Clinical laboratories need to understand how their patients’ protected health information is being used and secured by vendors to avert data breaches and HHS penalties
Most readers of The Dark Report, the sister publication to the Dark Daily, are aware that more than 24-million clinical laboratory patients had their protected health information (PHI) stolen during several recent data breaches involving multiple medical laboratory companies.
The first public statements made by clinical lab companies
about breaches of protected health information were issued in June.
Collectively, the following three lab companies announced that the data of more
than 20 million patients was compromised:
Until recently, any violation of HIPAA could draw down enormous fines—called Civil Money Penalties (CMPs)—by the US Department of Health and Human Services (HHS). Fines could reach $1.5 million annually across four categories, or tiers, of violations, depending on HHS’ determination as to the “level of culpability” of the violator. Those categories and min/max fines include:
No Knowledge, $100-$50,000 fine, $1.5 mil annual
Reasonable Cause, $1,000-$50,000 fine, $1.5 mil
In the notice, HHS stated, “the Department recognized that
section 13410(d) contained apparently inconsistent language (i.e., its
reference to two penalty tiers ‘for each violation,’ each of which provided a
penalty amount ‘for all such violations’ of an identical requirement or
prohibition in a calendar year). To resolve this inconsistency, with the
exception of violations due to willful neglect that are not timely corrected,
the [interim final rule] adopted a range of penalty amounts between the minimum
given in one tier and the maximum given in the second tier for each violation
and adopted the amount of $1.5 million as the limit for all violations of an
identical provision of the HIPAA rules in a calendar year.”
Modern Healthcare reports that “organizations that have taken measures to meet HIPAA’s requirements will face a much smaller maximum penalty than those who are found neglectful.”
Thus, the new HHS guidelines will be of interest to clinical
laboratories, which must ensure the privacy of patients’ PHI, including being
keenly aware of how vendor business associates are handling their patients’
Did HHS Go Too Far?
Some experts, however, wonder if HHS went too far in
reducing annual penalties providers may owe. Could lower annual CMP caps cause
organizations to relax strict PHI policies? Some privacy authorities urge
caution and raise concern about how incentives may be perceived by providers
“HHS is adopting a much lower annual cap for all violations except those due to willful neglect, which means significantly lower penalties for large breaches and for ongoing persistent violations of the rules,” Deven McGraw, Chief Regulatory Officer at Citizen Corporation and former Deputy Director Health Information Privacy for HHS’ Office for Civil Rights, told FierceHealthcare.
“Arguably,” she continued, “the incentive to fix these
persistent failures is much less because the potential fines for failing to do
so will not be very large. Same is true for large breaches—if you breach 10
records, at a minimum penalty of $1,000 for a breach due to reasonable cause,
your fine would be $100,000, which is the annual cap.”
New Annual Limits Recognize ‘Unintentional’ Violations
But not all experts agree. Prior to HHS’ announcement,
minimum to maximum penalty violations were the same as noted in the tiers
above. The annual limits ($1.5 million), however, were the same for each of the
Matthew Fisher, Partner at Mirick O’Connell and Chair of the Worcester, Mass. firm’s health law group, says the new penalty structure “is arguably good in terms of aligning potential penalties with the level of culpability.”
“If a violation was clearly unintentional and without
knowledge, why should a potentially massive fine follow? While the discretion
existed, the interpretation will now be binding and remove the potential
uncertainty,” he told FierceHealthcare.
Advice for Clinical Laboratories
Labs are advised to develop appropriate procedures to
safeguard their patients’ PHI under federal and state laws. And this includes
knowing how vendors handle PHI.
“Every lab should be proactive and do a review to understand
each vendor’s policies, procedures, training, and response in the event of a
Giszczak, Data Privacy and Cybersecurity Attorney and Chair of the
Litigation Department at McDonald
Hopkins in Bloomfield Hills, Mich., told The
Dark Report (TDR).
“By being prepared, clinical laboratories can save
themselves many headaches,” he said. “Ultimately, these proactive steps may
help laboratories save time, money, and costly bad publicity.”
Following that advice, along with understanding the new HHS notice,
will help medical laboratory managers ensure the privacy and security of their
Tougher payer audits, higher recovery demands, and enforcement policies that increase the personal liability of CLIA lab directors and lab executives, are reasons why attorney David W. Gee, JD, a Partner at Davis Wright Tremaine LLP in Seattle, argues that laboratories need to step up their focus on compliance and due diligence. He notes laboratories must guard against “death by 1,000 knives” in this new landscape.
Insufficient Focus on Compliance Brings Consequences to Clinical Laboratories and Their Management
“There are more and more people and agencies whose focus it is to regulate and watch the dollars and make sure there is integrity in the system,” noted Gee in an interview with Dark Daily. “That includes not only the formerly regular players—the OIG [Office of Inspector General, US Department of Health and Human Services] and DOJ [Department of Justice]—but you’ve got an increasing number of states with their own False Claims Acts. You’ve got state agencies looking at opportunities to clean up the system and to tag along with other investigations going on, as well as commercial payers who have become more active in pursuing litigation and other measures against practices they allege to be fraudulent.”
Faced with these emerging trends, Gee stresses that labs must:
1. Recognize the increased personal liability facing lab directors, owners, and management, and take steps to mitigate risk of enforcement actions that not only expose executives to potential penalties but also jeopardize the financial health of lab organizations.
2. Understand the importance of meaningful and sustained investment in compliance (including providing compliance officers with the resources to manage an increasingly complex job) and leverage OIG guidance to assess gaps and risks in compliance programs.
3. Be aware of risks inherent in third-party marketing agreements, which can result in short-term spikes in order volume, but which also could reduce “lines of sight” to clients, making it even more difficult to adhere to compliance standards.
Gee believes the emphasis labs place on cost control and “running lean” often results in a lack of attention being paid to compliance. He argues today’s competitive environment increases the need for laboratory directors to ensure proper business practices are followed and “compliance fundamentals are not overlooked in the haste to compete for the business of referral sources.”
Healthcare attorney and Partner, David W. Gee, JD, of Davis Wright Tremaine, LLP, in Seattle will be one of three featured speakers during a new Dark Daily webinar on the Medicare Part B price cuts, and the critical legal and compliance issues clinical laboratories and pathology groups face starting in 2018. (Photo copyright: Davis Wright Tremaine, LLP.)
CLIA-Lab Directors to Be Held Personally Liable for Compliance Failures
Because federal regulators are considering holding CLIA-lab directors personally liable for compliance failures, Gee suggests laboratory executives should be motivated to put effective compliance programs in place.
“The best reason I can give for insisting as a lab director that the company actually has a successful and effective compliance program is that these days they stand to lose,” he argues. “The ability to prove you are not complicit—and that you are not the driver of things that have gone wrong—comes down to having an effective and well-documented compliance program so you are on record. And so there’s evidence that, as an engaged lab leader, you tried to do the right thing.”
Educational Opportunities for Lab Leaders
To help medical laboratory and pathology group leaders prepare for the perils they face, and take proactive steps to navigate the tough lab regulations and legal issues that lay ahead, click here to register for Dark Daily’s upcoming webinar “Tougher Lab Regulations and New Legal Issues in 2018: More Frequent Payer Audits, Problems with Contract Sales Reps, Increased Liability for CLIA Lab Directors, Proficiency Testing Violations, and More,” (or place this link into your browser: https://ddaily.wpengine.com/product/tougher-lab-regulations-and-new-legal-issues-in-2018-more-frequent-payer-audits-problems-with-contract-sales-reps-increased-liability-for-clia-lab-directors-proficiency-testing-violations-and).
These three attorneys are among the nation’s foremost experts in issues unique to clinical laboratories, pathology groups, hospital labs, toxicology/pharmacogenomics labs, and molecular/genetic testing labs. Following our speakers’ presentations, there will be a question and answer period, during which you can submit your own specific questions to our experts.
You can’t afford to miss this opportunity. Click here to get up to speed on the most serious regulatory, compliance, and managed care contracting issues confronting all labs today. This webinar will provide solutions to the perils facing labs now and in 2018 by helping you map a proactive and effective course of action for your clinical lab or pathology group.
Medical labs must comply with PAMA lab test price market reporting in 2017, while pathologists will see big changes in Medicare physician payments because of MIPS
It is now budget-planning season for the medical laboratories of hospital and health systems. This fall, lab administrators report grim news as they try to anticipate all the changes coming to the clinical laboratory industry in 2017—just 11 weeks away.
There is a growing consensus among lab executives and pathologists who are the business leaders of their groups that labs will not see any relief in 2017 to the multi-year decline in lab test prices that actually intensified in the past 24 months.
Three types of clinical lab companies seem to be the highest-profile targets for these intense payer audits. Reports identify lab companies offering toxicology and pain management testing as undergoing rigorous audits. Medical lab companies with proprietary molecular diagnostic assays and genetic tests are known to have been audited in this manner. Some anatomic pathology groups are believed to have also experienced such audits. (more…)
A growing number of media stories claim medical lab companies that develop genetic screening assays oversell the accuracy of such tests and fail to educate parents and doctors about the risks of false positives and false negatives
In response to growing concerns by consumers about the accuracy of some proprietary genetic screening assays, several media outlets have begun reporting on this sector of the clinical laboratory industry.
What gives these news stories emotional punch is the fact that patients use these proprietary medical laboratory tests to make decisions that can be life-changing. In its story about these tests, the Boston Sunday Globe used the headline “Oversold prenatal tests spur some to choose abortions.” (more…)