The Total HIPAA blog to date has focused on strategies to protect your clients’/patients’ information, but we’re going to change it up this week. We recently came across a white paper from the Ponemon Institute, which reported that there were over 1.8 million victims of medical identity theft in 2013.
According to this report, the likelihood that your Protected Health Information (PHI) will be compromised rose a whopping 19% over the previous year. Most shocking, many of the incidents companies and healthcare practices run into are not caused by hackers or outsiders at all; they are caused by trusted individuals inside the organization. Below are a few examples of employees, business associates, and even volunteers who stole PHI and used it for monetary gain, followed by what you can do to protect yourself.
Employees-
These two cases are very recent and have not yet been adjudicated.
- An office worker in a medical office in Owensboro, KY used patient information to get personal loans ranging from $300 to $7,000.
- A medical records administrator in Hackensack, NJ was arrested for stealing patient identities to commit credit card fraud. She is being held on $35,000 bond at the moment.
Business Associate-
Over four years, a supervisor at a billing and collection company filed false tax returns using stolen patient information. “She was using her name, her husband’s name, her daughter’s name in order to not be detected. She started using varying forms of her name, husband’s name, to get these refund checks requested,” says U.S. Postal Inspector Jamie Portell.
Volunteer-
A volunteer working at a VA Hospital stole patient information and filed false tax returns for over $550,000.
How do you prevent these HIPAA violations in your company/practice?
- Background checks – Before hiring staff or allowing volunteers on the premises, it’s important to know with whom you’re working. This means criminal records, reference checks, and possibly a financial check before employment.
- Conduct a Risk Assessment – Many people overlook this important step, even though HIPAA requires it. You need to identify where you are vulnerable (who can reach PHI, through which systems, with what oversight) and what you can do to address each gap.
- Creating Privacy and Security Policies and Procedures – Another requirement of HIPAA, and for good reason! Make sure you develop these compliance documents and train your employees on what’s in them. The best policies and procedures are useless if no one reads or knows anything about them.
- Train your Staff – Your employees should know what constitutes proper behavior and proper use of PHI. In many of the cases above, training would not have stopped the offenders, but a trained colleague might have noticed irregular behavior or unusual access to information and reported it.
- Perform Periodic Audits – Here you are looking for high-risk behavior in the records your systems already keep (HIPAA’s audit-controls standard expects you to record and review activity in systems that hold PHI). Are there documentation errors? Is an employee accessing patient records they are not authorized to access? Is someone pulling far more records than their job requires, or working in the system at odd hours? A finding from an audit is a lead to investigate, not proof of wrongdoing, but the cases above are exactly the pattern such a review is meant to surface.
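Those audit questions can be turned into a first-pass automated review of your EHR or practice-management access log. The Python script below is an added example, not code from the original post or from any particular EHR product. The log format, the user-to-patient assignment roster, the business hours and the volume threshold are all constructed assumptions standing in for whatever your own system records; the point is the three checks, each of which corresponds to one of the audit questions above.

```python
"""First-pass audit review of constructed PHI access-log lines (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one access event per line, as an EHR might export it.
# Fields: timestamp, user id, user role, patient id, action.
SAMPLE_LOG = """\
2014-03-03T09:12:00,nurse01,nurse,P1001,view
2014-03-03T09:15:00,nurse01,nurse,P1002,view
2014-03-03T09:40:00,clerk07,billing,P1001,view
2014-03-03T09:41:00,clerk07,billing,P2201,view
2014-03-03T09:41:30,clerk07,billing,P2202,view
2014-03-03T09:42:00,clerk07,billing,P2203,view
2014-03-03T09:42:30,clerk07,billing,P2204,view
2014-03-03T09:43:00,clerk07,billing,P2205,view
2014-03-03T09:43:30,clerk07,billing,P2206,view
2014-03-03T23:10:00,vol03,volunteer,P1002,view
2014-03-03T23:12:00,vol03,volunteer,P1003,export
"""

# Constructed roster: which patients each user has a documented work reason to
# access today (in practice derived from the schedule or an assigned work queue).
# A user missing from the roster is flagged on every access: unknown accounts
# are themselves a finding.
ASSIGNMENTS = {
    "nurse01": {"P1001", "P1002", "P1003"},
    "clerk07": {"P1001"},
    "vol03": set(),  # volunteers have no patient assignments
}

BUSINESS_HOURS = (7, 19)  # 07:00-19:00 local; assumption
VOLUME_THRESHOLD = 5      # distinct patients per user per clock hour; assumption


def parse_log(text):
    """Turn the CSV-style lines into event dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return events


def unauthorized_access(events, assignments):
    """Accesses to patients the user has no documented relationship with."""
    return [e for e in events
            if e["patient"] not in assignments.get(e["user"], set())]


def volume_spikes(events, threshold):
    """Users touching more than `threshold` distinct patients in one clock hour."""
    seen = defaultdict(set)
    for e in events:
        hour = e["ts"].replace(minute=0, second=0, microsecond=0)
        seen[(e["user"], hour)].add(e["patient"])
    return [(user, hour, len(patients))
            for (user, hour), patients in seen.items() if len(patients) > threshold]


def after_hours(events, hours):
    """Accesses outside the configured business-hours window."""
    start, end = hours
    return [e for e in events if not (start <= e["ts"].hour < end)]


def run_audit(text=SAMPLE_LOG):
    """Run all three checks and return the findings, one list per rule."""
    events = parse_log(text)
    return {
        "unauthorized": [(e["user"], e["patient"])
                         for e in unauthorized_access(events, ASSIGNMENTS)],
        "volume": volume_spikes(events, VOLUME_THRESHOLD),
        "after_hours": [(e["user"], e["patient"], e["action"])
                        for e in after_hours(events, BUSINESS_HOURS)],
    }


if __name__ == "__main__":
    for rule, hits in run_audit().items():
        print(rule, hits)
```

On the constructed log this flags the billing clerk for six patient records outside the assigned list and for seven distinct patients in one hour, and the volunteer for two accesses (one of them an export) late at night with no assignment at all. Each hit is a lead for a human reviewer, since a legitimate reason (a last-minute referral, an on-call shift) may exist; the value of the review is that it turns "who looked at what" into a short list someone actually reads.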
Even with the best protections in place, thefts can still happen, but by being proactive you can better protect your company/practice and the information entrusted to you.