HIPAA, HITECH & HIT

Legal Issues, Developments and Other Pertinent Information Relating To The Creation, Use and Exchange of Electronic Health Records

Doctor is Arrested for Allegedly Stealing Thousands of Patient Records

Posted in Privacy & Security

Our partner Elizabeth Litten and I were quoted by our good friend Marla Durben Hirsch in her recent article in Medical Practice Compliance Alert entitled “Doctor is Arrested for Stealing Thousands of Patient Records.”  While the full text can be found in the February 16, 2015 issue of Medical Practice Compliance Alert, the following considerations are based upon points discussed in the article.

A theft of patient protected health information (“PHI”) may invoke more than federal and state privacy laws.  It can also mean criminal charges under state penal laws. Radiologist James Kessler learned the hard way when he was arrested for allegedly stealing the PHI of nearly 100,000 patients.

Elizabeth was quoted as observing, “There is no indication that it was difficult for Kessler to do this.  He didn’t treat all 100,000 patients, so why did he have the ability to copy all of those files?  There are technical safety mechanisms and audit controls to limit that access.”

The article pointed out that in some multi-physician situations, ownership of records may need to be negotiated, and the contract may need to specify who gets which records in the event of a separation.  For example, if a physician brings patients to a practice, the employee may be entitled to own and take those patients’ records.

I was quoted by Marla: “Implement safeguards to reduce the risk that an employee can access records outside of his or her job responsibilities.  Also ensure that the practice provides HIPAA training, so that if an employee does violate HIPAA the action is less likely to be attributed to the employer.”

In the article Elizabeth explained that it is important to have an action plan to handle data breaches.  “Be prepared to investigate an incident that may be a security breach using the four steps required by HIPAA’s breach-notification requirements to see whether the breach needs to be reported,” she noted.  “Also be prepared to report a breach not only to the HHS and the state under HIPAA and state-notification laws but also to law enforcement when dealing with criminal activity such as theft and hacking.”

In the article, Elizabeth also advises making sure that the employment agreement complies with state law.  “Many states have laws regarding the reach of an employment agreement with physicians, such as reasonable non-competes and continuity of care provisions,” she says. “For instance, it varies whether an individual doctor or the practice itself is seen as having the relationship with the patients; there may even be state laws on the rights of patients in the event of a physician’s separation from a practice.”

The article points out that there are many complexities involved in the ownership, custody, creation, access, use, maintenance, transmission and retention of PHI. It may not be possible to prevent hacking or theft of PHI, even with reasonable security and privacy policies and procedures in place that are being followed.  However, if a breach or other adverse event occurs, the covered entity or business associate will be well-served by being able to demonstrate that it had and followed such policies and procedures if and when a regulatory authority or court is reviewing a HIPAA violation and determining potential responsibility and liability.

When HIPAA Applies to Patient Assistance Programs (and When it Doesn’t), Part 2

Posted in Privacy & Security

I posed a question in Part 1 of this post which I will summarize here:  is personal health information provided to a Patient Assistance Program (PAP) in order to help with covering the cost of prescription drugs protected as “protected health information” (PHI) under HIPAA?

Let’s use two examples.  Say Patient A, who knows he can’t afford the out-of-pocket costs for a branded drug prescribed by his doctor, goes to the pharmaceutical manufacturer’s website where he sees that the company has a PAP and on-line application form into which he enters his personal information to see if he qualifies for assistance.  Patient B is also concerned about the cost of a non-formulary drug prescribed for her, but the hospital where Patient B’s physician works has an arrangement with the PAP whereby the PAP will work with a patient’s insurance carrier to get coverage for drugs not included on the carrier’s formulary.  What happens if the PAP’s system is hacked and the personal health information of both Patient A and Patient B is compromised?  Does HIPAA apply and will the PAP notify Patient A and Patient B of the breach?

The answer is a qualified “yes”, because HIPAA would be applicable only if the PAP is functioning as a covered entity or business associate as those terms are defined under HIPAA when it receives and maintains the personal health information.  It’s the role the PAP plays with respect to the patient (and his or her information) that matters when trying to figure out whether the patient’s information is HIPAA-protected as PHI, rather than just the type of information the PAP receives and maintains.

Generally speaking, a pharmaceutical manufacturer (and its PAP) will be a “covered entity” under the HIPAA regulations if it is a “health care provider who transmits any health information in electronic form in connection with a transaction . . . .” (italics added).  The term “health care provider” is defined very broadly under the HIPAA regulations, and a “transaction” is defined (in relevant part) as “the transmission of information … to carry out financial or administrative activities related to health care.”  The manufacturer (and its PAP) is a “business associate” if it performs functions on behalf of a covered entity that require it to create, receive, maintain or transmit PHI.

The same mini-analysis can be applied to other business entities that “create, receive, maintain or transmit” PHI as a useful first step to understanding whether and how the personal health information may be protected.

Hacked Health Records Prized for their Black Market Value

Posted in Articles, Health IT, Medical Identity Theft, Privacy & Security, Sensitive Health Information

I received a disturbing robo-call over the weekend informing me that someone had attempted to use my credit card number fraudulently in a retail store in the next county. When I called back and verified these were not legitimate charges, my card issuer assured me that I would not be financially responsible, canceled my card and sent me a replacement. My imposter was prevented from accessing my account by the issuer’s tight security system. Victims of healthcare identity theft may not get off so easily, which may explain why smarter thieves are increasingly targeting health records.

The relative value of health records and financial data can vary greatly according to different sources. As the Pittsburgh Post-Gazette reported today,

“The value of personal financial and health records is two or three times [the value of financial information alone], because there’s so many more opportunities for fraud,” said David Dimond, chief technology officer of EMC Healthcare, a Massachusetts-based technology provider. Combine a Social Security number, birth date and some health history, and a thief can open credit accounts plus bill insurers or the government for fictitious medical care, he noted.

Reuters reports that medical information is worth 10 times more than credit card numbers on the black market.

Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection company. He obtained the data by monitoring underground exchanges where hackers sell the information.

Medscape reports that a stolen chart may be worth as much as $50, citing an FBI bulletin from April 2014:

Cyber criminals are selling the information on the black market at a rate of $50 for each partial EHR, compared to $1 for a stolen social security number or credit card number. EHR can then be used to file fraudulent insurance claims, obtain prescription medication, and advance identity theft. EHR theft is also more difficult to detect, taking almost twice as long as normal identity theft.

Criminals can monetize stolen health data in other creative ways. For example, some healthcare providers and their business associates have been victimized by so-called “ransomware,” which infects computers and encrypts files, then demands payment (often in untraceable Bitcoin) to unlock them. See the FBI’s January 20, 2015 alert entitled Ransomware on the Rise.

Willie Sutton was famously quoted as selecting banks for his robberies because “that’s where the money is.” Today’s healthcare scammers and hackers may be following his lead by focusing their efforts on the asset most valuable to illicit purchasers.

MINNESOTA BLUES GET HEALTH RECORDS SNOOPING BLUES

Posted in Articles, HIPAA Enforcement, Security Breach Notification

A registered nurse employed by Minnesota Blue Cross Blue Shield (BC/BS) with a history of drug offenses allegedly accessed a prescription drug database 249 times without a legitimate purpose, according to a report by Minneapolis CBS affiliate WCCO posted by reporter Esme Murphy.

The nurse, Jim Johnson, reportedly had been previously assigned by BC/BS under the insurer’s contract with the state Department of Health to monitor prescription drug use in state-run medical programs. In that capacity, he was given access to the Minnesota Prescription Monitoring Program (MNPMP), which is generally limited to licensed prescribers and pharmacists, and their delegated staff. The MNPMP was established to detect diversion, abuse and misuse of prescriptions for controlled substances.

For a period of eight months after Johnson had been reassigned to other duties, he apparently had not been removed from the list of authorized users despite BC/BS having notified the state of the change. WCCO reports that during that time Johnson had accessed 56 individuals’ records, and had viewed a number of records multiple times. Investigations also revealed that Johnson had accessed some of these same individuals’ social media profiles. There reportedly is no indication at this time that Johnson disclosed any of the information he obtained or that he misused that information to obtain narcotics.

State Nursing Board disciplinary records indicate that Johnson had been fired by two previous employers because of narcotic violations. He reportedly admitted to stealing drugs from Children’s Hospital in St. Paul in 2000 and was fired by Unity Hospital after admitting to stealing morphine. He had not been charged criminally but had been fined and subjected to additional supervision. BC/BS was apparently unaware of Johnson’s disciplinary history when he was hired.

There is plenty of blame in this situation to go around. Although the MNPMP apparently had a process in place for credentialing legitimate users, it failed to revoke those credentials when it was notified that Johnson’s job no longer required him to access the database. BC/BS may have failed to monitor its employees’ access to such a highly-confidential trove of information, and may have exercised poor judgment in not thoroughly vetting an employee before assigning him to such a sensitive role.

Employee “snooping” has led to serious consequences in a number of high profile cases, including a Vermont ultrasound technologist who peeked at her ex-husband’s family’s records, a UCLA researcher who was sentenced to prison for looking at celebrity charts, California and New York hospital workers who accessed celebrity records and 16 Houston hospital employees fired for accessing a resident’s medical records after she was injured in a shooting incident.

A surprising footnote to WCCO’s story is the fact that the state Department of Health reportedly misstated HIPAA’s breach reporting requirements and claimed that only breaches involving 500 or more individuals were reportable. Such large-scale breaches require notice within 60 days of discovery, but, as indicated in the WCCO report, breaches involving fewer than 500 individuals must still be reported within 60 days of the close of the calendar year.

This is not BC/BS’s first brush with medical privacy violations. According to the Star Tribune, in 2010, a subscriber sued the insurer for violating the Minnesota Health Records Act and breaching her privacy by disclosing her name and providing confidential information about her medical treatment. Amazingly, the patient’s information was reproduced in illustrations that appeared in handbooks and marketing pamphlets instead of “dummy” information. Her ID and claims information appeared in 400 copies of a pamphlet and in 95,000 copies of a member handbook. Previously, the State Department of Commerce suspended the license of a BC/BS agent after a life insurance customer complained that the agent had improperly disclosed the customer’s personal information.

Once again the temptation to rummage around in an inadequately-secured repository of information has proven too hard for an employee to resist. Few covered entities and business associates have implemented safeguards to protect data from curious (or dishonest) employees’ eyes. Heightened employee training about prohibition of snooping with emphasis on discipline up to and including discharge is one step. However, the time may have come when relying on the honor system and training may be insufficient to meet HIPAA’s poorly-defined “minimum necessary” standard and more robust technical solutions may be called for. Even when, as in this case, only certain individuals are given access to PHI on a need-to-know basis, there is room for improvement of monitoring and oversight of those individuals’ actual behavior.
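To make concrete the “more robust technical solutions” the preceding paragraph calls for, the following Python script is an added illustration (it is not code from this post, from BC/BS, or from the MNPMP). It replays constructed audit-log lines against a constructed authorization roster and flags three patterns drawn from the story: a user still accessing records after the date the account should have been revoked, access to records outside the user’s assigned caseload, and repeated views of the same record. The user ids, patient ids, dates and the repeat threshold are all made up for the example.

```python
"""Illustrative audit-control review for a PHI system.

Replays constructed access-log lines against a constructed authorization
roster and flags the patterns described in the post: access after the date
a role change should have revoked the account, access outside an assigned
caseload, and repeated views of one record.  Added example only; all users,
patients, dates and thresholds are invented.
"""

from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Authorization:
    user: str
    role: str
    valid_from: date
    valid_to: Optional[date]      # None means the authorization is still active
    caseload: FrozenSet[str]      # patient ids the role legitimately covers


# Constructed roster: "rn42" was reassigned on 2014-03-31 but, as in the
# story, the account was never revoked in the monitored system.
ROSTER = {
    "rn42": Authorization("rn42", "monitoring_nurse",
                          date(2013, 7, 1), date(2014, 3, 31),
                          frozenset({"P100", "P101"})),
    "rx07": Authorization("rx07", "pharmacist",
                          date(2012, 1, 1), None,
                          frozenset({"P100", "P200", "P201"})),
}

# Constructed audit-log lines: "<ISO timestamp> <user> <action> <patient id>"
LOG = """\
2014-03-10T09:12:00 rn42 VIEW P100
2014-03-10T09:13:00 rn42 VIEW P101
2014-05-02T22:41:00 rn42 VIEW P300
2014-05-02T22:42:00 rn42 VIEW P300
2014-05-02T22:43:00 rn42 VIEW P300
2014-05-03T01:05:00 rn42 VIEW P301
2014-06-01T10:00:00 rx07 VIEW P200
2014-06-01T10:02:00 rx07 VIEW P999
"""

REPEAT_THRESHOLD = 3   # views of one record by one user before it is flagged

Event = Tuple[datetime, str, str, str]
Finding = Tuple[str, str, str]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into (timestamp, user, action, patient)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split()
        events.append((datetime.fromisoformat(ts), user, action, patient))
    return events


def review_access(text: str, roster=ROSTER) -> List[Finding]:
    """Return a sorted, de-duplicated list of (rule, user, patient) findings."""
    findings = set()
    repeats = Counter()
    for ts, user, action, patient in parse_log(text):
        auth = roster.get(user)
        when = ts.date()
        # Rule 1: the user has no authorization on file, or the access falls
        # outside the authorization's validity window (the revocation gap).
        if auth is None:
            findings.add(("no_authorization", user, patient))
        elif when < auth.valid_from or (auth.valid_to is not None and when > auth.valid_to):
            findings.add(("access_after_revocation", user, patient))
        # Rule 2: the record is not part of the user's assigned caseload.
        if auth is not None and patient not in auth.caseload:
            findings.add(("outside_caseload", user, patient))
        # Rule 3: the same user keeps coming back to the same record.
        repeats[(user, patient)] += 1
        if repeats[(user, patient)] >= REPEAT_THRESHOLD:
            findings.add(("repeated_views", user, patient))
    return sorted(findings)


if __name__ == "__main__":
    for rule, user, patient in review_access(LOG):
        print(f"{rule:24s} user={user} patient={patient}")
```

Running it prints one line per finding. In practice the roster would come from the HR or credentialing system and the log from the application’s own audit trail; the point is that the audit-control requirement to record and examine activity only helps if the records are actually examined, and a rule as simple as comparing each access timestamp with the authorization end date targets exactly the eight-month gap described above.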

When HIPAA Applies to Patient Assistance Programs (and When It Doesn’t)

Posted in Privacy & Security

Patient Assistance Programs (PAPs) have proliferated in recent years, despite the fact that many commonly-prescribed medications have lost patent protection and the Affordable Care Act (ACA) has attempted to eliminate pre-existing condition discrimination by insurance companies.  Still, drug costs remain unaffordable to many patients, particularly those with high-cost, chronic conditions, even when patients have insurance coverage.  An article published recently in the New England Journal of Medicine suggests that, while the ACA increased insurance coverage for an estimated 10 million previously uninsured individuals in 2014, some insurers are structuring drug formularies in a manner that discriminates against (and discourages enrollment of) patients suffering from particular high-cost conditions.

Regardless of the cause, the need for and utilization of PAPs raises interesting questions related to privacy and security of protected health information (PHI).  I had the opportunity to co-present a workshop session on HIPAA at CBI’s 16th Annual Patient Assistance and Access Programs Conference in Baltimore, MD this week with Paula Stannard, Esq. of Alston & Bird.  The conference was well-attended, and Paula and I were asked a number of questions during and after our workshop that showed interest in HIPAA compliance by PAP entities, as well as confusion regarding it.

Paula and I crafted a scenario in which a PAP’s data system is hacked, and the hacker gains access to individually identifiable health information stored on the system.  Both Patient A and Patient B have insurance, but suffer from a condition requiring a medication not on their carriers’ formularies.  Patient A put his own information into the PAP system after learning about the PAP from a TV ad.  Patient B let her physician put her information into the PAP system, after the physician explained that the hospital at which the physician works has an arrangement with the PAP whereby the PAP will help with getting insurance coverage.

We asked the audience whether the hacker’s access to Patient A’s and Patient B’s information in the PAP was a HIPAA breach.  A follow up to this blog will discuss the factors relevant to deciding when HIPAA applies to PAPs (and individually identifiable information they maintain) and when it doesn’t.

Protecting Health Information in the Context of Divorce Proceedings and Domestic Relations – Part III

Posted in Privacy & Security, Sensitive Health Information

(Part III continues Part I and Part II of this series on privacy of health information in the domestic relations context, which may be found here and here. Capitalized words not defined in this Part III shall have the meanings assigned in Part I or Part II.)

6. The situation can be further complicated by the fact that the Affordable Care Act requires Insurers that offer dependent coverage to make the coverage available until the adult child reaches the age of 26 to avoid loss of health insurance for students after they graduate from college. Most Insurers permit adult children of 18 or over (e.g., those emancipated under state law) to block access to claims information by their parents, regardless of the fact the parent is paying for the coverage. Such an adult child is typically not a party to divorce settlements or decrees. In some states even minor children below the age of 18 may be permitted to block access to claims information by their parents.

7. HIPAA permits an individual to require a Provider to agree to the request of such individual to restrict disclosure of protected health information (“PHI”, as defined in HIPAA) about such individual to an Insurer if:

a. The disclosure is for the purpose of carrying out payment or health care operations (but not treatment) and is not otherwise required by law; and

b. The PHI pertains solely to a health care item or service for which the individual, or person other than the Insurer on behalf of the individual, has paid the Provider in full.

Adopting this payment approach may allow an individual to prevent his/her spouse from learning about specific events of diagnosis and treatment relating to such individual or his/her custodial children that would otherwise be available by access to claims information through an Insurer.

8. HIPAA provides that individuals have the right to request restrictions on how a Provider will use and disclose PHI about them for treatment, payment, and health care operations. A Provider is not required to agree to an individual’s request for a restriction, but is bound by any restrictions to which it agrees. This type of self-help initiative may enhance efforts to block access by a spouse or former spouse, either alone or in aid of other measures.

9. HIPAA also provides that individuals may request receiving confidential communications from a Provider, either at alternative locations or by alternative means. For example, an individual may request that her Provider call her at her office, rather than her home. A Provider must accommodate an individual’s reasonable request for such confidential communications. An Insurer must accommodate an individual’s reasonable request for confidential communications, if the individual clearly states that not doing so could endanger him or her. Again, as in item 8, this type of self-help initiative may enhance efforts to block access by a spouse or former spouse, either alone or in aid of other measures.

10. A wide range of changes in circumstances, such as a change in employment and/or Insurer, obtaining services from a new Provider, relocation to a different state, changes in state law, reaching of majority age by children and/or life event changes that relate to provisions in a divorce or separation agreement or decree warrants revisiting these tips from time to time. HIPAA rights and responsibilities must be re-evaluated regularly in the context of the facts and circumstances involved at any given time.

Conclusion

The foregoing discussion refers to only a few of the many permutations of issues that may arise regarding IHI in the domestic relations context. It is intended to indicate the wide diversity of challenges and opportunities that spouses and domestic partners may encounter regarding access and blocking access to IHI. Individuals who need advice regarding legal aspects of their domestic relationships and/or disputes should seek counsel of professionals who have familiarity with the ramifications, complexities and continuous changes involving HIPAA, state privacy laws and IHI.

Protecting Health Information in the Context of Divorce Proceedings and Domestic Relations – Part II

Posted in Privacy & Security, Sensitive Health Information

(Part I of this series on privacy of health information in the domestic relations context may be found here. Capitalized words not defined in this Part II shall have the meanings assigned in Part I.)

Tips on dealing with IHI Issues in the Domestic Relations Context

1. Whether an individual is in a stable domestic relations environment or involved in the breakdown of a relationship, careful attention should be given to the Notice of Privacy Practices (“NPP”) of the healthcare provider (“Provider”) or health insurer or health plan (collectively, “Insurer”) as to (i) who is entitled to access IHI in the possession of such Provider or Insurer and (ii) the extent to which a patient or subscriber has the right to block such access. For example, an employee subscriber of an employer health plan typically has access not only to all of his/her claims information, but also to all of the claims information of a covered estranged spouse and of dependents, even if such subscriber is not the custodial parent.

2. To the extent that an NPP of a Provider or Insurer does not answer a question about IHI access and blocking in the domestic context, an individual should direct the question to the Provider or Insurer, as applicable. However, there may not be a clear answer forthcoming.

3. Most Insurers permit a covered spouse to block access to his/her claims information from the other spouse, even if such other spouse is the employee subscriber or person responsible for paying for health care coverage. This is a matter that should be addressed in a domestic relations agreement because the spouse that is paying for health care coverage may have his/her premiums, copays, deductibles and limits of coverage affected by the claims of the other spouse. The desire to block access to IHI by the other spouse may be heightened in the case of diagnosis and treatment for sensitive health matters, such as mental illness, substance abuse, infectious diseases, etc. (This last consideration can be present even in a stable domestic relationship where a spouse wants to avoid disclosure regarding such potential ailments, even perhaps to prevent undue anxiety by the other spouse.)

4. Similarly, many Insurers will permit a spouse who has custody of children to block access to the claims information of such children from the other spouse, even if such other spouse is the employee subscriber or person who is paying for the health care coverage for the children. Again, consideration should be given to addressing this matter in a domestic relations agreement or divorce order or agreement because the spouse that is paying for health care coverage may have his/her premiums, copays, deductibles and coverage limits affected by unknown claims of children with respect to whom he/she lacks custody. Moreover, the custodial parent may wish to prevent access by the other parent to prevent what the custodial parent deems to be potential interference with the custodial parent’s discretion as to the appropriate course of treatment and provision of health care services to the children. The HIPAA Privacy Rule generally allows a parent to have access to the child’s medical records and claims information as the child’s personal representative, as long as such access is not inconsistent with state or other applicable law.  Regardless, however, of whether a parent is the personal representative of a minor child, the HIPAA Privacy Rule defers to state or other applicable laws that expressly address the ability of the parent to obtain health information about the minor child.

5. Where there is shared custody of children, the issue can become even murkier. Without an agreement, there can be a new and unexpected domestic battlefield regarding access, control and blocking of IHI. While HIPAA requires a covered entity Insurer or Provider to treat a person that has authority (under applicable law) to act on behalf of another individual as the individual’s personal representative (thereby treating the personal representative as the individual), a Provider may choose not to treat a parent as a personal representative in certain circumstances, including where the Provider reasonably believes, in his or her professional judgment, that the child has been or may be subjected to domestic violence, abuse or neglect, or that treating the parent as the child’s personal representative could endanger the child.

(Part III of this series on privacy of health information in the domestic relations context will be posted shortly.)


Protecting Health Information in the Context of Divorce Proceedings and Domestic Relations – Part I

Posted in Privacy & Security, Sensitive Health Information

The November 2014 ruling in the Connecticut Supreme Court in the case of Byrne v. Avery Center for Obstetrics and Gynecology, P.C., — A.3d —, 2014 WL 5507439 (2014) (the “Byrne case”) has been discussed in a number of posts on this blog, including those here and here. The main focus of such posts has been the Byrne case’s recognition of potential use of HIPAA’s requirements as a standard of care in a state breach of privacy lawsuit, even though an individual cannot sue under HIPAA itself. In those earlier blog entries, we observed that the Connecticut case may spawn copycat lawsuits using HIPAA the same way for state breaches of privacy, negligence and other causes of action.

This blog entry will focus more on facts of the Byrne case and some of their implications for individual health information (“IHI”) privacy in the context of domestic relations – both in the divorce or legal separation context and even in a less confrontational domestic environment. In the divorce or breakup context, consideration should be given to privacy issues of IHI in settlement agreements and divorce decrees. While settlement agreements and divorce decrees often address healthcare and health insurance issues, especially where there are custodial children involved, addressing IHI issues is much less common.

The Byrne Case

We recently co-authored an article entitled “Utilizing HIPAA as a Basis for State Negligence Actions” that was first published in Volume 11 Issue 12 of Data Protection Law & Policy (December 2014). The article, which may be found here, focused more on the facts of the Byrne case than our earlier blog posts and illustrates how IHI issues may infiltrate the break-up of domestic relationships. Among other things, the plaintiff in the Byrne case complained that, upon the end of her five month relationship with an individual (the “Individual”), she instructed the defendant physician practice group (the “Group”), as permitted under the Notice of Privacy Practices (“NPP”) of the Group, not to release her medical records to the Individual. Thereafter, the Group was allegedly served with a subpoena requesting its presence, together with the plaintiff’s medical records, at a court proceeding. The Group apparently did not alert the plaintiff of the subpoena, file a motion to quash it or appear in court, but rather mailed a copy of the plaintiff’s medical file to the court. The Individual later allegedly informed the plaintiff by telephone that he had reviewed the plaintiff’s medical file in the court file.

(Part II of this series on privacy of health information in the domestic relations context will be posted shortly.)

“Digital Quarantine” or Vaccination? What Cybersecurity Experts Can Learn from Health Care

Posted in Health IT, Privacy & Security

Perhaps the health care industry has a cybersecurity solution staring us in the face:  vaccines.  Perhaps we should be trying to vaccinate our data storage systems rather than relying on firewalls to quarantine them.  In an article posted on www.philly.com, Associated Press author Youkyung Lee says cybersecurity defense has traditionally been based “on the idea that computers could be protected by a digital quarantine.” Instead, posits Lee, experts need to focus on neutralizing attackers once they get inside a data system, rather than continuing the often-futile attempt to keep them out of the system.

Sounds like a digital vaccination to me.  According to the Centers for Disease Control, the United States is facing a multi-state measles outbreak associated primarily with unvaccinated individuals, and much has been written about parents who refuse to vaccinate their children and thereby unnecessarily and irresponsibly expose others to risk of infection.  When it comes to protecting the safety and wellbeing of protected health information and personal data maintained in a computer system, perhaps the vaccination approach is the way to go.

I turned to www.vaccines.gov for a quick description of how vaccines work in the human body.  Under “Mounting an Immune Response”, the site describes the skin in a way that makes it sound like a computer system’s firewall – it “provides an imposing barrier to invading microbes.  It is generally penetrable only through cuts or tiny abrasions.”  The digestive and respiratory tracts also work like firewalls, using acids and respiratory reflexes (coughs and sneezes) to destroy or expel invading microbes.  If the invading microbes succeed in crossing the body’s natural firewalls, the body’s immune system will kick in to thwart invading bacteria, viruses and parasites.  That’s where vaccines become helpful:

“Vaccines consist of killed or modified microbes, parts of microbes, or microbial DNA that trick the body into thinking an infection has occurred.  A vaccinated person’s immune system attacks the harmless vaccine and prepares for invasions against the kinds of microbe the vaccine contained.  In this way, the person becomes immunized against the microbe:  if re-exposure to the infectious microbe occurs, the immune system will quickly recognize how to stop the infection.”

The HIPAA Security Rule also seems to reflect a “digital quarantine” or firewall approach when it comes to implementing technical safeguards, describing implementation of access control, authentication procedures, and transmission security. (However, the requirement that covered entities and business associates implement audit controls that “record and examine activity in information systems that contain or use electronic protected health information” sounds a bit like the first step needed to develop an effective vaccine against hackers.)

So, since efforts to thwart hackers by using a “digital quarantine” (Lee’s description) or firewall type of barrier have been about as successful as relying on hand-washing and avoidance of theme parks to thwart measles, let’s hope cyber experts start to focus on developing digital vaccines.  These vaccines could not only train data systems to detect and stop a hacker after it has entered the system and before it can damage, remove, or copy the data, but also perhaps even trap the virus or other hacking mechanism for identification, analysis, and law enforcement purposes.

Welcome to “Fraud Fridays”

Posted in Health IT, New Jersey, Privacy & Security, Security Breach Notification, Sensitive Health Information

This post, written by my colleague Elizabeth Hampton, originally appeared on Garden State Gavel, a new blog focusing on New Jersey litigation topics.

Fraud is on the rise in every industry, and the lengths that some people will go to make money by “gaming” the system are both fascinating and alarming.  Look for some of these stories in this regular feature designed to inform you of the latest fraud trends and provide practice tips to safeguard your business from unwelcome intruders.

Steps to Fraud-Proof Your Professional Practice

Fraud is an increasingly lucrative “business” that weaves its web of deception through corporations, religious and educational institutions, and the provision of health care. The recent data breaches à la Target and Sony are just some of the more highly publicized examples of the breadth of this problem for businesses and their customers.

But did you know that the healthcare industry tops the charts of data breaches and fraud costs?  In fact, The Economist (31 May, 2014) suggests that healthcare fraud in this country contributes $272 billion in incremental costs to the system.

Health records are like gold to fraudsters because they often contain financial information, insurance numbers and personal data that can be used to obtain drugs or other benefits.  Converting this information in order to submit false healthcare claims has been a regular practice for some scammers.

As government and private insurers have stepped up their fraud detection models, medical providers likewise need to review their policies and step up their own monitoring to protect their practice from potential data breaches and fraud claims.

Have you considered whether your business is at risk for a data breach? Are you taking steps to “fraud-proof” your health care practice?  Consider the following:

1. Perform a “Check-up.”  Every practice needs one. Conduct a random review of your patient files to ensure that all information is appropriately filed and that the files are complete.  Have your patients completed intake forms? Is there proper documentation of an accident or injury?  How is the health information protected from improper disclosure?

2. Review Protocols. When was the last time you reviewed your policies? Have they been updated to comport with new HIPAA standards? Do you understand what the standards mean for you and your employees?

3. Billing. Make sure that your billing is done correctly and that those who have been entrusted to perform this function are on top of things. Have there been trends in collection? Have insurers rejected claims? Find out why.

4. Employees. Do not assume that your employees are aware of the dire consequences associated with the improper disclosure of health care information.  Educate them and set a high bar for security of this information.

Stay tuned for more fraud stories and ways that you can prevent it from damaging your business.