News, Analysis, Trends, Management Innovations for
Clinical Laboratories and Pathology Groups

Hosted by Robert Michel


HHS Announces Culpability Limits for HIPAA Violations, Drops Annual Fines Owed by Providers

Clinical laboratories need to understand how their patients’ protected health information is being used and secured by vendors to avert data breaches and HHS penalties

Most readers of The Dark Report, the sister publication to the Dark Daily, are aware that more than 24 million clinical laboratory patients had their protected health information (PHI) stolen during several recent data breaches involving multiple medical laboratory companies.

The first public statements made by clinical lab companies about breaches of protected health information were issued in June. Collectively, the following three lab companies announced that the data of more than 20 million patients was compromised:

In the eight weeks that followed, additional medical laboratory companies publicly disclosed breaches of their patient data, including:

What all these clinical lab companies had in common was that they had contracted with American Medical Collection Agency (AMCA) to process lab test claims. AMCA is where the data breaches originated.

Under the rules established by the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996, responsibility for the security of patient PHI falls to covered entities and business associates. This includes healthcare providers, health plans, and healthcare clearinghouses, such as AMCA. For clinical laboratories, this also includes vendors who receive patients’ PHI to complete their service contracts.

Until recently, any violation of HIPAA could draw enormous fines, called Civil Money Penalties (CMPs), from the US Department of Health and Human Services (HHS). Fines could reach $1.5 million annually across four categories, or tiers, of violations, depending on HHS’ determination as to the “level of culpability” of the violator. Those categories and their minimum/maximum fines were:

  • No Knowledge, $100-$50,000 fine, $1.5 million annual limit.
  • Reasonable Cause, $1,000-$50,000 fine, $1.5 million annual limit.
  • Willful Neglect-Corrected, $10,000-$50,000 fine, $1.5 million annual limit.
  • Willful Neglect-Not Corrected, $50,000-$50,000 fine, $1.5 million annual limit.

Earlier this year, HHS released a “Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties.” In it, HHS revised its interpretation of the law and reduced CMPs, while more clearly defining how provider culpability ties to the ultimate amount of the fines:

  • No Knowledge, $100-$50,000 fine, $25,000 annual limit.
  • Reasonable Cause, $1,000-$50,000 fine, $100,000 annual limit.
  • Willful Neglect-Corrected, $10,000-$50,000 fine, $250,000 annual limit.
  • Willful Neglect-Not Corrected, $50,000-$50,000 fine, $1.5 million annual limit.

In the notice, HHS stated, “the Department recognized that section 13410(d) contained apparently inconsistent language (i.e., its reference to two penalty tiers ‘for each violation,’ each of which provided a penalty amount ‘for all such violations’ of an identical requirement or prohibition in a calendar year). To resolve this inconsistency, with the exception of violations due to willful neglect that are not timely corrected, the [interim final rule] adopted a range of penalty amounts between the minimum given in one tier and the maximum given in the second tier for each violation and adopted the amount of $1.5 million as the limit for all violations of an identical provision of the HIPAA rules in a calendar year.”

Modern Healthcare reports that “organizations that have taken measures to meet HIPAA’s requirements will face a much smaller maximum penalty than those who are found neglectful.”

Thus, the new HHS guidelines will be of interest to clinical laboratories, which must ensure the privacy of patients’ PHI, including being keenly aware of how vendor business associates are handling their patients’ data.

In an exclusive interview with The Dark Report, James Giszczak, Data Privacy and Cybersecurity Attorney and Chair of the Litigation Department at McDonald Hopkins, said two important steps clinical laboratories must take include, “ensuring that your vendor has appropriate insurance policies in place that cover PHI breaches, and confirming that vendors comply with laws governing the protection of patients’ information.” To do that, he says, every lab needs to ensure that all critical provisions are covered in each contract it has with each vendor. (Photo copyright: Institute of Continuing Legal Education.)

Did HHS Go Too Far?

Some experts, however, wonder if HHS went too far in reducing annual penalties providers may owe. Could lower annual CMP caps cause organizations to relax strict PHI policies? Some privacy authorities urge caution and raise concern about how incentives may be perceived by providers and others.

“HHS is adopting a much lower annual cap for all violations except those due to willful neglect, which means significantly lower penalties for large breaches and for ongoing persistent violations of the rules,” Deven McGraw, Chief Regulatory Officer at Citizen Corporation and former Deputy Director Health Information Privacy for HHS’ Office for Civil Rights, told FierceHealthcare.

“Arguably,” she continued, “the incentive to fix these persistent failures is much less because the potential fines for failing to do so will not be very large. Same is true for large breaches—if you breach 10 records, at a minimum penalty of $1,000 for a breach due to reasonable cause, your fine would be $100,000, which is the annual cap.”

New Annual Limits Recognize ‘Unintentional’ Violations

But not all experts agree. Prior to HHS’ announcement, the minimum and maximum per-violation penalties were the same as those shown in the tiers above. The annual limit ($1.5 million), however, was the same for each of the four tiers.

Matthew Fisher, Partner at Mirick O’Connell and Chair of the Worcester, Mass. firm’s health law group, says the new penalty structure “is arguably good in terms of aligning potential penalties with the level of culpability.”

“If a violation was clearly unintentional and without knowledge, why should a potentially massive fine follow? While the discretion existed, the interpretation will now be binding and remove the potential uncertainty,” he told FierceHealthcare.

Advice for Clinical Laboratories

Labs are advised to develop appropriate procedures to safeguard their patients’ PHI under federal and state laws. This includes knowing how vendors handle PHI.

“Every lab should be proactive and do a review to understand each vendor’s policies, procedures, training, and response in the event of a breach,” James Giszczak, Data Privacy and Cybersecurity Attorney and Chair of the Litigation Department at McDonald Hopkins in Bloomfield Hills, Mich., told The Dark Report (TDR).

“By being prepared, clinical laboratories can save themselves many headaches,” he said. “Ultimately, these proactive steps may help laboratories save time, money, and costly bad publicity.”

Following that advice, along with understanding the new HHS notice, will help medical laboratory managers ensure the privacy and security of their clients’ PHI.

—Donna Marie Pocius

Related Information:

HHS Implements HIPAA Fine Caps Based on Level of Culpability

Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties

HHS Moves to Reduce HIPAA Fines Lowering the Cap More Than $M for Some Violations

HHS to Cap HIPAA Fines Based on “Culpability”

Labs Should Heed Lessons from Huge Data Breach

Late-Breaking Lab News: Add Eight More Laboratories to the List of Lab Companies Whose Patient Data Were Breached

Six Health IT Companies Join Forces to Develop Interoperable EHR Systems to Better Compete Against Epic’s EHR Product

CommonWell is the name of the new organization formed to create the interoperability that would enable universal access to each patient’s health care records

It was big news in the healthcare IT world when six major healthcare IT companies joined together on March 4 and announced a collaboration intended to develop electronic health record (EHR) systems that are interoperable. That is a goal that can come none too soon for clinical laboratories and anatomic pathology groups.

The collaboration will take the form of an independent nonprofit organization to be called CommonWell Health Alliance. The six companies contributing to the formation of CommonWell are:


How Clinical Pathology Laboratories Are Preparing to Support EMR Adoption by Office-Based Physicians

Some U.S. laboratories already ramping up their LIS resources to meet demand for LIS-to-EMR interfaces

Clinical laboratory managers and pathology groups need to prepare for what is expected to be a tsunami of requests by physicians who want their newly implemented electronic medical record (EMR) systems to be interfaced with their laboratory’s LIS. This approaching tsunami is a consequence of the billions in federal incentive payments designed to encourage doctors to adopt EMRs.

It means lab managers and pathologists must actively prepare their medical laboratory to step up and support the “meaningful use” needs of client physicians. As mandated by the HITECH Act, healthcare providers are required to engage in “meaningful” patient health information (PHI) exchanges. Because more than 400,000 physicians will implement electronic medical records (EMR) in the next 60 months, labs should not delay in establishing a strategy.


$17 Billion in HITECH Act Funding Encourages Doctors to Adopt EMRs; Integration with the Clinical Laboratory LIS is Crucial

Surge of requests for LIS-to-EMR interfaces will soon hit clinical pathology laboratories

EMR adoption by office-based physicians is about to seriously challenge the capability of the nation’s clinical pathology laboratories to quickly build interfaces with the electronic medical record (EMR) systems of their client doctors. That’s the prediction of one of the nation’s foremost experts on how to connect clinical pathology laboratories with physician EMRs.

“Today, only one of four physicians uses electronic medical records. To encourage more physicians to adopt medical record systems over the next five years, the ARRA stimulus package is offering major financial incentives,” observed Pat Wolfram, Vice President of Marketing and Customer Service at Ignis Systems Corporation in Portland, Oregon. “In fact, if the federal government achieves its goals as set forth in the current stimulus package, we can expect more than 300,000 physicians to adopt EMRs over the next five years!”


HITECH Law Requires Privacy Breach Responses by Clinical Labs and Pathology Groups

“Securing” Protected Health Information (“PHI”) allows medical laboratories to avoid HITECH breach notification requirements

As of February 22, 2010, clinical laboratories, pathology groups, and other health providers have new breach notification requirements relating to protected health information (PHI). This is mandated in the legislation known as the HITECH ACT.

Dark Daily reported extensively on the breach notification requirements imposed by the HITECH ACT. Under the breach notification requirements, a covered entity, such as a clinical laboratory or pathology group, is obligated to notify patients and the Department of Health & Human Services (HHS) of the breach. In some cases, the entity must also notify the media.
