American Medical Collection Agency (“AMCA”), a collection agency that works primarily with health care companies, recently announced a breach of protected health information (“PHI”) and personally identifiable information (“PII”) affecting over 19.6 million patients. Quest Diagnostics and LabCorp, both clients of AMCA, have reported that their patients have been impacted by the incident. AMCA has engaged forensic experts to assist in its ongoing investigation.
Health care providers that use Quest and LabCorp for clinical laboratory services have begun to inquire about how the breach may impact them. Generally, clinical laboratories, such as Quest and LabCorp, operate as covered entities subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Because these laboratories are covered entities, the patient information they collect, create, utilize and maintain, such as test orders, ordering provider information, billing information, insurance information and test results, becomes a part of the laboratory’s designated record set. This information must be safeguarded by the laboratory in the same manner as by any other HIPAA covered entity. Although health care providers routinely share PHI with clinical laboratories, PHI collected, created, utilized and maintained by a clinical laboratory for its own treatment, payment and operations purposes is the responsibility of the clinical laboratory, not the providers. Accordingly, the laboratory would not be required to provide notice of a breach to the health care providers.
However, there may be instances where a clinical laboratory functions as a business associate of a health care provider. In those instances, a breach involving PHI provided by the health care provider would be the health care provider’s responsibility, and the laboratory would be required to notify the health care provider of the breach. If a health care provider contracts directly with AMCA for collection services, its PHI could be impacted through that relationship, and AMCA would be required to notify the health care provider of the breach directly.
In light of the above, health care providers that are covered entities under HIPAA should determine whether they have any current or past business arrangements with AMCA, Quest or LabCorp, and review those arrangements to assess whether AMCA, Quest or LabCorp holds the health care provider’s PHI as a business associate or as a covered entity. Health care providers also should consider how to communicate with their patients who receive notice of this breach from Quest or LabCorp and who have questions about how their information became involved.
We are closely monitoring this incident. If you are a covered entity that believes its business arrangement with AMCA, Quest Diagnostics and/or LabCorp has been impacted by this breach, please contact the following for assistance in determining what state and federal legal obligations your organization may have with respect to this incident: