisory states. “Evaluating continuity and capability will help identify continuity gaps. Through identifying and addressing these gaps, organizations can establish a viable continuity program that will help keep them functioning during cyberattacks or other emergencies.”

Dark Daily Publisher and Editor-in-Chief, Robert Michel, suggests that clinical laboratories and anatomic pathology groups should have their cyberdefenses assessed by security experts. “This is particularly true because the technologies and methods used by hackers change rapidly,” he said, “and if their laboratory information systems have not been assessed in the past year, then this proactive assessment could be the best insurance against an expensive ransomware attack a lab can purchase.”

—Stephen Beale

Related Information:

Ransomware Activity Targeting the Healthcare and Public Health Sector

FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals

Hackers Hit Hospitals in Disruptive Ransomware Attack

Several Hospitals Targeted in New Wave of Ransomware Attacks

Hospitals Hit with Ransomware Attacks as FBI Warns of Escalating Threat to Healthcare

Ransomware Attacks on Hospitals Could Soon Surge, FBI Warns

Building Wave of Ransomware Attacks Strike U.S. Hospitals

Oregon Hospital Shuts Down Computer System After Ransomware Attack

Three St. Lawrence County Hospitals Hit by Ransomware

‘Unusual Network Activity’ at Ridgeview Medical Center

Brooklyn and Vermont Hospitals Are Latest Ryuk Ransomware Victims

Despite the Coronavirus Pandemic, Medicare Officials Continue Push for Price Transparency by Pressuring Hospitals to Disclose Rates Negotiated with Private Payers

Clinical laboratories are advised to continue developing methods for making prices for procedures available to the general public

Even as an effective treatment for COVID-19 continues to elude federal healthcare agencies, Medicare officials are pressing ahead with efforts to bring about transparency in hospital healthcare pricing, including clinical laboratory procedures and prescription drug costs.

In FY 2021 Proposed Rule CMS-1735-P, titled, “Medicare Program; Hospital Inpatient Prospective Payment Systems for Acute Care Hospitals and the Long-Term Care Hospital Prospective Payment System and Proposed Policy Changes and Fiscal Year 2021 Rates; Quality Reporting and Medicare and Medicaid Promoting Interoperability Programs Requirements for Eligible Hospitals and Critical Access Hospitals,” the Centers for Medicare and Medicaid Services (CMS) proposes to “revise the Medicare hospital inpatient prospective payment systems (IPPS) for operating and capital-related costs of acute care hospitals to implement changes arising from our continuing experience with these systems for FY 2021 and to implement certain recent legislation.”  

A CMS news release noted, “The proposed rule would update Medicare payment policies for hospitals paid under the Inpatient Prospective Payment System (IPPS) and the Long-Term Care Hospital (LTCH) Prospective Payment System (PPS) for fiscal year 2021.”

The proposed rule suggests a 1.6% increase (about $2 billion) in reimbursement for hospital inpatient services for 2021, but also alludes to the possibility of payer-negotiated rates being used to determine future payment to hospitals.

In its analysis of the proposed rule, Modern Healthcare noted that CMS is “continuing its price transparency push, to the chagrin of some providers.”

However, the provisions in the proposed rule do, according to the CMS news release, advance several presidential executive orders, including:

Controversial Use of Payer Data for Future Medicare Rates

This latest CMS proposed rule (comments period ended July 10) moves forward “controversial price transparency” and has a new element of possible leverage of reported information for future Medicare payment rates, Healthcare Dive reported.

The 1,602-page proposed rule (CMS-1735-P) calls for these requirements in hospital Medicare cost reports:

“In addition, the agency is requesting information regarding the potential use of these data to set relative Medicare payment rates for hospital procedures,” the CMS news release states.

Thus, under the proposed rule, the nation’s 3,200 acute care hospitals and 360 long-term care hospitals would need to start reporting requested data for discharges effective Oct. 1, 2020, a CMS fact sheet explained.

In the news release following the release of the proposed rule, CMS Administrator Seema Verma had a positive spin. “Today’s payment rate announcement focuses on what matters most to help hospitals conduct their business and receive stable and consistent payment.”

However, the American Hospital Association (AHA) articulated a different view, even calling the requirement for hospitals to report private terms “unlawful.”

“We are very disappointed that CMS continues down the unlawful path of requiring hospitals to disclose privately negotiated contract terms,” AHA Executive Vice President Tom Nickels (above) said in a statement, adding, “The disclosure of privately negotiated rates will not further CMS’ goal of paying market rates that reflect the cost of delivering care. These rates take into account any number of unique circumstances between a private payer and a hospital and simply are not relevant for fixing Fee-for-Service Medicare reimbursement.” (Photo copyright: American Hospital Association.)

AHA and other organizations attempted to block a price transparency final rule last year in a lawsuit filed against the U.S. Department of Health and Human Services (HHS), which oversees CMS, Dark Daily reported.

During in-court testimony, provider representatives declared that revealing rates they negotiate with payers violates First Amendment rights, Becker’s Hospital Review reported.

Officials for the federal government pushed back, telling the federal judge that they can indeed require hospitals to publish negotiated rates. Hospital chargemasters, they added, don’t tell the full story, since consumers don’t pay those rates, Modern Healthcare reported.

2020 Final Rule Affected Clinical Laboratories

In a recent e-briefing on Final Rule CMS-1717-F2 on hospital outpatient price transparency, titled, “Health Insurers and Hospital Groups Argue Price Transparency Rules on Hospitals, Clinical Laboratories, and Other Providers Will Add Costs and ‘Confuse’ Consumers,” May 29, 2020, Dark Daily reported that effective January 1, 2021, hospitals are required to disclose outpatient prices for common lab tests, such as basic metabolic panel, PSA (prostate-specific antigen), and complete blood count (CBC), and 10 other clinical laboratory tests.

In addition to the increase in inpatient payments and price transparency next steps, the recent CMS proposed rule also includes a new hospital payment category for chimeric antigen receptor (CAR) T-cell therapy. The technique uses a patient’s own genetically-modified immune cells to treat some cancers, as an alternative to chemotherapy and other treatment covered by IPPS, CMS said in the news release.

The agency also expressed intent to remove payment barriers to new antimicrobials approved by the FDA’s Limited Population Pathway for Antibacterial and Antifungal Drugs (LPAD pathway). “The LPAD pathway encourages the development of safe and effective drug products that address unmet needs of patients with serious bacterial and fungal infections,” the CMS fact sheet states.

Clinical laboratories are gateways to healthcare. For hospital lab leaders, the notion of making test prices easily accessible to patients and consumers will soon no longer be a nice idea, but a legal requirement.

Therefore, clinical laboratory leaders are advised to stay abreast of price transparency regulations and continue to prepare for sharing test prices and information with patients and the general public in ways that fulfill federal requirements. 

—Donna Marie Pocius

Related Information:

CMS Proposed Rule CMS-1735-P

CMS Final Rule CMS-1717-F2

CMS Aims to Boost Inpatient Payments; Adds Pressure for Price Transparency

CMS Builds on Commitment to Transform Healthcare Through Competition and Innovation

Presidential Executive Order Promoting Healthcare Choice and Competition Across the United States

Executive Order on Improving Price and Quality Transparency in American Healthcare to Put Patients First

Executive Order on Protecting and Improving Medicare for Our Nation’s Seniors

Fact Sheet: FY 2021 Medicare Hospital Inpatient Prospective Payment System (IPPS)

Hospitals Balk as CMS Doubles Down on Price Transparency

AHA Statement on FY 2021 Proposed IPPS Rule

Hospitals Blast CMS Decision to Double Down on Price Transparency

AHA Slams CMS for Advancing Hospital Price Transparency Rule

Wide State-Level Variation in Commercial Health Care Prices Suggests Uneven Impact of Price Regulation

Health Insurers and Hospital Groups Argue Price Transparency Rules on Hospitals and Clinical Laboratories and Other Providers Will Add Costs, Confuse Consumers
