Clinical laboratories need to understand how their patients’ protected health information is being used and secured by vendors to avert data breaches and HHS penalties
Most readers of The Dark Report, the sister publication to the Dark Daily, are aware that more than 24-million clinical laboratory patients had their protected health information (PHI) stolen during several recent data breaches involving multiple medical laboratory companies.
The first public statements made by clinical lab companies about breaches of protected health information were issued in June. Collectively, the following three lab companies announced that the data of more than 20 million patients was compromised:
What all these clinical lab companies had in common was that they had contracted with American Medical Collection Agency (AMCA) to process lab test claims. AMCA is where the data breaches originated.
Under the rules established by the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996, responsibility for the security of patient PHI falls to covered entities and business associates. This includes healthcare providers, health plans, and healthcare clearinghouses, such as AMCA. For clinical laboratories, this also includes vendors who receive patients’ PHI to complete their service contracts.
Until recently, any violation of HIPAA could draw enormous fines—called Civil Money Penalties (CMPs)—from the US Department of Health and Human Services (HHS). Fines could reach $1.5 million annually across four categories, or tiers, of violations, depending on HHS’ determination as to the “level of culpability” of the violator. Those categories and min/max fines include:
No Knowledge, $100-$50,000 fine, $1.5 mil annual limit.
Reasonable Cause, $1,000-$50,000 fine, $1.5 mil annual limit.
In the notice, HHS stated, “the Department recognized that section 13410(d) contained apparently inconsistent language (i.e., its reference to two penalty tiers ‘for each violation,’ each of which provided a penalty amount ‘for all such violations’ of an identical requirement or prohibition in a calendar year). To resolve this inconsistency, with the exception of violations due to willful neglect that are not timely corrected, the [interim final rule] adopted a range of penalty amounts between the minimum given in one tier and the maximum given in the second tier for each violation and adopted the amount of $1.5 million as the limit for all violations of an identical provision of the HIPAA rules in a calendar year.”
Modern Healthcare reports that “organizations that have taken measures to meet HIPAA’s requirements will face a much smaller maximum penalty than those who are found neglectful.”
Thus, the new HHS guidelines will be of interest to clinical laboratories, which must ensure the privacy of patients’ PHI, including being keenly aware of how vendor business associates are handling their patients’ data.
Did HHS Go Too Far?
Some experts, however, wonder if HHS went too far in reducing annual penalties providers may owe. Could lower annual CMP caps cause organizations to relax strict PHI policies? Some privacy authorities urge caution and raise concern about how incentives may be perceived by providers and others.
“HHS is adopting a much lower annual cap for all violations except those due to willful neglect, which means significantly lower penalties for large breaches and for ongoing persistent violations of the rules,” Deven McGraw, Chief Regulatory Officer at Citizen Corporation and former Deputy Director Health Information Privacy for HHS’ Office for Civil Rights, told FierceHealthcare.
“Arguably,” she continued, “the incentive to fix these persistent failures is much less because the potential fines for failing to do so will not be very large. Same is true for large breaches—if you breach 10 records, at a minimum penalty of $1,000 for a breach due to reasonable cause, your fine would be $100,000, which is the annual cap.”
New Annual Limits Recognize ‘Unintentional’ Violations
But not all experts agree. Prior to HHS’ announcement, minimum to maximum penalty violations were the same as noted in the tiers above. The annual limits ($1.5 million), however, were the same for each of the four tiers.
Matthew Fisher, Partner at Mirick O’Connell and Chair of the Worcester, Mass. firm’s health law group, says the new penalty structure “is arguably good in terms of aligning potential penalties with the level of culpability.”
“If a violation was clearly unintentional and without knowledge, why should a potentially massive fine follow? While the discretion existed, the interpretation will now be binding and remove the potential uncertainty,” he told FierceHealthcare.
Advice for Clinical Laboratories
Labs are advised to develop appropriate procedures to safeguard their patients’ PHI under federal and state laws. And this includes knowing how vendors handle PHI.
“Every lab should be proactive and do a review to understand each vendor’s policies, procedures, training, and response in the event of a breach,” James Giszczak, Data Privacy and Cybersecurity Attorney and Chair of the Litigation Department at McDonald Hopkins in Bloomfield Hills, Mich., told The Dark Report (TDR).
“By being prepared, clinical laboratories can save themselves many headaches,” he said. “Ultimately, these proactive steps may help laboratories save time, money, and costly bad publicity.”
Following that advice, along with understanding the new HHS notice, will help medical laboratory managers ensure the privacy and security of their clients’ PHI.
Medical fraudsters are targeting Medicare recipients with schemes to persuade them to agree to genetic tests advertised as informing them if they are predisposed to specific chronic diseases or cancer
Medicare scams involving orders for unnecessary, expensive testing are not new. However, clinical laboratory managers and anatomic pathologists need to be aware—particularly those working in hospital and health system labs—that an entirely new wave of fraud involving medical laboratory testing is gaining momentum. This time, instead of specialty cardiology, toxicology, and pain management testing, the scam involves genetic tests.
The shifting focus to genetic tests by fraudsters is a recent development of which many hospital-based medical laboratory professionals may be unaware. One reason hospital lab managers can be extraordinarily compliant with federal and state laws is that they don’t want to threaten the license of their hospital. So, hospital lab staff often are unaware of the types and extent of fraud involving certain lines of clinical lab testing that surface in the outpatient/outreach market.
The growing number of fraudulent activities associated with genetic tests is now an issue for federal healthcare fraud investigators. Former US attorney Robert M. Thomas, Jr., a whistleblower attorney, adjunct professor at Boston University School of Law, and a civil rights advocate, wrote in STAT, “What’s going on here is the same pattern of activity that has occurred throughout the healthcare system: a great majority of law-abiding actors and a few that seek out opportunities to game the system of government reimbursement. If you can get a saliva swab and a Medicare number [to provide a specimen for a genetic test] from an unsuspecting senior and falsify a doctor’s order (or find a shady doctor to write one), there’s an easy four-figure sum to be had.”
This aligns with a recent fraud alert from the US Department of Health and Human Services Office of Inspector General (OIG) that states: “Scammers are offering Medicare beneficiaries ‘free’ screenings or cheek swabs for genetic testing to obtain their Medicare information for identity theft or fraudulent billing purposes. Fraudsters are targeting beneficiaries through telemarketing calls, booths at public events, health fairs, and door-to-door visits.
“Beneficiaries who agree to genetic testing or verify personal or Medicare information may receive a cheek swab, an in-person screening or a testing kit in the mail, even if it is not ordered by a physician or medically necessary.
“If Medicare denies the claim, the [Medicare] beneficiary could be responsible for the entire cost of the test, which could be thousands of dollars.”
How the Scam Works
As with similar fraud cases, the scamsters pay inducements to often-unaware patients, physicians, and others to encourage an order for a genetic test. They then bill federal health programs and private insurers at inflated prices.
Thomas describes one such scenario used to increase genetic test orders. “A typical scheme might go something like this: A scammer offers free ice cream sundaes, gift cards, or even casino chips at a retirement community or ‘Medicare expo’ for anyone who would like to hear about the exciting new technology of genetic testing and what it might reveal about ‘your family’s risk of cancer’ or some other come-on,” explained Thomas. “The scammer describes this sophisticated technology and downplays or ignores the medical necessity criteria and the need for a doctor’s order. He or she persuades some attendees to provide saliva samples and gets identifying information, such as the senior’s name, date of birth, and Medicare number.
“The scammer then approaches a testing lab, saying, ‘I can find you a lot more business and get you a lot more patients if you share the proceeds with me.’ This, of course, violates the federal anti-bribery law known as the Anti-Kickback Act. But the lure of high-volume profits can be strong enough for some to ignore that roadblock,” he noted.
What Medical Laboratories Need to Know about Fraud and Genetic Tests
Regardless of how the fraudster proceeds—whether asking the lab company outright to split profits or by simply sending a high volume of the same genetic test to the lab without explanation—clinical laboratory managers should be alert to such activities.
Thomas writes: “An ethical lab would detect that something is amiss with such a request [involving a genetic test]. An alert lab might question how an individual, who is not a doctor, has gotten so many saliva samples and [so much] personal information from so many ‘patients.’ Other [genetic testing] lab companies may simply play the game without asking enough questions, or worse, knowing that the tests are not medically necessary, as required by the rules. The promise of easy money can be just too alluring.”
Physicians and medical laboratories that participate in these scams are in violation of the federal anti-bribery laws. In “Federal Investigations into Alleged Kickback Schemes between Hospitals and Physicians Increase in Number and Scope,” Dark Daily reported on new OIG investigations into hospitals alleged to have violated anti-kickback legislation.
Current Cases Involving Genetic Testing Scams
Fraudulent medical test ordering schemes are an ongoing problem that Dark Daily has repeatedly covered. Though the genetic testing aspect is relatively new, there are several recent and current cases that outline the consequences of participating in the new scam.
For example, in February GenomeDx Biosciences Corp. (GenomeDx) agreed to pay $1.99 million to settle a federal case regarding unnecessary genetic testing. In this case, post-operative prostate cancer patients were given a genetic test called Decipher even though they “did not have risk factors necessitating the test,” a Department of Justice (DOJ) press release states. The DOJ claimed GenomeDx fraudulently billed Medicare for the tests, violating the False Claims Act.
A similar federal case involved a doctor who was charged with ordering genetic tests for patients he never saw or treated. Though the doctor was licensed to practice medicine in Florida, the “patients” in question resided in Oklahoma, Arizona, Tennessee, and Mississippi. One patient testified to having responded to a Facebook ad that offered a $100 gift card “for people interested in genetic testing,” a press release from the US Attorney’s Office District of New Jersey stated.
One important recommendation is that medical laboratory professionals learn how to spot and question potentially fraudulent testing requests. This shift to genetic testing is just the latest threat. Even clinical labs that are well prepared could be caught unaware, particularly if the fraudster sends genetic test orders to multiple labs to process what are probably medically-unnecessary tests.
This is important for clinical laboratory leaders to watch, because medical labs often interface with hospital EHRs to exchange vital patient data, a key component of complying with Medicare’s EHR incentive programs. If claims of interoperability are shown to be false, could labs engaged with those hospital systems under scrutiny be drawn into the DOJ’s investigations?
Violating the False Claims Act
In May, Coffey Health System (CHS), which includes Coffey County Hospital, a 25-bed critical access hospital located in Burlington, Kan., agreed to pay the US government a total of $250,000 to settle a claim that it violated the False Claims Act.
CHS’ former CIO filed the qui tam (aka, whistleblower) lawsuit, which allows individuals to sue on behalf of the government and share in monetary recovery. He alleged that CHS provided false information to the government about being in compliance with security standards to receive incentive payments under the EHR Incentive Program.
According to a DOJ press release, “the United States alleged that Coffey Health System falsely attested that it conducted and/or reviewed security risk analyses in accordance with requirements under a federal incentive program for the reporting periods of 2012 and 2013. The government contended that the hospital submitted false claims to the Medicare and Medicaid Programs pursuant the Electronic Health Records (EHR) Incentive Program.”
The Recovery Act allocated $25 billion to incentivize healthcare professionals and facilities to adopt and demonstrate meaningful use (MU) of electronic health records by January 1, 2014. The federal Centers for Medicare and Medicaid Services (CMS) released the incentive funds when providers attested to accomplishing specific goals set by the program.
The website of the Office of the National Coordinator for Health Information Technology (ONC), HealthIt.gov, defines “meaningful use” as the use of digital medical and health records to:
Improve quality, safety, efficiency, and reduce health disparities;
Engage patients and their families;
Improve care coordination and population and public health; and
Maintain privacy and security of patient health information.
The purpose of the HITECH Act was to address privacy and security concerns linked to electronic storage and transference of protected health information (PHI). HITECH encourages healthcare organizations to update their health records and record systems, and it offers financial incentives to institutions that are in compliance with the requirements of the program.
When eligible professionals or eligible hospitals attest to being in compliance with Medicare’s EHR incentive program requirements, they can file claims for federal funds, which are paid and audited by the Department of Health and Human Services (HHS) through Medicare and Medicaid.
Institutions receiving funds must demonstrate meaningful use of EHR records or risk potential penalties, including the delay or cancellation of future payments and full reimbursement of payments already received. In addition, false statements submitted in filed documents are subject to criminal laws and civil penalties at both the state and federal levels.
EHR Developers Under Scrutiny by DOJ
EHR vendors also have been investigated and ordered to make restitutions by the DOJ.
In February, Greenway Health, a Tampa-based EHR developer, agreed to pay $57.25 million to resolve allegations related to the False Claims Act. In this case, the government contended that Greenway obtained certification for its “Prime Suite” EHR even though the technology did not meet the requirements for meaningful use.
And EHR vendor eClinicalWorks paid the government $155 million to settle allegations under the False Claims Act. The government maintained that eClinicalWorks misrepresented the capabilities of its software and provided $392,000 in kickbacks to customers who promoted its product.
Legal cases such as these demonstrate that the DOJ will pursue both vendors and healthcare organizations that misrepresent their products or falsely attest to interoperability under the terms laid out by Medicare’s EHR Incentive Program.
Clinical laboratory leaders and pathology groups should carefully study these cases. This knowledge may be helpful when they are asked to create and maintain interfaces to exchange patient data with client EHRs.
Growing interest in more transparency for the prices of prescription drugs is reflected in a study published in the Journal of the American Medical Association (JAMA) that highlights disparities in pharma prices for patients, pharmacies, and payers
However, while reference pricing and pricing databases help savvy patients compare prices across a range of procedures, much about pharmaceutical pricing remains shrouded in mystery. This is why calls for greater transparency in how prescription drugs are priced are increasing as well.
The Trump administration, state governments, and advocacy groups have each targeted drug costs as a problem in the current healthcare system. And a March 2018 study published in the Journal of the American Medical Association (JAMA) may further fuel the fires facing big pharma.
Overpayments and the Silence Behind Them
Analyzing 9.5 million claims from Optum’s Clinformatics Data Mart over the first half of 2013, researchers found that approximately 23% of all claims involved overpayments—situations in which the co-pay charged to the patient exceeded what the insurer paid the pharmacy to fill the prescription.
While data from 2013 might not reflect the current state of pharmaceutical pricing, the study brings exposure to trends in both politics and media coverage surrounding the industry.
The study authors found that overpayments totaled $135-million in 2013. Generic medications saw a higher portion of overpayments with more than one in four generic prescriptions costing patients more than what payers paid the pharmacy. However, in the 6% of claims involving branded medication, overpayments were nearly twice as high with an average overpayment of $13.46 per claim.
The researchers also cited data from a National Community Pharmacists Association (NCPA) survey of 628 pharmacies in which 49% claimed to have seen 10-50 occurrences of “clawback fees” in the past month. A further 35% reported seeing more than 50 clawback fees in the past month. These “fees” are part of contractual obligations that payers can use to recoup such overpayments to pharmacies.
Other contractual arrangements, such as “gag clauses” (AKA, non-disclosure agreements), wherein pharmacists cannot disclose to patients when their copay exceeds the cost of filling the prescription without coverage, have garnered coverage in the media.
The Hill recently outlined efforts from senators to stop this practice for both traditional insurance plans and Medicare Advantage and Part D participants. “Americans have the right to know which payment method—insurance or cash—would provide the most savings when purchasing prescription drugs,” Senator Susan Collins (R-Maine) told The Hill.
Rebates, Secretive Deals, and Red Tape in Government Crosshairs
Rebates are another contested aspect of current pricing models. Traditionally, pharmacy benefit managers (PBMs) serve as a middleman between pharmaceutical companies and pharmacies to negotiate prices and maintain markets. PBMs negotiate deals for insurers in the form of rebates. Insurers, however, are using these savings to offer lower premiums, rather than forwarding the savings directly to the customer.
UnitedHealthcare unveiled plans to pass these rebates directly to consumers in early March, The Hill reported.
In a press release, Department of Health and Human Services (HHS) Secretary Alex M. Azar II stated, “Today’s announcement by UnitedHealthcare is a prime example of the movement toward transparency and lower drug prices for millions of patients that the Trump Administration is championing. Empowering patients and providers with the information and control to put them in the driver’s seat is a key part of our strategy … to bring down the price of drugs and make healthcare more affordable.”
The Trump Administration also recently outlined their new “American Patients First” plan for reducing drug prices and out-of-pocket costs for patients.
Key elements of their proposed approach include:
Eliminating gaming of regulations, such as the Risk Evaluation and Mitigation Strategies (REMS) requirements manufacturers use to avoid sending samples to creators of generics;
Restricting rebates through Anti-Kickback Statute revisions; and,
Eliminating gag clauses or clawback fees.
However, pharma industry coverage of the plan is mixed. MarketWatch sees little to worry about, predicting, “[the plan] isn’t expected to hurt drug makers or pharmacy-system middlemen.” Meanwhile, Forbes claims, “[the plan] represents a sea of change in pharmaceutical pricing policy, one that will have a significant effect on drug prices in the future.”
Anatomic pathology groups, medical laboratories, and other diagnostics providers can view this as yet another example of healthcare providers trying to shore up financials and protect profits by protecting sensitive pricing information, as the industry faces increasing scrutiny. Nevertheless, regardless of the outcome, these latest trends emphasize the role that transparency is likely to play—and how clinical laboratories will be impacted—as healthcare reform progresses, both in terms of public relations and regulatory requirements.
In an informal Request for Information (RFI), the Center for Medicare and Medicaid Innovation (CMMI) sought feedback on a “new direction to promote patient-centered care and test market-driven reforms that empower beneficiaries as consumers, provide price transparency, increase choices and competition to drive quality, reduce costs, and improve outcomes.”
CMS to ‘Move Away’ from Engineering Healthcare ‘From Afar’
Comments from healthcare providers, clinicians, states, payers, and stakeholders were accepted through November 20, 2017.
In a Wall Street Journal (WSJ) op-ed, CMS Administrator Seema Verma explained the agency’s process moving forward. “We will move away from the assumption that Washington can engineer a more efficient healthcare system from afar—that we should specify the processes healthcare providers are required to follow,” she wrote.
CMS Administrator Seema Verma plans to lead the Center for Medicare and Medicaid Innovation “in a new direction” and may be signaling a willingness to give providers more flexibility with value-based care payment models for Medicare services.
The RFI states the new model design will follow six guiding principles:
1. Choice and competition in the market;
2. Provider choice and incentives;
3. Patient-centered care;
4. Benefit design and price transparency;
5. Transparent model design and evaluation; and,
6. Small scale testing.
Providers Need Freedom to Design New Approaches to Healthcare
Verma said CMS plans to review all Innovation Center models to determine “what is working and should continue, and what isn’t and shouldn’t.” She voiced concern that the complexity of some of the current models may have encouraged consolidation in the healthcare system, resulting in fewer choices for patients.
“We must shift away from a fee-for-service system that reimburses only on volume and move toward a system that holds providers accountable for outcomes and allows them to innovate,” Verma wrote in the WSJ op-ed. “Providers need the freedom to design and offer new approaches to delivering care. Our goal is to increase flexibility by providing more waivers from current requirements.”
Actual Progress of Value-based Healthcare ‘Herky-Jerky’
However, Neil Smiley, CEO of Loopback Analytics, which assists healthcare organizations with managing outcome-based care, believes the transition to value-based care may face stiffer headwinds under the new administration. He points to an August CMS proposal that canceled some mandatory bundled payment programs and scaled back others as an indication that healthcare transformation could be slowing.
“The pace at which CMS committed to rolling out value-based care is fundamentally different from the pace we’re currently seeing,” he told Health IT. “The progress toward value-based care, instead of this steady momentum they expected, is more of a herky-jerky fashion.”
The Health Care Transformation Task Force (HCTTF), a 42-member industry consortium, was among the stakeholders who responded to CMS’ RFI. In a 22-page letter, the task force reiterated its support for the healthcare system’s transformation to value-based payment and care delivery, while outlining areas for improvements. The group urged CMS to continue to develop new models while modifying, rather than abandoning, existing models that show promise and need time to achieve a lasting return.
“We would like CMS to continue support for promising models while balancing the current portfolio with new, innovative payment models,” Clare Wrobel, Director of Payment Reform Models at HCTTF, told Home Health Care News. “[But] it would be a mistake to discard current models that providers have already invested in and are showing real promise.”
Smiley, meanwhile, suggests clinical laboratory managers, pathologists, and other healthcare providers keep watch as healthcare transformation continues to evolve.
“The fee-for-service model, love it or hate it, is not dying. The organism has adapted,” he told Health IT. “For those that were aggressive early adopters of value-based care and really believed what they were hearing, and have gone fully after value-based care, some of them may feel a little exposed. If they go too hard too fast, they may suffer economically if they misjudge the pace at which this moves.”