By:
Dean Viskovich, Esq.
Principal at Dean M. Viskovich, P.A.
Sean M. Weiss
Partner & VP of Strategic Litigation Support and Regulatory Affairs at DoctorsManagement, LLC
If you thought CMS was going to roll out the next PAMA reporting cycle with a lot of noise, advance industry hand-holding, and a generous operational runway, think again.
Instead, the agency slipped out a March 17, 2026, letter to “Potential Applicable Laboratories” that, in practical terms, does one thing: it starts the compliance clock on a reporting obligation that many organizations are nowhere near ready to meet.
That is the real story here.
Buried in a routine-sounding CMS communication is a very real directive: if your organization qualifies as an applicable laboratory, you need to determine that now, identify the right reporting personnel now, build your data now, and be prepared to submit it during the reporting window that opens May 1, 2026 and closes July 31, 2026.
And if you fail to report, omit required information, or misstate what you submit, the penalty exposure is not theoretical. It is severe.
This was a quiet release with very loud consequences
Let’s be honest about what happened.
This did not arrive like a blockbuster final rule or a sweeping new enforcement announcement. It came through a legislative reset under the February 3, 2026 Consolidated Appropriations Act, followed by a short CMS action letter telling laboratories to get moving. The result is the same: the next CLFS private payor reporting cycle is live, the data collection period is fixed, and the burden is now on laboratories to figure out whether they are in and, if they are, to get the submission right.
That is exactly the kind of “under the dark of night” compliance event that catches organizations flat-footed. Not because the legal authority is hidden, but because the operational impact is grossly underestimated until the deadlines are already on top of you.
Who needs to worry: not every lab, but every lab should verify
CMS was careful in its wording. The letter went to “Potential Applicable Laboratories,” not confirmed reporting entities. That matters.
A laboratory must determine whether it qualifies as an “applicable laboratory.” In general terms, that means the lab bills Medicare Part B under its own NPI, or in the case of a hospital outreach laboratory bills on a Form CMS-1450 under TOB 14X, and satisfies the majority-of-Medicare-revenues test. In addition, it must meet the low expenditure threshold.
That sounds simple enough until you try to operationalize it inside a real health system or multisite organization.
Now you are dealing with:
• NPI-level versus TIN-level reporting structure
• hospital outreach billing distinctions
• the numerator and denominator for the majority-of-Medicare-revenues test
• low expenditure threshold validation
• entity mapping issues across lab operations, finance, and revenue cycle
In other words, before anyone starts loading files into a CMS portal, leadership needs to know with confidence whether the organization is actually a reporting entity.
Guessing is not a compliance strategy.
The biggest mistake labs will make: treating this like a contract-rate exercise
It is not.
This is not simply a matter of pulling a payer fee schedule and calling it a day. CMS is requiring applicable laboratories to report the private payor rate for which final payment was made during the data collection period and the associated volume of tests performed at each rate, by HCPCS code.
That is a much heavier lift than many organizations appreciate.
Why? Because “private payor” in this framework is broader than what many compliance teams casually call “commercial payors.” It includes:
- health insurance issuers
- group health plans
- Medicare Advantage plans
- Medicaid managed care organizations
That means this is not just a commercial managed care exercise. It is a cross-payor data reconstruction project.
And it is a hard one.
To get this right, laboratories may need to:
- identify every reportable HCPCS code furnished during the collection period
- determine the final payment rate actually paid, not merely the contracted rate on paper
- capture all distinct rates for the same test
- tie test volume to each specific rate
- account for adjustments and payment corrections
- exclude arrangements that do not belong in the reporting universe, such as capitated or similar payment methodologies
- validate whether reporting is being aggregated appropriately at the TIN level
That is a massive data integrity task. For larger organizations, this means pulling information from multiple billing systems, payment files, remittance structures, managed care sources, and internal reconciliation tools. For hospital-based and outreach laboratories, the complexity only compounds.
If you have decentralized billing or legacy reimbursement systems, this is not a light lift. It is a full compliance project.
The portal mechanics are easy. The certification risk is not.
CMS requires two individuals per TIN in the CLFS module: a submitter and a certifier.
That sounds administrative. It is not.
The submitter enters or uploads the data. The certifier reviews and certifies it on the laboratory’s behalf. But organizations should not confuse portal role assignment with legal accountability. The regulation requires an officer-level certification structure: the President, CEO, or CFO of the reporting entity, or an individual delegated authority who reports directly to one of those officers, must sign the certification statement and be responsible for assuring the data is accurate, complete, and truthful.
That means this is not something you casually hand to an analyst and hope for the best.
If the data is incomplete, if rates were incorrectly mapped, if volumes do not reconcile, or if reportable payors were omitted, the organization may be facing exposure not just for a sloppy submission, but for a false or deficient certification.
That should make every compliance officer, CFO, and laboratory executive sit up a little straighter.
The CMP exposure is the part nobody should ignore
CMS did not bury the lede. The letter plainly warns that applicable laboratories that fail to submit data may be subject to civil monetary penalties.
And the underlying law is far more explicit.
If the Secretary determines that an applicable laboratory failed to report, or made a misrepresentation or omission in reporting applicable information, CMS may impose a civil monetary penalty of up to $10,000 per day for each failure to report and for each misrepresentation or omission.
Read that again: up to $10,000 per day.
Not per audit cycle.
Not per year.
Per day.
That kind of penalty framework changes the posture entirely. This is no longer a routine reimbursement filing. It is a material enforcement-risk event.
Organizations that delay, under-resource the project, or certify data they cannot defend are taking a very expensive gamble.
The timing problem is real, and many organizations are already late
The relevant data collection period is January 1, 2025 through June 30, 2025. The reporting period is May 1, 2026 through July 31, 2026.
The problem is that many laboratories are only now waking up to what that means operationally.
By the time an organization realizes it has to compile final paid private payor rates across multiple payer classes, stratify them by HCPCS, tie them to corresponding volumes, vet exclusions, complete internal validation, and run that package through executive certification, the reporting window starts to look very short.
That is why this March 17 letter matters so much. It is not informational fluff. It is CMS telling the industry that the runway is now.
This belongs on the compliance agenda immediately
Too many organizations will route this to reimbursement or revenue cycle and assume the matter is under control. That is a mistake.
This issue belongs squarely on the compliance agenda because it implicates:
- regulatory reporting obligations
- executive certification
- data integrity controls
- enforcement risk
- civil monetary penalties
- internal governance and documentation
Every organization that may qualify should have a documented workplan now. That workplan should identify who is making the applicability determination, who owns the data extraction, who validates final payment logic, who signs off on excluded categories, who serves as submitter and certifier, and who is accountable for the final review.
If those answers are not already in place, the organization is behind.
What smart laboratories should do now
The right move is disciplined execution, not wishful thinking.
Start here:
- Confirm whether you are an applicable laboratory. Do not assume yes. Do not assume no. Work the actual majority-of-Medicare-revenues test and low expenditure threshold.
- Establish governance at the TIN level. Identify the submitter, identify the certifier, and align the certification process with officer-level accountability.
- Build the data set now. Do not wait for the portal to open. The hard part is not the upload. The hard part is assembling accurate, complete, defensible data.
- Stress-test the methodology. Validate HCPCS mapping, final payment logic, excluded payment arrangements, volume tie-outs, and rate stratification.
- Document everything. If CMS ever asks how the file was constructed, “that is what the system gave us” is not a defensible answer.
- Submit early. There is no compliance prize for waiting until the last possible day.
The Bottom line
CMS may have released this quietly, but the compliance implications are anything but quiet.
This is a serious federal reporting obligation with a compressed timeframe, a broad private payor data burden, an officer-certification requirement, and a civil monetary penalty structure that should get the attention of every laboratory executive in the country.
If your organization qualifies as an applicable laboratory, this is not business as usual.
It is a high-risk reporting event.
And the laboratories that treat it like a minor administrative task are the ones most likely to learn, too late, that CMS was not asking.