News, Analysis, Trends, Management Innovations for
Clinical Laboratories and Pathology Groups

Hosted by Robert Michel


HHS Announces Culpability Limits for HIPAA Violations, Drops Annual Fines Owed by Providers

Clinical laboratories need to understand how their patients’ protected health information is being used and secured by vendors to avert data breaches and HHS penalties

Most readers of The Dark Report, the sister publication to the Dark Daily, are aware that more than 24-million clinical laboratory patients had their protected health information (PHI) stolen during several recent data breaches involving multiple medical laboratory companies.

The first public statements made by clinical lab companies about breaches of protected health information were issued in June. Collectively, the following three lab companies announced that the data of more than 20 million patients was compromised:

In the eight weeks that followed, additional medical laboratory companies publicly disclosed breaches of their patient data, including:

What all these clinical lab companies had in common was that they had contracted with American Medical Collection Agency (AMCA) to process lab test claims. AMCA is where the data breaches originated.

Under the rules established by the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996, responsibility for the security of patient PHI falls to covered entities and business associates. This includes healthcare providers, health plans, and healthcare clearinghouses, such as AMCA. For clinical laboratories, this also includes vendors who receive patients’ PHI to complete their service contracts.

Until recently, any violation of HIPAA could draw down enormous fines—called Civil Money Penalties (CMPs)—by the US Department of Health and Human Services (HHS). Fines could reach $1.5 million annually across four categories, or tiers, of violations, depending on HHS’ determination as to the “level of culpability” of the violator. Those categories and min/max fines include:

  • No Knowledge, $100-$50,000 fine, $1.5 mil annual limit.
  • Reasonable Cause, $1,000-$50,000 fine, $1.5 mil annual limit.
  • Willful Neglect-Corrected, $10,000-$50,000 fine, $1.5 mil annual limit.
  • Willful Neglect-Not Corrected, $50,000-$50,000 fine, $1.5 mil annual limit.

Earlier this year, HHS released a “Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties.” In it, HHS revised its interpretation of the law and reduced CMPs, while more clearly defining how provider culpability ties to the ultimate amount of the fines:

  • No Knowledge, $100-$50,000 fine, $25,000 annual limit.
  • Reasonable Cause, $1,000-$50,000 fine, $100,000 annual limit.
  • Willful Neglect-Corrected, $10,000-$50,000 fine, $250,000 annual limit.
  • Willful Neglect-Not Corrected, $50,000-$50,000 fine, $1.5 mil annual limit.

In the notice, HHS stated, “the Department recognized that section 13410(d) contained apparently inconsistent language (i.e., its reference to two penalty tiers ‘for each violation,’ each of which provided a penalty amount ‘for all such violations’ of an identical requirement or prohibition in a calendar year). To resolve this inconsistency, with the exception of violations due to willful neglect that are not timely corrected, the [interim final rule] adopted a range of penalty amounts between the minimum given in one tier and the maximum given in the second tier for each violation and adopted the amount of $1.5 million as the limit for all violations of an identical provision of the HIPAA rules in a calendar year.”

Modern Healthcare reports that “organizations that have taken measures to meet HIPAA’s requirements will face a much smaller maximum penalty than those who are found neglectful.”

Thus, the new HHS guidelines will be of interest to clinical laboratories, which must ensure the privacy of patients’ PHI, including being keenly aware of how vendor business associates are handling their patients’ data.

In an exclusive interview with The Dark Report, James Giszczak (above), Data Privacy and Cybersecurity Attorney and Chair of the Litigation Department at McDonald Hopkins, said two important steps clinical laboratories must take include, “ensuring that your vendor has appropriate insurance policies in place that cover PHI breaches, and confirming that vendors comply with laws governing the protection of patients’ information.” To do that, he says, every lab needs to ensure that all critical provisions are covered in each contract it has with each vendor. (Photo copyright: Institute of Continuing Legal Education.)

Did HHS Go Too Far?

Some experts, however, wonder if HHS went too far in reducing annual penalties providers may owe. Could lower annual CMP caps cause organizations to relax strict PHI policies? Some privacy authorities urge caution and raise concern about how incentives may be perceived by providers and others.

“HHS is adopting a much lower annual cap for all violations except those due to willful neglect, which means significantly lower penalties for large breaches and for ongoing persistent violations of the rules,” Deven McGraw, Chief Regulatory Officer at Citizen Corporation and former Deputy Director Health Information Privacy for HHS’ Office for Civil Rights, told FierceHealthcare.

“Arguably,” she continued, “the incentive to fix these persistent failures is much less because the potential fines for failing to do so will not be very large. Same is true for large breaches—if you breach 10 records, at a minimum penalty of $1,000 for a breach due to reasonable cause, your fine would be $100,000, which is the annual cap.”

New Annual Limits Recognize ‘Unintentional’ Violations

But not all experts agree. Prior to HHS’ announcement, the minimum and maximum per-violation penalties were the same as noted in the tiers above, and the annual limit ($1.5 million) was also the same for each of the four tiers.

Matthew Fisher, Partner at Mirick O’Connell and Chair of the Worcester, Mass. firm’s health law group, says the new penalty structure “is arguably good in terms of aligning potential penalties with the level of culpability.”

“If a violation was clearly unintentional and without knowledge, why should a potentially massive fine follow? While the discretion existed, the interpretation will now be binding and remove the potential uncertainty,” he told FierceHealthcare.

Advice for Clinical Laboratories

Labs are advised to develop appropriate procedures to safeguard their patients’ PHI under federal and state laws. This includes knowing how vendors handle PHI.

“Every lab should be proactive and do a review to understand each vendor’s policies, procedures, training, and response in the event of a breach,” James Giszczak, Data Privacy and Cybersecurity Attorney and Chair of the Litigation Department at McDonald Hopkins in Bloomfield Hills, Mich., told The Dark Report (TDR).

“By being prepared, clinical laboratories can save themselves many headaches,” he said. “Ultimately, these proactive steps may help laboratories save time, money, and costly bad publicity.”

Following that advice, along with understanding the new HHS notice, will help medical laboratory managers ensure the privacy and security of their clients’ PHI.

—Donna Marie Pocius

Related Information:

HHS Implements HIPAA Fine Caps Based on Level of Culpability

Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties

HHS Moves to Reduce HIPAA Fines Lowering the Cap More Than $M for Some Violations

HHS to Cap HIPAA Fines Based on “Culpability”

Labs Should Heed Lessons from Huge Data Breach

Late-Breaking Lab News: Add Eight More Laboratories to the List of Lab Companies Whose Patient Data Were Breached

DOJ Pursues Organizations That Falsely Claim Compliance with Medicare’s EHR Incentive Programs

Clinical laboratories that interface with hospital EHR systems under scrutiny by the DOJ could be drawn into the investigations

Officials at the federal US Department of Justice (DOJ) continue to pursue fraud cases involving health systems that allegedly have falsely attested to complying with the Medicare and Medicaid electronic health record (EHR) adoption incentive programs (now known as the Promoting Interoperability Programs).

This is important for clinical laboratory leaders to watch, because medical labs often interface with hospital EHRs to exchange vital patient data, a key component of complying with Medicare’s EHR incentive programs. If claims of interoperability are shown to be false, could labs engaged with those hospital systems under scrutiny be drawn into the DOJ’s investigations?

Violating the False Claims Act

In May, Coffey Health System (CHS), which includes Coffey County Hospital, a 25-bed critical access hospital located in Burlington, Kan., agreed to pay the US government a total of $250,000 to settle a claim that it violated the False Claims Act.

CHS’ former CIO filed the qui tam (aka, whistleblower) lawsuit, which allows individuals to sue on behalf of the government and share in monetary recovery. He alleged that CHS provided false information to the government about being in compliance with security standards to receive incentive payments under the EHR Incentive Program.

According to a DOJ press release, “the United States alleged that Coffey Health System falsely attested that it conducted and/or reviewed security risk analyses in accordance with requirements under a federal incentive program for the reporting periods of 2012 and 2013. The government contended that the hospital submitted false claims to the Medicare and Medicaid Programs pursuant to the Electronic Health Records (EHR) Incentive Program.”

“Medicare and Medicaid beneficiaries expect that providers ensure the accuracy and security of their electronic health records,” said Stephen McAllister (above), United States Attorney for the District of Kansas, in the DOJ press release. “This office remains committed to protecting the federal health programs and to hold accountable those whose conduct results in improper payments.” (Photo copyright: US Department of Justice.)

How Providers Receive EHR Incentive Program Funds

The original EHR Adoption Incentive Program was part of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The federal government enacted the program as part of the American Recovery and Reinvestment Act of 2009 (the Recovery Act), which was an amendment to the Health Insurance Portability and Accountability Act (HIPAA).

The Recovery Act allocated $25 billion to incentivize healthcare professionals and facilities to adopt and demonstrate meaningful use (MU) of electronic health records by January 1, 2014. The federal Centers for Medicare and Medicaid Services (CMS) released the incentive funds when providers attested to accomplishing specific goals set by the program.

The website of the Office of the National Coordinator for Health Information Technology (ONC) defines “meaningful use” as the use of digital medical and health records to:

  • Improve quality, safety, efficiency, and reduce health disparities;
  • Engage patients and their families;
  • Improve care coordination and population and public health; and
  • Maintain privacy and security of patient health information.

The purpose of the HITECH Act was to address privacy and security concerns linked to electronic storage and transference of protected health information (PHI). HITECH encourages healthcare organizations to update their health records and record systems, and it offers financial incentives to institutions that are in compliance with the requirements of the program.

When eligible professionals or eligible hospitals attest to being in compliance with Medicare’s EHR incentive program requirements, they can file claims for federal funds, which are paid and audited by the Department of Health and Human Services (HHS) through Medicare and Medicaid.

Institutions receiving funds must demonstrate meaningful use of EHR records or risk potential penalties, including the delay or cancellation of future payments and full reimbursement of payments already received. In addition, false statements submitted in filed documents are subject to criminal laws and civil penalties at both the state and federal levels.

EHR Developers Under Scrutiny by DOJ

EHR vendors also have been investigated and ordered to make restitutions by the DOJ.

In February, Greenway Health, a Tampa-based EHR developer, agreed to pay $57.25 million to resolve allegations related to the False Claims Act. In this case, the government contended that Greenway obtained certification for its “Prime Suite” EHR even though the technology did not meet the requirements for meaningful use.

And EHR vendor eClinicalWorks paid the government $155 million to settle allegations under the False Claims Act. The government maintained that eClinicalWorks misrepresented the capabilities of its software and provided $392,000 in kickbacks to customers who promoted its product.

Legal cases such as these demonstrate that the DOJ will pursue both vendors and healthcare organizations that misrepresent their products or falsely attest to interoperability under the terms laid out by Medicare’s EHR Incentive Program.

Clinical laboratory leaders and pathology groups should carefully study these cases. This knowledge may be helpful when they are asked to create and maintain interfaces to exchange patient data with client EHRs.

—JP Schlingman

Related Information:

DOJ Pursues More Electronic Health Records Cases

Electronic Health Records Vendor to Pay $57.25 Million to Settle False Claims Act Allegations

Electronic Health Records Vendor to Pay $155 Million to Settle False Claims Act Allegations

Kansas Hospital Agrees to Pay $250,000 to Settle False Claims Act Allegations

EHR Sales Reached $31.5 Billion in 2018 Despite Concerns over Usability, Interoperability, and Ties to Medical Errors

CMS Finalizes Rule Rebranding ‘Meaningful Use’ Program to ‘Promoting Interoperability’

Ongoing federal regulatory push for EHR interoperability requires medical laboratories and anatomic pathology groups to have strategies for ensuring seamless interfaces with providers and hospitals

What difference does a name make? Clinical laboratories and anatomic pathology groups soon may know the answer to that question following the renaming of the Centers for Medicare and Medicaid Services (CMS) “Meaningful Use” program to “Promoting Interoperability” (PI).

CMS first announced the rebranding in April as part of a proposed rule aimed at transforming the Meaningful Use aspect of the federal Health Information Technology for Economic and Clinical Health (HITECH) Act. HITECH has been Medicare’s roadmap to electronic health record (EHR) implementation and interoperability since it was enacted in 2009.

The final rule arrived on August 2, 2018, and it may impact how clinical laboratories interface with provider and hospital EHRs.

Removing Obstacles to Quality Patient Care

In the news release outlining the updates to Medicare payment policies and rates under the Inpatient Prospective Payment System and the Long-Term Care Hospital Prospective Payment System, CMS states the “overhaul” of the meaningful use program will:

  • Make the program more flexible and less burdensome;
  • Emphasize measures that require the exchange of health information between providers and patients; and,
  • Incentivize providers to make it easier for patients to obtain their medical records electronically.

“We’re excited to make these changes to ensure care will focus on the patient, not on needless paperwork,” CMS Administrator Seema Verma stated in the news release. “We’ve listened to patients and their doctors who urged us to remove the obstacles getting in the way of quality care and positive health outcomes. Today’s final rule reflects public feedback on CMS proposals issued in April and the agency’s patient-driven priorities of improving the quality and safety of care, advancing health information exchange and usability, and removing outdated or redundant regulation on healthcare providers to make way for innovation and greater value.” (Photo copyright: Centers for Medicare and Medicaid Services.)

According to a CMS fact sheet, key provisions of the overhaul include:

  • The rule finalized an EHR reporting period to a minimum of any continuous 90-day period in each of calendar years 2019 and 2020 for new and returning participants attesting to CMS or their State Medicaid agency;
  • For the Medicare Promoting Interoperability Program, the rule finalized a new performance-based scoring methodology consisting of a smaller set of objectives that CMS states will provide a more flexible, less-burdensome structure, allowing eligible hospitals and critical access hospitals (CAHs) to place their focus back on patients;
  • CMS finalized two new e-Prescribing measures related to e-prescribing of opioids (Schedule II controlled substances);
  • Beginning with an EHR reporting period in CY 2019, all eligible hospitals and CAHs under the Medicare and Medicaid PI programs will be required to use the 2015 Edition of Certified EHR Technology; and,
  • CMS finalized changes to measures, including removing certain measures CMS believes do not emphasize interoperability and the electronic exchange of health information.

According to CMS, about 3,300 acute care hospitals and 420 long-term care hospitals will be subject to the final rule, which takes effect October 1. Obviously, medical laboratories servicing these healthcare organizations will be similarly affected.

Rebranding More than a Name Change

Healthcare Informatics analyzed the 2,593-page final rule, explaining that the “core emphasis” of the meaningful use overhaul is “on advancing health data exchange among providers.”

The initial proposal in April, according to Healthcare Informatics, invited stakeholder feedback through a request for information on the possibility of revising CMS’ “Conditions of Participation” for hospitals by requiring providers to electronically transfer medically necessary information following a patient discharge or transfer. The final rule, however, did not include that change.

Instead, the CMS Fact Sheet on the rule states the April request for information was “to obtain feedback on positive solutions to better achieve interoperability, or the sharing of healthcare data between providers, which will inform next steps in advancing this critical initiative.”

Rebranding meaningful use is CMS’ first step in implementing core pieces of the Administration’s MyHealthEData Initiative to strengthen interoperability. In remarks during the ONC Interoperability Forum in Washington, DC, CMS Administrator Seema Verma described the rebranding decision as “much more than a name change” and signaled future CMS actions.

“It is a change in direction for the programs—from programs that support the adoption of health IT, to programs that promote interoperability and patient access to data,” she explained. “To avoid payment reductions and gain incentives, doctors and hospitals will have to give patients electronic access to their health records. We are also considering whether CMS should require—as a condition of participation in the Medicare program—that providers share data with patients in a universal electronic format and hope to share more information on that soon.”

The recent changes follow passage of the Bipartisan Budget Act of 2018, which included a provision relaxing meaningful-use requirements. Though the legislation affects only hospitals and outpatient Medicaid providers, Robert Tennant, Director of Health Information Technology Policy for the Medical Group Management Association (MGMA), declared the revision a “huge win” for providers.

“I don’t think the government recognized how difficult it would be to move from stage 1 to stage 2 to stage 3 [meaningful use] requirements and the significant costs involved,” Tennant told Modern Healthcare. “We hope that it signals an interest in Congress in having the administration and HHS (Federal Health and Human Services) not make these quality reporting programs so onerous that it results in large swaths of providers not being successful.”

Clinical laboratories and anatomic pathology groups should be aware that interoperability between their laboratory information systems and the EHRs of providers and hospitals continues to be important. Although the term “Meaningful Use” is to be supplanted by “Promoting Interoperability,” the ability to move patient health information seamlessly among providers continues to be a major goal of this country’s healthcare system.

—Andrea Downing Peck

Related Information:

CMS Finalizes Changes to Empower Patients and Reduce Administrative Burden

In Proposed MU Rebranding Rule, CMS Raises the Interoperability Stakes

Fact Sheet: Fiscal Year (FY) 2019 Medicare Hospital Inpatient Prospective Payment System (IPPS) and Long-Term Acute Care Hospital (LTCH) Prospective Payment System Final Rule (CMS-1694-F)

H.R. 1892: Bipartisan Budget Act of 2018

Printable PDF: Final Rule (CMS-1694-F)

Speech: Remarks by Administrator Seema Verma at the ONC Interoperability Forum in Washington, DC

Congress Budget Deal Relaxes Meaningful-Use Requirements

CMS Proposes Changes to Empower Patients and Reduce Administrative Burden

CMS Proposes Meaningful Use Changes to Promote Interoperability

University of Michigan Study Predicts that Majority of Physician Practices Will Lose Money on their EHR Systems

Research study shows opportunity for clinical laboratories to help client physicians get more value from their electronic health record systems

For the majority of physicians in the United States, implementation of an electronic health record (EHR) system in their practice may turn out to be a money-losing proposition. That is one prediction made by researchers at the University of Michigan (UM), based on a study they conducted.

Among other things, these findings indicate that progressive clinical laboratories and pathology groups have the opportunity to leverage the interface between their laboratory information system (LIS) and the client physician’s EHR to deliver added value. That’s because pathologists, Ph.D.s, and laboratory scientists know many ways that physicians can improve how they order medical laboratory tests and act upon the results of those tests.

Six Health IT Companies Join Forces to Develop Interoperable EHR Systems to Better Compete Against Epic’s EHR Product

CommonWell is the name of the new organization formed to create the interoperability that would enable universal access to each patient’s health care records

It was big news in the healthcare IT world when six major healthcare IT companies joined together on March 4 and announced a collaboration intended to develop electronic health record (EHR) systems that are interoperable. That is a goal that can come none too soon for clinical laboratories and anatomic pathology groups.

The collaboration will take the form of an independent nonprofit organization to be called CommonWell Health Alliance. The six companies contributing to the formation of CommonWell are: