Lapses in security measure testing can give healthcare employees a false sense of protection against data breaches, says cybersecurity expert
Cyberattacks on our nation’s hospitals, clinical laboratories, other healthcare organizations, and health plans, continue to plague the healthcare industry. As of July 7, 2023, 324 data breaches have occurred and are currently under investigation, according to the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) data breach portal.
This has affected more than 39 million people, HealthITSecurity reported.
Below is a list of the data breaches this year that affected the most people.
“The way that computer network environments work today, users are acknowledged as the weakest link and offer the most potential for access to a hacker,” Ben Denkers (above), former Chief Innovation Officer at CynergisTek, told Dark Daily’s sister publication The Dark Report. He added that data breaches at clinical laboratories can start with “missteps” by lab employees who have a false sense of protection caused by lapses in testing a lab’s security measures. CynergisTek merged with Clearwater in 2022. (Photo copyright: CynergisTek.)
Top Data Breaches in First Six Months of 2023
Here are healthcare’s top 10 data breaches for the first half of 2023, listed by organizations with the most people affected, according to HHS:
Enzo Clinical Labs, clinical reference laboratory, Farmingdale, New York, 2.4 million individuals affected.
ZOLL Services, medical equipment, Pittsburgh, Pennsylvania, 997,097 individuals affected.
Community Health Systems, healthcare provider with 15,000 licensed beds at 89 acute care hospitals in 16 states, Brentwood, Tennessee, 962,884 individuals affected.
CentraState Healthcare System, healthcare provider with a 284-bed acute care medical center, an ambulatory campus, and an urgent care clinic, Freehold, New Jersey, 617,901 individuals affected.
Clinical Laboratory Brings in Cybersecurity Experts
Following a ransomware incident in April on its computer network, Enzo Clinical Labs in Farmingdale, New York, “immediately took steps to secure our systems and began an investigation with the assistance of a cybersecurity firm,” the lab’s Notice of Data Security Incident explains.
“The investigation determined an unauthorized party accessed files on our systems,” the notice continues. “The files contained patient names, dates of service, clinical test information, and, in some instances, Social Security numbers.”
Enzo “has incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter,” according to the lab’s Securities and Exchange Commission (SEC) filing.
Multiple Large Health Systems Suffer Data Breaches
At Community Health Systems (CHS) it was a security incident at Fortra, a cybersecurity firm engaged by CHS, that resulted in “unauthorized disclosure of patient information,” according to CHS’s Notice of Third Party Security Incident.
The extent of data theft from the breach of Fortra’s GoAnywhere MFT secure managed file transfer software was not immediately clear, HIPAA Journal reported.
“The personal information may have included full name, address, medical billing and insurance information, certain medical information such as diagnoses and medication, and demographic information such as date of birth and Social Security number,” the CHS notice explained.
At CentraState Healthcare System, “an unauthorized person obtained a copy of an archived database that stored certain patient information,” the healthcare provider’s Notice of Security Incident states.
“There was no financial account and/or payment card information involved in this incident,” CentraState noted.
Financial Impact of Data Breaches
One of the effects on healthcare providers is costly settlement of lawsuits following data breaches that allege failure to secure patients’ PHI. For example, according to Becker’s Health IT:
UMass Memorial Medical Center in Worcester, Massachusetts, paid $1.2 million “to settle a March 2022 lawsuit regarding a data breach of its payroll management system Kronos.”
Advent Health in Altamonte Springs, Florida, paid $500,000 “to settle a data breach lawsuit alleging that the health system failed to protect patients’ confidential information after a September 2021 data breach.”
CommonSpirit Health in Chicago spent $150 million recovering from a ransomware attack in October 2022 that also sparked lawsuits over stolen PHI.
Tips for Clinical Laboratories on Securing Patient Data
In “Labs Must Audit Their Cybersecurity Measures,” Ben Denkers, former Chief Innovation Officer at CynergisTek, an Austin-based cybersecurity company which has since merged with healthcare cybersecurity and compliance company Clearwater, told Dark Daily’s sister publication The Dark Report, “The way that computer network environments work today, users are acknowledged as the weakest link and offer the most potential for access to a hacker.”
Denkers advises that while training employees is important for cybersecurity because it aims at changing human behavior, laboratories and other healthcare organizations also need to audit the technological measures they have in place to protect data.
“What we find is that organizations have security technology or processes in place that are either not effective or not working as designed,” he said, adding that when data breaches do occur “it’s a complete blindside for a lot of organizations that think they have protections in place because they bought a product, or they developed a policy.
“Testing, validating, and auditing whether measures are working as designed is a change of mentality for a lot of organizations. I would recommend taking those steps,” he added.
Clinical laboratories hold vast amounts of patient data and cannot afford disruptions to testing and results reporting. Vigilance can help labs avoid catastrophic cyberattacks, secure their patients’ protected health information from being stolen, and prevent the subsequent lawsuits that ensue following a data breach.
US Department of Justice sends a strong message that it will continue to root out fraud involving clinical laboratory owners and operators
Arkansas clinical laboratory owner/operator Billy Joe Taylor has been sentenced to 15 years in federal prison and ordered to pay nearly $30 million in restitution, according to a June 8 press release from the US Attorney’s Office for the Western District of Arkansas.
Taylor pleaded guilty in October of 2022 to conspiracy to commit fraud and money laundering. He and his accomplices submitted $134 million in false or fraudulent claims to Medicare before and during the COVID-19 pandemic.
The claims came from five laboratory companies owned and operated by Taylor and his co-conspirators. All claims centered around respiratory illness tests or urine drug tests that were either not medically necessary or not ordered by medical providers, the DOJ’s press release states.
Taylor’s 15-year sentence in federal prison and huge restitution reinforces the fact that the federal Department of Justice (DOJ) will indict—and convict—owners and managers of clinical laboratory companies accused of healthcare fraud.
Billy Joe Taylor, owner/operator of five clinical laboratories in four states, was sentenced in June to 15 years in prison and ordered to repay nearly $30 million in fraudulent test claims made to Medicare prior to and during the COVID-19 pandemic. This conviction is part of an ongoing campaign against healthcare fraud being conducted by the US Department of Justice. (Photo copyright: Arkansas Democrat-Gazette.)
Details of Taylor Fraud Case
Taylor allegedly obtained private personal and medical data from Medicare beneficiaries and then used that information to submit and resubmit claims to Medicare for diagnostic tests. More than $38 million was received from Medicare on those fraudulent claims, the DOJ noted.
In 2021, Taylor claimed innocence and told Arkansas Business that the accusations were “sensationalism-type claims from the government that were completely erroneous and false.”
As a young man, Taylor planned to go into the clinical laboratory field when he was still in high school. He got started by volunteering at his hometown hospital in Stigler, Oklahoma, the Free Library reported. Eventually hired by the hospital to draw blood, run tests, and keep quality control and inspection data, Taylor later moved to other hospitals before partnering in 2009 to start Advanced Laboratory Services (ALS) of Oklahoma City, Oklahoma.
A pulmonary embolism and stroke forced Taylor to sell his share in ALS, and not long after returning as a consultant, his business partner sold the lab company. Taylor joined two people from a Tulsa laboratory to start a new company, acquiring Medtest Laboratories LLC of Hurricane, West Virginia, and Vitas laboratory LLC in 2017. He hoped to compete with national laboratories, earning up to $2 million per month, the Free Library reported.
Other Clinical Laboratory Testing Fraud Schemes
The DOJ’s aggressive efforts to crack down on healthcare fraud over the past years have produced multiple court cases against clinical laboratory owners, managers, and the doctors who conspire with them. Dark Daily has covered such fraud cases in numerous ebriefings over the years.
In 2021, the DOJ’s Healthcare Fraud Unit brought “criminal charges against 14 defendants, including 11 newly-charged defendants and three who were charged in superseding indictments, in seven federal districts across the United States for their alleged participation in various healthcare fraud schemes that exploited the COVID-19 pandemic and resulted in over $143 million in false billings,” a DOJ press release announced.
In a statement to the press, Deputy Attorney General Lisa O. Monaco said, “The multiple healthcare fraud schemes charged today describe theft from American taxpayers through the exploitation of the national emergency … These medical professionals, corporate executives, and others allegedly took advantage of the COVID-19 pandemic to line their own pockets instead of providing needed healthcare services during this unprecedented time in our country.
“We are committed to protecting the American people and the critical healthcare benefits programs created to assist them during this national emergency, and we are determined to hold those who exploit such programs accountable to the fullest extent of the law,” she added.
Monaco’s statement emphasizes the DOJ’s expanding focus on healthcare fraud. The DOJ formed the Health Care Fraud Strike Force in 2007 to handle cases like Taylor’s. The program is composed of 15 teams operating out of 25 federal districts. During the 15 plus years the Strike Force has been active, the DOJ has charged more than 5,000 defendants who collectively billed over $24 billion to both private insurers and federal healthcare programs.
Therefore, it behooves clinical laboratory managers to ensure all lab operations are well-within the bounds of legality. The DOJ is taking its hunt for healthcare fraudsters quite seriously.
Cybersecurity experts recommend clinical laboratories have in place a plan for performing tests and distributing results prior to a cyberattack
Hospitals of all sizes continue to be prime targets for sophisticated cyberattacks, where hackers remotely disable a healthcare network’s computer systems—including its laboratory information system—and extort ransomware payments. Similar attacks are happening to clinical laboratories and other providers, although not with the same frequency.
Recently, hospitals in Illinois, Idaho, Vermont, Indiana, and other states had their ability to treat patients severely reduced and, in some cases, completely shut down by cybercriminals, endangering lives and costing millions of dollars in damages.
Today’s hospitals rely on information technology (IT) for patient care workflow, internal/external communication, billing, and medical laboratory testing. It’s this reliance on computer/internet technology combined with the vast quantities of protected health information (PHI), that makes hospitals such ripe targets for attack.
In June, a US cancer center had to take its digital services offline which “significantly reduced patient treatment capability” following a ransomware attack by a group of hackers known as the TimisoaraHackerTeam (THT), MedCity News reported.
“Patients don’t stop getting sick just because a hospital is hit by a ransomware attack,” Christian Dameff, MD, emergency physician at UC San Diego Health and lead author of a study that looked into how cyberattacks affect other hospitals in the area, told ABC News. “They have to go somewhere. So, what this research shows is that those patients go to neighboring hospitals that can be overwhelmed.” Clinical laboratories can also become overwhelmed with test orders when nearby hospitals lose their ability to distribute the results of critical lab tests. (Photo copyright: UC San Diego Health.)
“The attack halted the hospital’s ability to submit claims to insurers, Medicare or Medicaid for months, sending it into a financial spiral,” Linda Burt, RN, Vice President of Quality and Community Services at St. Margaret’s, told NBC News. “We were down a minimum of 14 weeks. And then you’re trying to recover. Nothing went out. No claims. Nothing got entered. So, it took months and months and months.”
Meabwhile, 88-bed Idaho Falls Community Hospital experienced a cyberattack in May that required it to divert ambulances to other hospitals for 24 hours, CNN reported. The provider’s sister healthcare facility, MountainView Hospital in Las Vegas, which shares the same computer system, was also affected.
The Idaho Falls attack “forced nurses and doctors … to use pen and paper rather than computers for patient charts,” a hospital spokesperson told CNN.
At the University of Vermont Medical Center (UVM), Burlington, Vermont, a ransomware attack affected healthcare services for 28 days, costing the provider $50 million to recover, and preventing healthcare workers from accessing critical treatment plans for cancer patients, ABC News reported.
UVM’s President and Chief Operating Officer, Stephen Leffler, MD, an emergency medicine physician, told ABC News that the 2020 cyberattack significantly disrupted clinical laboratory operations at UVM.
“When the laboratory had a critical lab result on someone, they couldn’t put it in the electronic medical record,” he explained. “They couldn’t call the floor. And so, we literally had our administrators start going in the lab, standing there and running a paper result to the floors.
“Everything that we do and rely on was down,” he added. “We actually sent some staff to Best Buy to buy Walkie Talkies!
“It can happen to you—even when you think it’s impossible,” Leffler warned.
And at Johnson Memorial Health, Franklin, Indiana, clinical laboratory tests took two hours to perform instead of 30 minutes, NPR said in its report on cyberattacks affecting Indiana providers. The lab had to use “runners” to share handwritten test results with caregivers and patients, NPR explained.
“You ask many CEOs across the country, ‘What keeps you up at night?’ Of course, they talk about workforce, financial pressures, and they say, ‘the possibility of a cyberattack,” John Riggi, National Advisor for Cybersecurity and Risk at the American Hospital Association (AHA), told NPR.
Cyberattacks Affect Surrounding Hospitals
To make matters worse, cyberattacks have a “blast radius” that impacts the healthcare community around an attacked provider, Christian Dameff, MD, Assistant Professor, Emergency Medical Services, University of California, San Diego, told ABC News. Dameff was lead author in a study that looked at how healthcare providers nearby to an attacked provider are affected.
“Hospitals adjacent to healthcare delivery organizations affected by ransomware attacks may see increases in patient census and may experience resource constraints affecting time-sensitive care for conditions such as acute stroke,” Dameff and co-authors wrote in a JAMA Open Network article titled, “Ransomware Attack Associated with Disruptions at Adjacent Emergency Departments in the US.”
“Healthcare cyberattacks such as ransomware are associated with greater disruptions to regional hospitals and should be treated as disasters,” they wrote.
Vigilance Is Required as Cyberattacks Increase
Ransomware attacks on hospitals climbed from 43 to 91 annually during the years 2016 to 2021, a separate study in JAMA Health Forum reported, adding that large organizations with multiple facilities were increasingly targeted.
The US experienced a 57% increase in cyberattacks in 2022 compared to 2021, according to a Check Point Research (CPR) report. Healthcare ranked second on the list of attacked industries due, according to Check Point, to the quantity and availability of personal and sensitive information, such as social security numbers and medical data.
“We expect the increase in cyber activity to only increase. With AI [artificial intelligence] technologies such as ChatGPT readily available, it is possible for hackers to generate malicious code and emails at a faster, more automated pace,” the CPR report noted.
For its part, the AHA said in a statement it plans to:
Work with federal agencies to mitigate cyber threats.
Advocate for increased government cybersecurity assistance.
Hospital clinical laboratory leaders need to be vigilant and work with colleagues to prevent cyberattacks. Check Point’s report advises, for example, avoiding malicious links and unexpected electronic attachments as well as verifying software is legitimate before downloading it. These are standard warnings, but they only work if staff members actually heed these actions.
Also important for diagnostics professionals is having a plan for performing clinical laboratory and anatomic pathology tests and distributing the results in the event of an attack.
CDC’s findings are a setback for the national effort to encourage hospitals and their clinical laboratories to reduce the number of nosocomial infections and practice better antimicrobial stewardship
Nosocomial infections—also known as hospital-acquired infections—increased during the COVID-19 pandemic. That’s according to a Centers for Disease Control and Prevention (CDC) report that showed increases in several HAIs, including a 14% jump in Methicillin-resistant Staphylococcus aureus (MRSA) from 2020 to 2021.
Clinical laboratory testing is part of a concerted effort in the US to reduce HAIs in acute care hospitals. Additionally, diagnostic testing is vital to antimicrobial stewardship, which is designed to help physicians prescribe to patients only those antibiotics that are appropriate and reduce the chance for antimicrobial resistance (AMR).
So, it’s disturbing to see a setback in both HAIs and antimicrobial stewardship in the wake of the COVID-19 pandemic. Burda called the CDC’s findings a “regression” that “gives new meaning to the term long COVID.”
“I think, without any proof, doctors, nurses, medical technicians, and other clinicians who provide direct patient care regressed in terms of infection control best practices,” wrote healthcare journalist David Burda in his column for 4Sight Health. Clinical laboratories that processed COVID-19 tests during the pandemic can attest to the burnout. (Photo copyright: 4Sight Health.)
CDC Report Reveals Increase in Hospital Acquired Infections
The CDC used standardized infection ratios (SIRs) in its report to detail changes in nosocomial infections. CDC calculates SIRs by dividing the number of observed infections by the number of predicted infections.
“In 2021, the nation and the world continued to experience unprecedented challenges due to the COVID-19 pandemic, which impacted surveillance for and incidence of HAIs,” the CDC explained in its report.
“Compared to pre-pandemic years, hospitals across the nation experienced higher than usual hospitalizations and shortages in healthcare personnel and equipment, which may have resulted in deterioration in multiple patient safety metrics since the beginning of the pandemic,” the CDC added.
In his 4Sight Health article, Burda noted that physicians and other care providers may have “regressed” in their infection control practices due to severe pressures during the COVID-19 pandemic. “I also think the traveling nurse and temporary staff situation had something to do with it. Who has time to learn or follow the infection control policies and protocols at every hospital when you’re moving from one hospital to the next every few weeks?” he added.
The CDC explored HAIs in acute care hospitals, critical access hospitals, inpatient rehabilitation facilities, and long-term acute care hospitals. According to the federal agency’s report, at acute care hospitals, increases in nosocomial infections from 2020 to 2021 include the following:
27 states performed better on at least two types of infection.
30 states performed worse on at least two infection types.
In response to the CDC’s report, the American Hospital Association (AHA) wrote, “In acute care hospitals, the increases seen in some HAIs in 2021 contrast with the success in reducing these infections prior to the pandemic. Despite the challenges of the COVID-19 pandemic, acute care hospitals performed significantly better than the 2015 national baseline in preventing CLABSI, CAUTI, SSIs following colon surgeries, and C. difficile infections.”
The AHA recommended that hospitals “continue to reinforce prevention practices and review HAI surveillance data to identify areas for improvement.”
Dangers of Antimicrobial Resistance
According to CDC data, in the US there are 2.8 million antimicrobial infections each year, and more than 35,000 people die as a result. Dark Daily has reported extensively on the growing danger of antibiotic resistance and outlined the importance of clinical laboratory involvement in hospital antimicrobial stewardship programs.
In “During Pandemic, Clinical Laboratories Should Be Alert for Drug Resistant Infections That Pose High Risk to COVID-19 Patients,” we covered a study conducted at the University of Minnesota which highlighted the continuing need for microbiologists and clinical laboratories to stay alert for COVID-19 patients with drug-resistant infections following a CDC report on 941 confirmed and probable Candida auris cases that had been reported in 13 states, with an additional 1,830 patients that had been found to be colonized with the multidrug-resistant fungus.
The Joint Commission’s expansion of antibiotic stewardship standards, which went into effect on January 1, 2023, could help hospitals reduce nosocomial infections and fight antimicrobial resistance.
Pew conducted research related to the requirements and found “significant room for improvement in adoption and implementation of stewardship practices” in acute care hospitals, Hyun wrote.
Allocate financial resources for staffing and IT to support the antimicrobial stewardship program.
Implement evidence-based guidelines to improve antibiotic use for infections such as urinary tract c. diff. community-acquired pneumonia.
Evaluate the program using evidenced-based criteria.
“New antibiotic stewardship standards should help limit the emergence and spread of new drug-resistant superbugs,” Hyun noted.
Clinical Laboratories Need to Deepen Involvement
By testing patients and quickly reporting results to physicians, hospital-based and independent medical laboratories play an important role in appropriate antibiotic use and elimination of HAIs.
Heightened involvement by microbiologists and other medical laboratory professionals is key to success in light of recent setbacks in elimination of HAIs and antimicrobial resistance due to the SARS-CoV-2 outbreak.
As demand for genetic tests increases, so does the call for clinical laboratories to process and analyze the data, and work with ordering physicians to explain test results to patients
According to a 23andMe press release announcing the results of two national surveys, “most people and doctors agree that genetic testing offers promise for more personalized healthcare.” This is positive for clinical laboratories that provide genetic testing. These two surveys indicate a growing understanding among physicians and healthcare consumers of genetic testing’s value to effective precision medicine.
The surveys were conducted by Medscape, an online resource of medical information owned by WebMD, and Material, an international firm that partners with companies to provide strategy, insights, design, and technology, according to its website. Direct-to-consumer (DTC) genetic testing company 23andMe commissioned the surveys.
The researchers found that 75% of patients in the US said, “they’d be more likely to follow a doctor’s advice if they knew their genetic profile was used to personalize their care.”
The survey also revealed that:
92% of doctors in the US say genetics is an important part of a patient’s complete health picture.
66% of doctors say genetic testing could help lead to better outcomes for patients.
“I am excited about a future where genetic information becomes the foundation of personalized health,” said Anne Wojcicki, 23andMe co-founder and CEO, in a press release. “And that future may help alleviate some issues already affecting the population.” Recent surveys commissioned by 23andMe that indicate both physicians and patients are becoming more accepting of genetic tests are good news for clinical laboratories that perform genetic testing. (Photo copyright: TechCrunch/Wikimedia Commons.)
Filling a Need for Personalized Healthcare
Elective genetic testing is not only becoming more popular with doctors and patients, it may also fill a key precision medicine need in the population. According to the researchers, “more than half of people surveyed (55%) said they don’t feel healthy today, and 63% said they don’t feel in control of their health. And while most people surveyed (62%) said they wanted advice from their doctors that was tailored to them personally, few, only about 36%, said that’s what they were getting,” the press release noted.
Clearly, demand for a pathway to more personalized healthcare exists in the market. Thus, companies that offer elective genetic testing are looking to fill that need.
Genetic testing kits from companies such as 23andMe and Ancestry have become increasingly popular over the past few years. People often turn to these DTC companies to learn about their heritage, but they also allow healthcare consumers to take part in elective genetic testing without needing a referral from a doctor.
Before the popularity of these DTC tests, most genetic testing only took place when ordered by a healthcare provider. But that may be changing. According to a study conducted by Global Markets Insights (GMI), the size of the DTC genetic testing market “surpassed USD $3 billion in 2022 and is predicted to expand at over 11.5% CAGR [compound annual growth rate] from 2023-2032.”
GMI also predicted that “rising prevalence of genetic disorders will accelerate [genetic testing] industry growth.”
Problems and Opportunities in Genetic Testing
As consumer demand for elective genetic testing has increased, certain issues and opportunities have arisen as well.
In an article she penned for STAT titled, “Why the Rise of DNA Testing Is Creating Challenges—and An Opportunity,” physician/scientist Noura Abul-Husn MD, PhD, Vice President of Genomic Health at 23andMe, wrote, “This rapid growth has created what some might see as a big problem and others might see as an opportunity.” Abul-Husn is also Associate Professor of Medicine and Genetics, and Clinical Director of the Institute for Genomic Health, at the Icahn School of Medicine at Mount Sinai.
“The problem? There hasn’t been a corresponding increase in genetics education and training healthcare providers about it, meaning that many people are reaching out to healthcare providers who are ill-prepared to incorporate genetic test results into clinical practice,” she wrote.
“The opportunity? Results from genetic testing can help healthcare providers engage with their patients on a deeper level about personal health risks, promoting health, and preventing disease,” she added.
Growing Need for Processing and Analyzing Genomic Tests
A YouGov survey of 1,000 adults between February 9 and February 12, 2022, showed that two of every 10 Americans have taken a DTC genetic test. But it seems healthcare professionals currently lack the training to incorporate genetic test results into their patients’ care. This may present an opportunity for the genetic testing industry to meet the demand of its consumers.
The growing popularity of elective genetic testing will also increase demand for clinical laboratories to process and analyze these types of tests. And that will drive increased revenue and job opportunities in those labs.
Another factor that is positive about the increased acceptance and interest in genetic testing by doctors and consumers is that this creates a demand by employees for their company health plan to cover genetic tests. Each year, going forward, employers will recognize that their employees want genetic tests and so will take steps to make such tests a covered benefit within the health plan. That is also a positive market factor for those medical laboratories offering genetic testing.
It seems clear that elective genetic testing offers individuals the opportunity to work with their physicians to design personalized treatments based on their unique conditions. And it gives the healthcare industry—including clinical laboratories—the opportunity to expand services and branch out. The future of precision medicine may lie within our genes.
New report notes that variations in price for common clinical laboratory tests should not exist ‘regardless of clinical setting’ and yet they do
Hospital laboratory leaders may soon observe employers—especially those in seven particular states—shopping around a bit more when it comes to insurance coverage of clinical laboratory tests for their employees. That’s because a recent study by the Health Care Cost Institute (HCCI ) found that employer-sponsored insurance pays three to six times more for lab tests performed by hospital outpatient labs compared to lab tests done by physician offices and independent clinical laboratories.
In an issue brief it developed in conjunction with West Health, the HCCI revealed that standard clinical laboratory tests cost as much as six times more when performed through hospital outpatient lab outreach programs rather than physician offices in Colorado, Indiana, Nevada, New Mexico, North Carolina, Texas, and West Virginia.
“Among individuals with employer-sponsored insurance, we observe substantially higher prices paid for common lab tests when these tests were billed by hospital outpatient departments (including on- and off-campus locations) compared to when they were performed in physician offices and independent labs,” the report authors wrote.
HCCI is a Washington, DC-based non-profit research institute focused on issues impacting the US healthcare system. West Health, in Washington, DC, and San Diego, is a nonprofit group that works to lower healthcare costs for seniors.
“By their very nature, [clinical laboratory] tests are standardized to be the same regardless of clinical settings, yet our research finds that hospital outpatient departments are typically billing private insurance three times more for the same lab test compared to physician offices and independent laboratories,” wrote Cristina Boccuti, MA, MPP, Director of Health Policy at Health West in the HCCI report. (Photo copyright: West Health.)
Price Markups Vary by Clinical Laboratory Test Type
In their HCCI issue brief, Cristina Boccuti, MA, MPP, Director of Health Policy at Health West; Senior Researcher and doctoral candidate Jessica Chang; and Aditi P. Sen, PhD, Director of Research and Policy at Health Care Cost Institute, wrote, “In this brief, we compare prices (as determined by total payments on claims) for clinical lab tests between hospital outpatient departments (25% of tests in our study) and physician offices and independent labs (75% of tests in our study) among individuals with employer-based health insurance.
“This analysis,” they added, “uses HCCI’s unique commercial claims dataset, which contains claims for 55 million Americans annually. In addition to analysis of individual clinical lab tests, we also examined variation across five broader categories following previously established methods relying on [Current] Procedural Terminology (CPT) codes.”
Those five test categories and percentage of samples studied included:
Clinical Chemistry (54%)
Microbiology (24%)
Complete blood count (10%)
Urine (9%)
Toxicology (4%)
Price markups (a calculated ratio based on each setting’s median price) varied by type of medical laboratory test and were usually three to five times higher in a hospital outpatient setting as compared to the physician office or independent clinical lab site. Some urine tests were more than seven times higher.
“Variation should not exist among clinical lab tests,” the HCCI authors wrote. “Analysis of most non-emergent clinical lab tests on a specimen, such as a blood test or urine sample, is identical regardless of factors such as where the test is performed or patient risk.”
The most frequently ordered lab tests with the highest markup included:
Urinalysis (automated with microscopy): $2.72 office/independent lab; $21.39 hospital outpatient (more than seven times price markup).
Comprehensive metabolic panel: $8.85 office/independent lab; $47.13 hospital outpatient (more than five times markup).
General health panel: $22.97 office/independent lab; $127.97 hospital outpatient (more than five times markup).
“Under commercial insurance, some hospital outpatient departments are being paid over $200 for a metabolic panel, which has a medical office-based price of (about) $9,” the HCCI report noted.
Medical Laboratory Test Prices All Over the Map
When HCCI explored clinical laboratory test pricing throughout the US, the researchers found price markups in hospital outpatient settings ranging two to six times higher than the same lab tests performed in offices and independent labs. States with low markups were North Dakota, Arkansas, and Minnesota.
Markups varied within states as well. The HCCI analysts shared an example of lipid profile testing in Pennsylvania, where the average price difference between hospital outpatient and physician offices ranged from $34 in Philadelphia to just $17 in Pittsburgh.
Big Differences in Microbiology, Toxicology Lab Test Prices
As to clinical laboratory testing categories, the report found the greatest price markups were in blood count and urine testing. The biggest median price differences—more than $30 per test—was observed in microbiology and toxicology:
Blood count: $6.34 in office/independent lab versus $29.61 in hospital outpatient setting.
Urine: $4.33 office/independent lab versus $24.39 hospital outpatient.
Microbiology: $16.50 office/independent lab versus $47.80 hospital outpatient.
Toxicology: $12.15 office/independent lab versus $43.65 hospital outpatient.
While individual lab test prices may seem low, the overall investment is huge in the context of 232 million lab tests, and spending is increasing. Nearly $7 billion was spent on medical laboratory tests in 2019, as compared to $5.8 billion on 155 billion tests in 2012, HCCI data shows.
Bill Kerr, MD, co-founder and CEO at Avalon, noted in an article he penned for MedCity News that a hospital outpatient laboratory may receive $100 for a routine test, while a non-hospital lab will get on average $20 for the same test on the same instrument.
“Hospitals frequently argue that they need to charge more to support their specialty test innovation and development. That doesn’t hold true for routine testing though,” he wrote.
Kerr pointed out that physicians could order tests as part of incentives to use hospital-affiliated labs. “Plus,” he wrote, “payers are often hesitant to educate their members about lower-cost lab testing options because of various provisions in their contracts with hospitals.”
What could help, he added, are lab testing price transparency and “payment integrity programs,” that have science “at the core” and aim to flag unneeded and as well as needed tests, especially in oncology.
HCCI Advises Site Neutral Payment, Negotiation
HCCI also made recommendations in its report. They include:
Policymakers for states with the high hospital outpatient setting markups “should use site-neutral payment policies for insurance plans regulated at the state level.”
In negotiations, health insurers and self-insured employers can aim to limit site-based payment differentials for their enrollees and employees.
For hospital clinical laboratory leaders, the HCCI is calling attention to an issue that may eventually restrict the ability of hospitals to bill outpatient lab tests using inpatient pricing.
