Across the nation, healthcare attorneys and others report that ransomware attacks are happening weekly, and that once providers’ data systems are encrypted, they have few options to regain control of their information systems
Ransomware is now the single biggest threat to your hospital, clinical laboratory, and anatomic pathology group’s ability to operate a viable business. Few practice administrators and managers are fully aware of this threat. And yet, many still have not taken even basic steps to protect their organizations from ransomware attacks.
Encryption attacks that shut down a hospital or lab’s information services come without warning, rendering the provider unable to access electronic healthcare records (EHRs), to schedule appointments, or conduct most other normal business activities.
Further, negotiating with the ransomware attackers to obtain a de-encryption key can take weeks. During that time, the hospital or lab cannot access its essential information systems and that disrupts or even stops patient care.
Think this cannot happen to your hospital or lab? Think again.
Just this spring, Scripps Health of San Diego was hit with a ransomware attack. Key information systems were encrypted, and it did not take patients long to notice that they could not email their physicians, access their medical records, or see their test results.
The ransomware attack became the headline story on the San Diego nightly news. Scripps would only admit that many essential information systems had been encrypted and that the organization was using paper to conduct business.
The ransomware attack on Colonial Pipeline of Houston, which took place one week after the Scripps Health attack, also became global news. Colonial Pipeline supplies gasoline and similar fuels to 14 states—from Georgia in the South to New York and New Jersey in the North. Dark Daily readers living along the Atlantic Coast personally experienced the shortage of gasoline in their communities because of the ransomware attack on Colonial Pipeline.
No Ransom Payment, No De-encryption Key
Ransomware is probably the single biggest threat to every hospital and every clinical lab in this country. But few healthcare organizations are taking the essential steps needed to make their information systems more resistant to an encryption attack. Even fewer hospitals and labs have policies or procedures in place that outline how management should react when an encryption attack is first discovered. Yet these attacks are hitting medical providers every week across the US.
Dark Daily surveyed several major law firms that have sizeable healthcare practices. Each firm stated it is contacted weekly by one or more hospitals, labs, and medical clinics that have had their digital systems encrypted, followed by a demand for ransom. The healthcare providers were told by the hackers that if they did not pay the ransom, they would not receive the de-encryption key required to bring their software, apps, and digital systems back into service.
“This is the biggest story in healthcare, yet it gets little attention,” stated Robert L. Michel, Editor-in-Chief of Dark Daily’s sister publication The Dark Report. “The reason why you don’t read more news stories about ransomware attacks on hospitals and labs is simple. If it becomes known that a hospital or a lab paid ransom to obtain the de-encryption key needed to restore access to its information systems, that encourages other hackers to attack the organization as well, since the hackers know the organization will pay the ransom. They figure if the provider paid the ransom once, the same provider will likely pay it again.”
Payment of Ransom Does Not Guarantee Restoration of Critical Systems
As bad as a ransomware attack on a hospital, lab, or a medical clinic can be—it can get worse. “Experts involved in helping hospitals and labs respond to a ransomware attack say there is no guarantee the de-encryption key provided by the hackers after payment of ransom will restore access to the encrypted systems,” Michel noted. “We hear reports of hospitals and labs that spent more on their efforts to bring the encrypted systems back online and functioning than they did on the actual ransom.”
This is a must-attend webinar—not only for you—but for everyone in your hospital, health system, or clinical laboratory who will be working to prevent ransomware attacks, or who is involved in restoring digital services following such an attack.
Two experts who are contacted each week by multiple hospitals, labs, and medical clinics that were attacked, had their digital systems encrypted, and received a ransom demand for hundreds of thousands—even millions—of dollars from hackers, will be sharing their knowledge and experience in the legal implications of—and the recovery from—ransomware attacks.
Johnson and Caron will cover best practices designed to provide crucial training and decision-making skills for handling a ransomware attack on hospital and health system clinical laboratories and anatomic pathology practices. These best practices include:
Legal issues triggered by a ransomware attack: What to do when an incident is a breach and when it is not.
Your obligations in response to a ransomware attack: HIPAA privacy and other regulatory rules, contractual arrangements (e.g., reference labs), and crisis communication to patients and other stakeholders.
Responding to and negotiating with ransomware perpetrators—including the expected “etiquette” in dealing with cybercriminals—and collaborating with consultants who are experienced in how to deal with ransomware demands.
And much more.
The roundtable discussion will help you understand how a security incident can occur with or without a breach of protected health information (PHI). Johnson and Caron also will discuss how knowing what to do in each scenario is essential to reducing collateral damage to both patients and your organization, and how to educate your hospital, lab and the broader medical community to address—both proactively and in response—the surging risk of ransomware attacks.
And because so many healthcare administrators, physicians, and pathologists are working remotely, Dark Daily has arranged special group rates for hospitals, practices, and physicians that would like their essential leaders to participate in this important webinar and roundtable discussion on protecting against—and recovering from—ransomware attacks.
Inquire at info@darkreport.com or call 512-264-7103.
VA Office of Inspector General recommends changes in management processes after doctor is sentenced to long federal prison term
In a compelling report, the US Department of Veterans Affairs (VA) Office of Inspector General (OIG) found that a host of management failures and “deficiencies in the facility’s quality management processes” at an Arkansas VA hospital contributed to “thousands of diagnostic errors” throughout the tenure of the facility’s Chief of Pathology and Laboratory Medical Services Robert Morris Levy, MD.
“Any one of these breakdowns could cause harmful results,” the report states. “Occurring together and over an extended period of time, the consequences were devastating, tragic, and deadly.”
The OIG report’s findings on how hospital and laboratory administrators dealt with Levy over the years of his employment at the Fayetteville VA Medical Center demonstrate why clinical and pathology lab leaders need to be constantly vigilant in how various quality and compliance procedures are administered in their laboratories. When people and processes are not meeting acceptable standards, it is patients who are at risk of being harmed.
In January, the federal court in Arkansas sentenced Levy to “240 months in federal prison, followed by three years of supervised release and ordered [him] to pay $497,745.70 in restitution for one count each of mail fraud and involuntary manslaughter,” according to court documents.
VA Pathologist Received Multiple Suspensions, then Termination
Following his removal in April 2018, the OIG assembled a team of pathologists to review nearly 34,000 cases interpreted by Levy since he began working at the VA hospital. They identified more than 3,000 errors, of which 589 were classified as “major diagnostic discrepancies” potentially having a negative impact on patient care.
Of the 589, 34 were deemed serious enough to require institutional disclosures, defined as a discussion with the patient or the patient’s representative revealing “that an adverse event has occurred during the patient’s care that resulted in or is reasonably expected to result in death or serious injury.”
The OIG report cited at least two deaths likely resulting from misdiagnoses.
Levy’s hospital privileges were initially suspended in March 2016 following a blood alcohol test indicating he was legally intoxicated while at work. He was reinstated about six months later after completing a treatment program and agreeing to submit to random drug testing.
His privileges were suspended again in October 2017 after he showed signs of impairment during a hospital committee meeting. He was terminated in April 2018 after he was arrested for allegedly driving while intoxicated (DWI) during work hours.
Federal Court Indicts Levy on Multiple Counts
Shortly after the OIG team began reviewing Levy’s cases, a separate OIG group launched a criminal investigation. Levy admitted to investigators that he had been an alcoholic for 30 years, the report stated, and that he had “purchased a substance, 2-methyl-2-butanol (2M2B), online that could be ingested, was similar to alcohol but more potent, and was not detectable using routine drug and alcohol testing methods.”
Citing the federal indictment, the OIG report noted that Levy passed 42 drug and alcohol tests following his reinstatement at the hospital in 2016.
In August 2019, federal authorities charged Levy with three counts of involuntary manslaughter along with multiple counts of wire fraud, mail fraud, and making false statements. The wire and mail fraud charges were related to his 2M2B purchases.
Levy pleaded guilty in June 2020 and was sentenced on January 22, 2021. In addition to the 20-year prison term, he was ordered to pay approximately $498,000 in restitution to VA. The OIG report noted that Levy has appealed the sentence.
And in “Arkansas Pathologist Faces Three Manslaughter Charges,” Dark Daily’s sister publication, The Dark Report, noted that “The outcome of [the Levy] case could be a precedent that gives other prosecutors the confidence that they can file criminal charges in cases where evidence shows that a pathologist’s actions contributed to diagnostic errors that directly contributed to the death of one or more patients.”
OIG Finds Numerous ‘Deficiencies in Quality Management’
In its report, OIG found deficiencies in quality management going back to Levy’s original appointment as Pathology and Laboratory Medical Services Chief.
He was initially hired in September 2005 as a locum tenens (temporary) provider and appointed as full-time service chief a month later. This was despite a DWI conviction from 1996 and a stay of only eight months with his previous employer.
Neither would have barred the doctor as a potential candidate; however, the OIG report states, “the OIG is concerned that a rigorous process was not in place to better evaluate his clinical competency at the time he was hired.”
And that was just the beginning.
In his role as service chief, Levy was responsible for the Path and Lab quality management program with assistance from a subordinate staff pathologist, “which made the process susceptible to subversion,” the report states.
The VHA requires a second pathologist to review certain findings, such as diagnosis of a new cancer malignancy. But in some cases, “it was determined that Dr. Levy was entering concurrence statements into some patients’ electronic health records (EHR) when a second pathologist had not agreed with the interpretation or diagnosis,” the OIG report states.
In addition, second reads sometimes “were communicated by sticky notes, which provided Dr. Levy the opportunity to alter or ignore the results,” the OIG reported.
Inherent Conflict of Interest, Fear of Reprisals, and OIG Recommendations
The periodic privileging process, which grants ongoing hospital privileges, was based in part on a “10% peer review” conducted by the staff pathologist. “The involvement of a subordinate in the peer review process of a supervisor creates an inherent conflict of interest,” the OIG report stated. And in some cases, appraisals of the doctor’s competence came from non-pathologists.
The OIG report suggested that the Veterans Health Administration (VHA) re-examine its guidance on the peer review, which requires cases to be randomly selected. Instead, the report suggests that targeting specific kinds of cases, such as those with higher risk of interpretation error, could be more effective in analyzing a pathologist’s performance.
The OIG report also noted failures in dealing with the doctor’s impairment and fostering a “culture of accountability.” Hospital staff, apparently, reported signs of impairment as early as 2014, including incidents when the doctor smelled of alcohol and displayed hand tremors. But hospital leadership failed to “vigorously address allegations of impairment,” the OIG report states. And in interviews with the OIG, some staffers expressed fear of reprisal if they reported what they saw.
The OIG report offers 10 recommendations to the VA, including practices related to hiring processes, the 10% peer review, and alcohol and drug testing. It makes two additional recommendations to the director of the Ozarks VA health system: one related to the credentialing processes and the other aimed at ensuring staff and patients can report concerns without fear of reprisal.
Clinical laboratory managers and hospital pathologists may want to review these recommendations and consider the value of applying them in their own practices.
Patients in health systems that use the Cerner EHR can now track and share specific health metrics with their healthcare providers
In what may be the first steps toward becoming a full-service digital healthcare platform, health information technology (HIT) developer Cerner (NASDAQ:CERN) is partnering with Amazon (NASDAQ:AMZN) to bring cloud-based health tracking services to its EHR customers. People who use Amazon’s Halo service—which includes a wristband device and smartphone app to monitor specific health metrics—can now import that data directly into Cerner electronic health record (EHR) systems for sharing with healthcare providers.
This may turn out to be a pioneering effort by one of the nation’s major providers of EHR systems to pull in useful health data from a variety of non-traditional sources and incorporate them into a patient’s electronic health record. Cerner has a major market share of EHR systems (exceeded only by Epic) and has a laboratory information system (LIS) that is used by many clinical laboratories.
For this fact alone, strategic planners at medical laboratories and anatomic pathology groups should follow this development. That is particularly true of those labs operated by hospitals and health systems that decide to add this new feature to their existing Cerner EHR. If data is flowing into the EHR from patients’ Amazon Halo service, for example, it is not a big leap to imagine that clinical lab test data from the patients’ EHRs might later flow back to the Halo service where it would be instantly accessible to those patients.
This collaboration, according to a Cerner press release, “allows consumers to easily connect vital health and well-being information with their broader healthcare teams. … Historically this type of data has been siloed or difficult to obtain. Wearable technology, such as the Amazon Halo, can help achieve greater interoperability across healthcare when integrated directly into a patient’s electronic health record (EHR).”
Using Artificial Intelligence to Empower Healthcare Consumers
The Halo wristband, along with its accompanying smartphone app, “combines a suite of AI-powered health features that provide actionable insights into overall wellness … [and] uses multiple advanced sensors to provide the highly accurate information necessary to power Halo,” an Amazon press release states.
Data collected by Amazon Halo that are now importable into Cerner EHRs, according to the press release, include:
Activity: Informed by American Heart Association physical activity guidelines and the latest medical research, Amazon Halo awards points based on the intensity and duration of movement, not just the number of steps taken.
Sleep: Amazon Halo uses motion, heart rate, and temperature to measure time asleep and time awake; time spent in the various phases of sleep including deep, light, and REM; and skin temperature while sleeping.
Body: Amazon Halo lets customers measure their body fat percentage from the comfort and privacy of their own home, making this important information easily accessible.
Tone: This feature uses machine learning to analyze energy and positivity in a customer’s voice so they can better understand how they may sound to others, helping improve their communication and relationships.
Labs: Amazon Halo Labs are science-backed challenges, experiments, and workouts that allow customers to discover what works best for them specifically, so they can build healthier habits.
Leveraging Patient Generated Health Data
In the Cerner press release, David Bradshaw, Senior Vice President of Consumer and Employer Solutions at Cerner, said, “The healthcare industry is undergoing a digital revolution, where physicians are increasingly looking to leverage patient-generated health data to help keep them healthier and out of the doctor’s office.
“Our work with Amazon Halo,” he continued, “highlights the importance of using artificial intelligence and other leading-edge technologies to accelerate healthcare innovation and improve health outcomes. Cerner is focused on continuing to lead a wave of breakthrough innovation, and this integration with Amazon Halo is a step toward this goal.”
The first healthcare provider to offer the Amazon Halo service to its Cerner EHR users is Sharp HealthCare of San Diego. Some Sharp Health Plan members will participate in wellness programs and eventually have the option to link their Sharp and Halo data directly into the healthcare system’s Cerner EHR.
Sharp HealthCare includes 2,600 physicians, four acute care facilities, and three specialty hospitals.
“Technology is revolutionizing the way we care for patients and how consumers care for themselves, and at Sharp we strive to embrace innovative ways to leverage leading technology to engage consumers in managing their health,” said Michael Reagin, SVP and Chief Information and Innovation Officer at Sharp HealthCare, in the Cerner press release.
“With more relevant information at their fingertips, our populations will be empowered to make more informed decisions about the health and well-being of themselves and the communities they serve,” he added. “We are pleased to work with Cerner and Amazon Halo to offer our members, patients, and clinicians an opportunity to have a more connected health record.”
Cerner Expanding to Include Population Health and Precision Medicine
Cerner may be evolving toward a cloud-based platform that pulls in data from hospital and doctors’ office EHRs—as well as data gathered by wearable devices—and uses that information for population health and precision medicine analysis to guide healthcare providers.
Last year, Cerner announced a collaboration with the Amazon Web Services (AWS) cloud platform, reportedly in an effort to pivot beyond its traditional health records business.
“Moving forward, I think Cerner will look more like a health platform company and less like an EHR company,” Dan Devers, SVP, Cloud Strategy, and Chief IP Officer at Cerner, told Fierce Healthcare. “As you play out the trend in healthcare, I see Cerner very much operating at the health network level—so beyond the enterprise of a single health system. Given the power of the cloud and the work we’re doing, I see Cerner having much more relevance into broader networks and providing nationwide capabilities.”
Cerner is aiming to provide consumers with more power regarding their own healthcare by equipping them with easy, fast, and efficient methods to access their personal information and provide healthcare professionals with useful data about individual patients.
Given the value and importance of clinical laboratory data, innovative lab managers should strive to be aware of collaborations like the one between Cerner and Amazon Halo. Remaining alert for opportunities to participate in these types of arrangements could provide labs with added revenue streams and inventive ways to offer customers value-added services.
Media reports in the United Kingdom cite bad timing and centralization of public health laboratories as reasons the UK is struggling to meet testing goals
Clinical pathologists and medical laboratories in the UK and the US function within radically different healthcare systems. However, both countries faced similar problems deploying widespread diagnostic testing for SARS-CoV-2, the novel coronavirus that causes COVID-19. And the differences between America’s private healthcare system and the UK’s government-run, single-payer system are exacerbating the UK’s difficulties expanding coronavirus testing to its citizens.
The Dark Daily reported in March that a manufacturing snafu had delayed distribution of a CDC-developed diagnostic test to public health laboratories. This meant virtually all testing had to be performed at the CDC, which further slowed testing. Only later that month was the US able to significantly ramp up its testing capacity, according to data from the COVID Tracking Project.
However, the UK has fared even worse, trailing Germany, the US, and other countries, according to reports in Buzzfeed and other media outlets. On March 11, the UK government established a goal of administering 10,000 COVID-19 tests per day by late March, but fell far short of that mark, The Guardian reported. The UK government now aims to increase this to 25,000 tests per day by late April.
This compares with about 70,000 COVID-19 tests per day in Germany, The Guardian reported, and about 130,000 per day in the US (between March 26 and April 14), according to the COVID Tracking Project.
What’s Behind the UK’s Lackluster COVID-19 Testing Response
In January, when the outbreak first hit, Public Health England (PHE) “began a strict program of contact tracing and testing potential cases,” Buzzfeed reported. But due to limited medical laboratory capacity and low supplies of COVID-19 test kits, the government changed course and de-emphasized testing, instead focusing on increased ICU and ventilator capacity. (Scotland, Wales, and Northern Ireland each have separate public health agencies and national health services.)
Later, when the need for more COVID-19 testing became apparent, UK pathology laboratories had to contend with global shortages of testing kits and chemicals, The Guardian reported. At present, COVID-19 testing is limited to healthcare workers and patients displaying symptoms of pneumonia, acute respiratory distress syndrome, or influenza-like illness, PHE stated in “COVID-19: Investigation and Initial Clinical Management of Possible Cases” guidance.
Another factor that has limited widespread COVID-19 testing is the country’s highly-centralized system of public health laboratories, Buzzfeed reported. “This has limited its ability to scale and process results at the same speed as other countries, despite its efforts to ramp up capacity,” Buzzfeed reported. Public Health England, which initially performed COVID-19 testing at one lab, has expanded to 12 labs. NHS laboratories also are testing for the SARS-CoV-2 coronavirus, PHE stated in “COVID-19: How to Arrange Laboratory Testing” guidance.
Sharon Peacock, PhD, PHE’s National Infection Service Interim Director, Professor of Public Health and Microbiology at the University of Cambridge, and honorary consultant microbiologist at the Cambridge clinical and public health laboratory based at Addenbrookes Hospital, defended this approach at a March hearing of the Science and Technology Committee (Commons) in Parliament.
“Laboratories in this country have largely been merged, so we have a smaller number of larger [medical] laboratories,” she said. “The alternative is to have a single large testing site. From my perspective, it is more efficient to have a bigger testing site than dissipating our efforts into a lot of laboratories around the country.”
Writing in The Guardian, Paul Hunter, MB ChB MD, a microbiologist and Professor of Medicine at University of East Anglia, cites historic factors behind the testing issue. The public health labs, he explained, were established in 1946 as part of the National Health Service. At the time, they were part of the country’s defense against bacteriological warfare. They became part of the UK’s Health Protection Agency (now PHE) in 2003. “Many of the laboratories in the old network were shut down, taken over by local hospitals or merged into a smaller number of regional laboratories,” he wrote.
US Facing Different Clinical Laboratory Testing Problems
Meanwhile, a few medical laboratories in the US are now contending with a different problem: Unused testing capacity, Nature reported. For example, the Broad Institute of MIT and Harvard in Cambridge, Mass., can run up to 2,000 tests per day, “but we aren’t doing that many,” Stacey Gabriel, PhD, a human geneticist and Senior Director of the Genomics Platform at the Broad Institute, told Nature. Factors include supply shortages and incompatibility between electronic health record (EHR) systems at hospitals and academic labs, Nature reported.
Politico cited the CDC’s narrow testing criteria, and a lack of supplies for collecting and analyzing patient samples—such as swabs and personal protective equipment—as reasons for the slowdown in testing at some clinical laboratories in the US.
Challenges Deploying Antibody Tests in UK
The UK has also had problems deploying serology tests designed to detect whether people have developed antibodies against the virus. In late March, Peacock told members of Parliament that at-home test kits for COVID-19 would be available to the public through Amazon and retail pharmacy chains, the Independent reported. And, Politico reported that the government had ordered 3.5 million at-home test kits for COVID-19.
However, researchers at the University of Oxford who had been charged with validating the accuracy of the kits, reported on April 5 that the tests had not performed well and did not meet criteria established by the UK Medicines and Healthcare products Regulatory Agency (MHRA). “We see many false negatives (tests where no antibody is detected despite the fact we know it is there), and we also see false positives,” wrote Professor Sir John Bell, GBE, FRS, Professor of Medicine at the university, in a blog post. No test [for COVID-19], he wrote, “has been acclaimed by health authorities as having the necessary characteristics for screening people accurately for protective immunity.”
He added that it would be “at least a month” before suppliers could develop an acceptable COVID-19 test.
In the United States, the Cellex COVID-19 test is intended for use by medical laboratories. As well, many research sites, academic medical centers, clinical laboratories, and in vitro diagnostics (IVD) companies in the US are working to develop and validate serological tests for COVID-19.
Within weeks, it is expected that a growing number of such tests will qualify for a Food and Drug Administration (FDA) Emergency Use Authorization (EUA) and become available for use in patient care.
Physicians and clinical laboratories that do business with other healthcare providers who have been denied enrollment in Medicare or had their enrollment revoked are under increased scrutiny
Efforts by the Centers for Medicare and Medicaid Services (CMS) to crack down on fraud could soon be bolstered by artificial intelligence (AI) tools, placing new pressure on medical laboratories and anatomic pathology groups to ensure that their billing practices are fully compliant with current federal “affiliations” regulations.
This is why, last October, CMS issued a Request for Information (RFI) seeking feedback from vendors, providers, and suppliers about the potential use of AI tools to identify cases of fraud, waste, and abuse in billing for healthcare services. Statements from CMS indicate that the agency plans to deepen its investigation into the affiliations physicians and clinical laboratories have with healthcare providers that have been involved in fraudulent behavior within the Medicare program.
At present, CMS uses a variety of approaches to spot improper claims, the RFI notes, including the use of human medical reviewers. However, this is a costly process that allows review of less than 1% of claims. AI tools would increase the speed and accuracy of those investigations exponentially.
The RFI notes that AI technology could “help CMS identify potentially problematic affiliations upon initial screening and through continuous monitoring. One example would be a new tool or technology that would allow easy, seamless access to state and local business ownership and registration information that could improve CMS’ line-of-sight to potentially problematic business relationships.”
CMS’ New Affiliations Rule Affects Clinical Laboratories
Our sister publication, The Dark Report (TDR), provided in-depth coverage of this rule, which allows CMS “to revoke or deny enrollment if it finds that a provider’s or supplier’s current or previous affiliations pose an undue risk of fraud.” (See TDR, “Labs Must Respond to New CMS Anti-Fraud Rule,” October 14, 2019.)
“For too many years, we have played an expensive and inefficient game of ‘whack-a-mole’ with criminals—going after them one at a time—as they steal from our programs,” CMS Administrator Seema Verma said in a statement about the new rule. “These fraudsters temporarily disappear into complex, hard-to-track webs of criminal entities, and then re-emerge under different corporate names. These criminals engage in the same behaviors again and again.”
As TDR reported, the rule defines four “disclosable events” that trigger the disclosure requirements:
Uncollected debt to Medicare, Medicaid, or CHIP;
Payment suspension under a federal healthcare program;
Exclusion by the Office of Inspector General from participation in Medicare, Medicaid, or CHIP; and
Termination, revocation, or denial of Medicare, Medicaid, or CHIP enrollment.
If disclosure is required, CMS described five definitions of an affiliation, using a five-year look-back:
Direct or indirect ownership of 5% or more in another organization;
A general or limited partnership interest, regardless of the percentage;
An interest in which an individual or entity “exercises operational or managerial control over, or directly conducts” the daily operations of another organization, “either under direct contract or through some other arrangement;”
When an individual is acting as an officer or director of a corporation; and
Any reassignment relationship.
One interesting consequence of these definitions is that individuals or companies that invest and own an interest in a provider organization that has one or more “disclosable events” would be flagged by the provider at time of enrollment or re-enrollment in the Medicare program. Over the years, some very prominent private equity companies have been investors and owners of medical laboratory companies that owed money to Medicare or entered into civil settlements with the federal government where the full amount of the alleged overpayments was not recovered and the provider neither admitted nor denied guilt. These affiliations would need to be disclosed and could be used by CMS to deny enrollment in the Medicare program.
“Lab companies that engage in fraud and abuse—often paying illegal inducements to physicians to encourage them to order medically-unnecessary tests—distort the lab testing marketplace and capture lab test referrals that would otherwise go to compliant clinical labs and pathology groups,” stated Robert Michel, Editor-In-Chief of The Dark Report. “So, honest labs will recognize how the new rule can help suppress various types of fraud that constantly plague the clinical lab industry.” (See TDR, “Is New Medicare Affiliation Rule Good, Bad, or Ugly?” November 4, 2019.)
Other AI Applications in Healthcare
The CMS RFI also suggests other areas in which artificial intelligence could help identify fraudulent activity, including real-time monitoring of electronic health records (EHR), risk adjustment data validation (RADV) audits, and value-based payment systems.
“These tools hold the promise of more expeditious, seamless and accurate review of chart documentation during medical review to ensure that we are paying for what we get and getting what we pay for,” the RFI states. “However, concerns about potential improper payments and bad actors remain. We need to determine whether innovative new strategies, tools, and technologies presently exist that can increase data accuracy and integrity and consequently reduce improper payments.”
Clinical laboratories should not be surprised by any of this. Artificial intelligence and machine learning are increasingly becoming vital tools in today’s modern healthcare system. Nevertheless, lab leaders should closely monitor CMS’ use of these technologies to root out fraud, as labs are often caught up in their investigations.