Sensitive Health Information

The aftermath of the Orlando nightclub tragedy has led to much discussion about ways that healthcare providers can and should deal with compliance with health information privacy requirements in the face of disasters that injure or sicken many individuals in a limited time frame. One aspect is the pressure to treat patients while simultaneously fulfilling the need to supply current and relevant information to family, friends and the media about patient status without breaching HIPAA by improperly disclosing protected health information (PHI).

Our partner Elizabeth Litten has already posted a prior blog entry on some HIPAA issues that surfaced in the Orlando disaster. She and I were recently featured again by our good friend Marla Durben Hirsch in her article in the August, 2016 issue of Medical Practice Compliance Alert entitled “After Orlando: Keep family, friends informed without violating HIPAA.” Full text can be found in the August, 2016 issue, but a synopsis is below.

Some of the tips provided by Litten and Kline in the article include the following:

  1. Kline: Review and update your practice’s disaster/emergency plan. “[Orlando] was such a disaster, and [there was an appearance created that] the hospital didn’t approach it with calmness and a professional approach.”
  2. Litten: One of the easily forgotten parts of HIPAA is that a covered entity can exercise professional discretion. “It’s best if the patient can agree [to the disclosure]. But if the patient can’t give consent, the provider has ways to provide information and exercise that discretion.” Kline added, “So there’s no need for a HIPAA waiver; the rule anticipates such situations.”
  3. Litten: Make sure that the practice’s designated spokesperson is knowledgeable about HIPAA. “This includes what can and can’t be divulged to friends, family members and the media.”
  4. Litten: Educate clinicians on professional discretion. “Remember when disclosing information to view it through the eyes of the patient. If you reasonably believe that a patient would want the information communicated, it’s OK. The professional is acting as proxy for a patient who can’t speak.” 
  5. Kline: Share contact information so staff can quickly get guidance from the practice’s compliance officer, especially during emergency situations. “For instance, a clinician being bombarded in the emergency department may have a question regarding whether she can tell a patient’s relative that the patient has been treated and released (she can).”
  6. Kline: Add this information to your practice’s HIPAA compliance program. “If you have policies and procedures on this, document that training occurred, and [if it] can show you attempted to comply with HIPAA, a court would be very hard pressed to find liability if a patient later claims invasion of privacy.”
  7. Kline: Don’t discriminate. “So clinicians exercising their professional discretion in informing friends and family members need to be gender neutral and objective.”
  8. Kline and Litten: Train administrative staff about HIPAA. “Not only should medical staff know the rules, but so should other staff members such as front desk staff, managers and billing personnel. It’s pretty bad when the head of a hospital is so uninformed about HIPAA that he provides misinformation to the mayor.”
  9. Kline and Litten: Highlight the limitations of the disclosure. “You can’t go overboard and reveal more than is allowed. For instance, a provider can tell a friend or family member about an incapacitated patient’s location, general condition or death. But that doesn’t mean that he can divulge that the lab tests indicate the patient has hepatitis. HIPAA also requires that a disclosure be made only of information that’s ‘minimally necessary.’”

Planning ahead by healthcare providers can help them comply with HIPAA if a disaster situation occurs to keep family and friends informed as to patient status, while contemporaneously carrying out their most important tasks: saving lives, alleviating pain and providing quality care to victims. This approach, however, combined with a good helping of common sense and professionalism, is not confined to disasters – it should be the practice of providers for non-emergent situations as well.


Our partner Elizabeth Litten and I were featured again by our good friend Marla Durben Hirsch in her article in the April 2016 issue of Medical Practice Compliance Alert entitled “5 safeguards to take with patient-employee health records.” Full text can be found in the April, 2016 issue, but a synopsis is below.

For her article, Marla asked us to comment about physician medical practices that provide medical treatment to their own employees and other staff or affiliates (collectively, “Patient-Employees”). She observed that “These medical records [of Patient-Employees] are not fair game for colleagues to view unless there’s a job-related reason for them to do so.”

Marla quoted Kline as saying that “It’s human nature to talk about others [that you know]. You also have rogue employees who are ‘frenemies’ [Or simply curious about a co-worker’s treatment].” Nonetheless, as Marla observed, events of improper access are not just potential HIPAA violations; they can also have a negative impact on the workplace.

Our five tips for reducing the risks of improper breaches of Patient-Employees’ health information that were developed with Marla follow:

Litten: Include employee privacy in your HIPAA education. “This is a topic for specific training.” For example, make sure that everyone in the office knows the practice’s HIPAA policies and procedures, and that all patients, even those who are employees, are entitled to their privacy rights. Emphasize the fact that employees should only review records when it is necessary to do their job.

Kline: Limit access to the records. “For instance, not all employees need unfettered access to electronic medical records, so different staff members can have different levels of access. Human resources shouldn’t be able to find out that an employee came in for [medical] help.”

Litten and Kline: Take consistent disciplinary action when warranted. An employee may need to be retrained, disciplined or even fired. Treat all workforce members the same, whether licensed professionals or other staff.

Litten: Require staff to report these kinds of breaches. “At the least the practice can argue that the employee had an obligation to report, and by not doing so the fault lay with the employee, not the employer.”

Litten and Kline: Don’t let Patient-Employees take shortcuts to access their records. All patients are entitled to access their records; Patient-Employees should be required to go through the same procedures to access their records as any non-Patient-Employee.

In this ever more-challenging environment of compliance with the privacy and security requirements of HIPAA (and other applicable federal and state laws), a health care provider should limit the risks appurtenant to providing treatment to its own employees as patients, especially since it may be an economical and efficient alternative. There are enough external risks lurking about. Through establishing discrete policies and procedures, a provider can do much to control its internal risks involving Patient-Employees.

We know by now that protected health information (PHI) and other personal information is vulnerable to hackers.  Last week, the Washington Times reported that the Department of Health and Human Services (HHS), the agency responsible for HIPAA enforcement, had suffered security breaches at the hands of hackers in at least five separate divisions over the past three years.  The article focused on a House Committee on Energy and Commerce report that described the breaches as having been relatively unsophisticated and the responsible security officials as having been unable to provide clear information regarding the security incidents.

We know it’s not a question of “if” sensitive information maintained electronically will be compromised by a hacking or other type of cyber security incident, but “when” — regardless of who maintains it — and how destructive an incident it will be. Even HHS and its operating divisions, which include both the Office of Civil Rights (OCR), charged with protecting PHI privacy and security, and the Food and Drug Administration (FDA), the country’s principal consumer protection and health agency, are vulnerable.

Just one day before its coverage of the House Committee report on the cyber security vulnerabilities that exist within the very government agencies charged with protecting us, the Washington Times reported on an even more alarming cyber security risk: the vulnerability of common medical devices, such as x-ray machines and infusion pumps, to hacks that could compromise not just the privacy and security of our health information, but our actual physical health.

This report brought to mind a recent report on the ability of hackers to remotely access the control systems of automobiles.  While the thought of losing control of my car while driving is terrifying, the realization that medical devices are vulnerable to hackers while being used to diagnose or treat patients is particularly creepy.  The two situations may present equally dangerous scenarios, but hacking into a medical device is like hacking into one’s physical being.

So while it’s one thing to have PHI or other sensitive information compromised by a hacking incident, it’s much more alarming to think that one’s health status, itself, could be compromised by a hacker.

Co-authored by Nancy E. Halpern, DVM, Esq. and Elizabeth G. Litten.  Also posted on Animal Law Update.

As reported in

Joseph Larsen, a Houston-based open records lawyer, said if Texas A&M owns the animals, the chapter cited in the attorney general’s opinion that grants veterinarian-client confidentiality should not apply because the veterinarians are working for the university. He said the law applies only to veterinarians who see animals that are owned by someone else.

However, nothing in the Texas Veterinary Practice Act provides such an exception.

A client is defined as the “owner or other caretaker of the animal.”  § 801.351(a)(1).

Furthermore, veterinary practice requires the existence of a veterinarian-client-patient relationship which exists between laboratory animal veterinarians, Texas A&M and the animals in their care. The law sets forth requirements of the Veterinarian-Client-Patient Relationship as follows:

(a) A person may not practice veterinary medicine unless a veterinarian-client-patient relationship exists. A veterinarian-client-patient relationship exists if the veterinarian:

(1) assumes responsibility for medical judgments regarding the health of an animal and a client, who is the owner or other caretaker of the animal, agrees to follow the veterinarian’s instructions;

(2) possesses sufficient knowledge of the animal to initiate at least a general or preliminary diagnosis of the animal’s medical condition; and

(3) is readily available to provide, or has provided, follow-up medical care in the event of an adverse reaction to, or a failure of, the regimen of therapy provided by the veterinarian.

(b) A veterinarian possesses sufficient knowledge of the animal for purposes of Subsection (a)(2) if the veterinarian has recently seen, or is personally acquainted with, the keeping and care of the animal by:

(1) examining the animal; or

(2) making medically appropriate and timely visits to the premises on which the animal is kept.

(c) A veterinarian-client-patient relationship may not be established solely by telephone or electronic means. (Section 801.351)

There are no laws or regulations exempting laboratory animal veterinarians from licensure in Texas. However, the “board may issue a special license to practice veterinary medicine to an applicant who is: (1) a member of the faculty or staff of a board-approved veterinary program at an institution of higher education … .” Section 801.256.

Special licenses may also be granted to veterinarians working for the Texas Animal Health Condition or the Texas Veterinary Medical Diagnostic Laboratory, but a special license is not available for a laboratory animal veterinarian serving in that capacity for a university.

In other jurisdictions, like New Jersey, the “practice of veterinary medicine, surgery, and dentistry” does not include:

(6) Any properly trained animal health technician or other properly trained assistant, who is under the responsible supervision and direction of a licensed veterinarian in his practice of veterinary medicine, if the technician or assistant does not represent himself as a veterinarian or use any title or degree pertaining to the practice thereof and does not diagnose, prescribe, or perform surgery.  (N.J.S.A  45:16-8.1.)

However, a laboratory animal veterinarian providing for the clinical care of the animals may still have to be licensed and governed by veterinary practice state laws.

The Beagle Freedom Project, concerned that Texas may set a new precedent for universities in other states, is reportedly considering filing a lawsuit.

Notably, Florida, known for its expansively permissive open public records act, has recently adopted a law which provides for an exemption to the State’s open public records act for animal medical records held by any state college of veterinary medicine that is accredited by the American Veterinary Medical Association Council on Education.

In support of this law, the

Legislature finds that the release of such animal medical records compromises the confidentiality protections otherwise afforded the owners of such animals treated by licensed veterinarians in this state . . . [and] that the privacy concerns that result from the release of animal medical records outweigh any public benefit that may be derived from the disclosure of the information.

These concerns arguably also apply to animals owned by research facilities.

Co-authored by Nancy Halpern, DVM, Esq.; also posted on Animal Law Update

HIPAA does not protect animals’ health information – it applies to the protected health information (or PHI) of an “individual”, defined as “the person who is the subject of” the PHI. However, state laws governing the confidentiality of health information also come into play and, in some cases, expand upon HIPAA’s privacy protections.


Physicians, for example, must abide by state law and licensing board requirements specific to medical record maintenance and confidentiality. In most states, veterinarians, like physicians, are required by law to keep the medical records of their patients confidential, unless their client — the patient’s owner — authorizes the release of the medical records, or the records are requested by the State Board of Veterinary Medical Examiners or as ordered by a court.

This requirement was affirmed in several legal opinions recently issued by the Texas Attorney General in response to letters sent from the Office of General Counsel of The Texas A&M University asking “whether certain information is subject to required public disclosure under the Public Information Act (the “Act”), chapter 552 of the [Texas] Government Code.”  Texas A&M had received at least 48 requests “for information pertaining to specified dogs and any specified protocols pertaining to the dogs at issue during a specified time period.”

The requests for information came from individuals claiming to have “virtually adopted” the dogs in question, as reported by

The Beagle Freedom Project, whose mission is to “rescue beagles used in animal experimentation in research laboratories,” encourages people to adopt research animals virtually, even though those animals are actually already owned by various research institutions and universities across the country.

The “adopters” then demand the medical records of their “adopted” animals in letters citing the state’s open public records act which sets forth requirements of various state agencies to provide requested information within a prescribed period of time.

Texas A&M has refused to provide that information, based on the opinion of the state Attorney General citing the restrictions in the Texas Veterinary Practice Act, which requires a veterinarian to maintain medical records confidentially and provides that the veterinarian can only release those records upon receipt of:

(1) a written authorization or other form of waiver executed by the client; or

(2) an appropriate court order or subpoena.

Occ. Code § 801.353 (b).

As further reported in

Joseph Larsen, a Houston-based open records lawyer, said if Texas A&M owns the animals, the chapter cited in the attorney general’s opinion that grants veterinarian-client confidentiality should not apply because the veterinarians are working for the university. He said the law applies only to veterinarians who see animals that are owned by someone else.

However, nothing in the Texas Veterinary Practice Act provides such an exception.

To Be Continued…

I received a disturbing robo-call over the weekend informing me that someone had attempted to use my credit card number fraudulently in a retail store in the next county. When I called back and verified these were not legitimate charges, my card issuer assured me that I would not be financially responsible, canceled my card and sent me a replacement. My imposter was prevented from accessing my account by the issuer’s tight security system. Victims of healthcare identity theft may not get off so easily, which may explain why smarter thieves are increasingly targeting health records.

The relative value of health records and financial data can vary greatly according to different sources. As the Pittsburgh Post-Gazette reported today,

“The value of personal financial and health records is two or three times [the value of financial information alone], because there’s so many more opportunities for fraud,” said David Dimond, chief technology officer of EMC Healthcare, a Massachusetts-based technology provider. Combine a Social Security number, birth date and some health history, and a thief can open credit accounts plus bill insurers or the government for fictitious medical care, he noted.

Reuters reports that medical information is worth 10 times more than credit card numbers on the black market.

Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection company. He obtained the data by monitoring underground exchanges where hackers sell the information.

Medscape reports that a stolen chart may be worth as much as $50, citing an FBI bulletin from April 2014:

Cyber criminals are selling the information on the black market at a rate of $50 for each partial EHR, compared to $1 for a stolen social security number or credit card number. EHR can then be used to file fraudulent insurance claims, obtain prescription medication, and advance identity theft. EHR theft is also more difficult to detect, taking almost twice as long as normal identity theft.

Criminals can monetize stolen health data in other creative ways. For example, some healthcare providers and their business associates have been victimized by so-called “ransomware,” which infects computers and encrypts files, then demands payment (often in untraceable Bitcoin) to unlock them. See the FBI’s January 20, 2015 alert entitled Ransomware on the Rise.

Willie Sutton was famously quoted as selecting banks for his robberies because “that’s where the money is.” Today’s healthcare scammers and hackers may be following his lead by focusing their efforts on the asset most valuable to illicit purchasers.

(Part III continues Part I and Part II of this series on privacy of health information in the domestic relations context, which may be found here and here. Capitalized words not defined in this Part III shall have the meanings assigned in Part I or Part II.)

6. The situation can be further complicated by the fact that the Affordable Care Act requires Insurers that offer dependent coverage to make the coverage available until the adult child reaches the age of 26 to avoid loss of health insurance for students after they graduate from college. Most Insurers permit adult children of 18 or over (e.g., those emancipated under state law) to block access to claims information by their parents, regardless of the fact the parent is paying for the coverage. Such an adult child is typically not a party to divorce settlements or decrees. In some states even minor children below the age of 18 may be permitted to block access to claims information by their parents.

7. HIPAA permits an individual to require a Provider to agree to the request of such individual to restrict disclosure of protected health information (“PHI,” as defined in HIPAA) about such individual to an Insurer if:

a. The disclosure is for the purpose of carrying out payment or health care operations (but not treatment) and is not otherwise required by law; and

b. The PHI pertains solely to a health care item or service for which the individual, or person other than the Insurer on behalf of the individual, has paid the Provider in full.

Adopting this payment approach may allow an individual to prevent his/her spouse from learning about specific events of diagnosis and treatment relating to such individual or his/her custodial children that would otherwise be available by access to claims information through an Insurer.

8. HIPAA provides that individuals have the right to request restrictions on how a Provider will use and disclose PHI about them for treatment, payment, and health care operations. A Provider is not required to agree to an individual’s request for a restriction, but is bound by any restrictions to which it agrees. This type of self-help initiative may enhance efforts to block access by a spouse or former spouse, either alone or in aid of other measures.

9. HIPAA also provides that individuals may request receiving confidential communications from a Provider, either at alternative locations or by alternative means. For example, an individual may request that her Provider call her at her office, rather than her home. A Provider must accommodate an individual’s reasonable request for such confidential communications. An Insurer must accommodate an individual’s reasonable request for confidential communications, if the individual clearly states that not doing so could endanger him or her. Again, as in item 8, this type of self-help initiative may enhance efforts to block access by a spouse or former spouse, either alone or in aid of other measures.

10. A wide range of changes in circumstances, such as a change in employment and/or Insurer, obtaining services from a new Provider, relocation to a different state, changes in state law, reaching of majority age by children and/or life event changes that relate to provisions in a divorce or separation agreement or decree warrants revisiting these tips from time to time. HIPAA rights and responsibilities must be re-evaluated regularly in the context of the facts and circumstances involved at any given time.


The foregoing discussion refers to only a few of the many permutations of issues that may arise regarding IHI in the domestic relations context. It is intended to indicate the wide diversity of challenges and opportunities that spouses and domestic partners may encounter regarding access and blocking access to IHI. Individuals who need advice regarding legal aspects of their domestic relationships and/or disputes should seek counsel of professionals who have familiarity with the ramifications, complexities and continuous changes involving HIPAA, state privacy laws and IHI.

(Part I of this series on privacy of health information in the domestic relations context may be found here. Capitalized words not defined in this Part II shall have the meanings assigned in Part I.)

Tips on dealing with IHI Issues in the Domestic Relations Context

1. Whether an individual is in a stable domestic relations environment or involved in the breakdown of a relationship, careful attention should be given to the Notice of Privacy Practices (“NPP”) of the healthcare provider (“Provider”) or health insurer or health plan (collectively, “Insurer”) as to (i) who is entitled to access IHI in the possession of such Provider or Insurer and (ii) the extent to which a patient or subscriber has the right to block such access. For example, an employee subscriber of an employer health plan typically has access not only to all of his/her claims information, but also to all of the claims information of a covered estranged spouse and of dependents, even if such subscriber is not the custodial parent.

2. To the extent that an NPP of a Provider or Insurer does not answer a question about IHI access and blocking in the domestic context, an individual should direct the question to the Provider or Insurer, as applicable. However, there may not be a clear answer forthcoming.

3. Most Insurers permit a covered spouse to block access to his/her claims information from the other spouse, even if such other spouse is the employee subscriber or person responsible for paying for health care coverage. This is a matter that should be addressed in a domestic relations agreement because the spouse that is paying for health care coverage may have his/her premiums, copays, deductibles and limits of coverage affected by the claims of the other spouse. The desire to block access to IHI by the other spouse may be heightened in the case of diagnosis and treatment for sensitive health matters, such as mental illness, substance abuse, infectious diseases, etc. (This last consideration can be present even in a stable domestic relationship where a spouse wants to avoid disclosure regarding such potential ailments, even perhaps to prevent undue anxiety by the other spouse.)

4. Similarly, many Insurers will permit a spouse who has custody of children to block access to the claims information of such children from the other spouse, even if such other spouse is the employee subscriber or person who is paying for the health care coverage for the children. Again, consideration should be given to addressing this matter in a domestic relations agreement or divorce order or agreement because the spouse that is paying for health care coverage may have his/her premiums, copays, deductibles and coverage limits affected by unknown claims of children with respect to whom he/she lacks custody. Moreover, the custodial parent may wish to prevent access by the other parent to prevent what the custodial parent deems to be potential interference with the custodial parent’s discretion as to the appropriate course of treatment and provision of health care services to the children. The HIPAA Privacy Rule generally allows a parent to have access to the child’s medical records and claims information as the child’s personal representative, as long as such access is not inconsistent with state or other applicable law.  Regardless, however, of whether a parent is the personal representative of a minor child, the HIPAA Privacy Rule defers to state or other applicable laws that expressly address the ability of the parent to obtain health information about the minor child.

5. Where there is shared custody of children, the issue can become even murkier. Without an agreement, there can be a new and unexpected domestic battlefield regarding access, control and blocking of IHI. While HIPAA requires a covered entity Insurer or Provider to treat a person that has authority (under applicable law) to act on behalf of another individual as the individual’s personal representative (thereby treating the personal representative as the individual), a Provider may choose not to treat a parent as a personal representative in certain circumstances, including where the Provider reasonably believes, in his or her professional judgment, that the child has been or may be subjected to domestic violence, abuse or neglect, or that treating the parent as the child’s personal representative could endanger the child.

(Part III of this series on privacy of health information in the domestic relations context will be posted shortly.)


The November 2014 ruling in the Connecticut Supreme Court in the case of Byrne v. Avery Center for Obstetrics and Gynecology, P.C., --- A.3d ----, 2014 WL 5507439 (2014) (the “Byrne case”) has been discussed in a number of posts on this blog, including those here and here. The main focus of such posts has been the Byrne case’s recognition of potential use of HIPAA’s requirements as a standard of care in a state breach of privacy lawsuit, even though an individual cannot sue under HIPAA itself. In those earlier blog entries, we observed that the Connecticut case may spawn copycat lawsuits using HIPAA the same way for state breaches of privacy, negligence and other causes of action.

This blog entry will focus more on facts of the Byrne case and some of their implications for individual health information (“IHI”) privacy in the context of domestic relations – both in the divorce or legal separation context and even in a less confrontational domestic environment. In the divorce or breakup context, consideration should be given to privacy issues of IHI in settlement agreements and divorce decrees. While settlement agreements and divorce decrees often address healthcare and health insurance issues, especially where there are custodial children involved, addressing IHI issues is much less common.

The Byrne Case

We recently co-authored an article entitled “Utilizing HIPAA as a Basis for State Negligence Actions” that was first published in Volume 11 Issue 12 of Data Protection Law & Policy (December 2014). The article, which may be found here, focused more on the facts of the Byrne case than our earlier blog posts and illustrates how IHI issues may infiltrate the break-up of domestic relationships. Among other things, the plaintiff in the Byrne case complained that, upon the end of her five month relationship with an individual (the “Individual”), she instructed the defendant physician practice group (the “Group”), as permitted under the Notice of Privacy Practices (“NPP”) of the Group, not to release her medical records to the Individual. Thereafter, the Group was allegedly served with a subpoena requesting its presence, together with the plaintiff’s medical records, at a court proceeding. The Group apparently did not alert the plaintiff of the subpoena, file a motion to quash it or appear in court, but rather mailed a copy of the plaintiff’s medical file to the court. The Individual later allegedly informed the plaintiff by telephone that he had reviewed the plaintiff’s medical file in the court file.

(Part II of this series on privacy of health information in the domestic relations context will be posted shortly.)


This post, written by my colleague Elizabeth Hampton, originally appeared on Garden State Gavel, a new blog focusing on New Jersey litigation topics.

Fraud is on the rise in every industry, and the lengths to which some people will go to make money by “gaming” the system are both fascinating and alarming. Look for some of these stories in this regular feature designed to inform you of the latest fraud trends and provide practice tips to safeguard your business from unwelcome intruders.

Steps to Fraud-Proof Your Professional Practice

Fraud is an increasingly lucrative “business” that weaves its web of deception through corporations, religious and educational institutions, and the provision of health care. The recent data breaches a la Target and Sony are just some of the more highly publicized examples of the breadth of this problem for businesses and their customers.

But did you know that the healthcare industry tops the charts of data breaches and fraud costs? In fact, The Economist (31 May, 2014) suggests that healthcare fraud in this country contributes to $272 billion in incremental costs to the system.

Health records are like gold to fraudsters because they often contain financial information, insurance numbers and personal data that can be used to obtain drugs or other benefits.  Converting this information in order to submit false healthcare claims has been a regular practice for some scammers.

As government and private insurers have stepped up their fraud detection models, medical providers likewise need to review their policies and step up their own monitoring to protect their practice from potential data breaches and fraud claims.

Have you considered whether your business is at risk for a data breach? Are you taking steps to “fraud-proof” your health care practice? Consider the following:

1. Perform a “Check-up.” Every practice needs one. Conduct a random review of your patient files to ensure that all information is appropriately filed and that the files are complete. Have your patients completed intake forms? Is there proper documentation of an accident or injury? How is the health information protected from improper disclosure?

2. Review Protocols. When was the last time you reviewed your policies? Have they been updated to comport with new HIPAA standards? Do you understand what the standards mean for you and your employees?

3. Billing. Make sure that your billing is done correctly and that those who have been entrusted to perform this function are on top of things. Have there been trends in collection? Have insurers rejected claims? Find out why.

4. Employees. Do not assume that your employees are aware of the dire consequences associated with the improper disclosure of health care information.  Educate them and set a high bar for security of this information.

Stay tuned for more fraud stories and ways that you can prevent it from damaging your business.