Article Date: 9/1/2010

How Safe Are Your Patient Records?

A review of how your practice's information systems and office procedures can prevent potentially devastating outcomes.

Alan F. Greggo, C.P.P., C.F.E., Mason, Ohio

Over the past several years, we've all become aware of the seriousness of identity theft and of violations of patient-record privacy. A security breach that compromises the privacy of your practice's data can be devastating. (See "The Case of the Hard-Working Technician," below.) The critical question to ask, then, is: how secure are your practice's data?

Congress expanded the Health Information Portability and Accountability Act (HIPAA) in 2002 to provide protection for individual medical records. (The original law, which became effective in 1997, was enacted to combat waste, fraud and abuse in healthcare delivery and health insurance.) With these latest revisions in place, medical records may not be disclosed without the written permission of the patient. HIPAA regulations also require that medical records be kept under lock and key and made available only on a need-to-know basis.

All medical practices must meet these requirements as mandated by HIPAA. Yet last year, the Ponemon Institute, a firm that researches information and privacy management practices, surveyed healthcare organizations and found that 54% are aware of deficiencies in their organizations' privacy compliance programs and 58% are aware of deficiencies in their security compliance programs. About one-third (34%) of the respondents stated that their organizations don't perform a periodic independent evaluation of their privacy and security programs. Another 30% say their organizations don't conduct a detailed security risk analysis. Of those organizations with 100 or fewer employees, only 18% claim that they have no deficiencies in their privacy and security programs.

Follow these guidelines

What are the important privacy and security measures that your practice must implement according to HIPAA? I recommend the following guidelines to move your practice closer to 100% compliance. (One hundred percent compliance is hard to achieve. Like any work in progress, compliance can always be improved.)

Network security. The convenience provided by the computer is the same convenience that makes it easy for hackers, phishers and others to steal information. Computers are usually attached to a network, which is only as secure as its weakest link. And remember: e-mail is just as vulnerable as any data storage system. As a result, protect your computer system with a strong firewall, up-to-date virus and spyware protection, and encryption of all outgoing transmissions of private health information.

Education. Train all employees to understand the importance of maintaining privacy and security. Provide written security standards to your staff and colleagues. Once in place, these standards will help prevent the many security breaches that occur because an insider makes a bad decision or exercises poor judgment, such as leaving a computer terminal unattended.

Scrutinize accessibility. Consider who has access to each computer terminal, as well as where terminals are placed in the office. Computer monitors that are within sight of the customer should be fitted with visual privacy screens so that only the person sitting directly in front of the terminal can see the information. Control accessibility through password protection; think of it as a requirement rather than a hassle. Ensure that any computer terminal that sits idle for three minutes automatically reverts to the password sign-on screen.

Map out your system. Begin by creating a permanent flow chart of all components of the system, including the hardware: the workstations, printers, scanners, PDAs, BlackBerrys and modems. Next, diagram the network components, which include the routers, hubs, cables or phone lines, and then catalog the software used for operating systems, accounting and databases. HIPAA requires such a risk analysis as the basis for your computer system security policies.

Plan for emergencies. Disasters such as fire, flood, hard disk failure, virus infections and weather emergencies can throw a wrench in the operation of your practice. Therefore, create a contingency plan so your practice's information systems remain operational in case the unthinkable occurs. Store your computer system's backed-up data off site in a secure location so you can be back in business without skipping a beat.

Partner with vendors and associates. HIPAA requires your practice to communicate with vendors, insurance providers and other business associates to ensure that each follows the proper privacy and security standards. They must be just as vigilant as you in protecting private health information. Not only are these business associates an extension of your practice, they're part of a larger chain of trust.

As you and your staff are not trained to be experts in security and compliance issues, you might consider enlisting the help of a security and HIPAA compliance expert to take an objective look at your practice's HIPAA program and to conduct the risk analysis that HIPAA guidelines require. There are several benefits to this approach, including:

► It will give you, the practice owner, a fresh and objective look at how your controls stack up against those of other practices the consultant has reviewed.

► It will allow for some fresh ideas to be contributed to process improvement. With such improvements, your practice can reach beyond summary compliance to the real goal: protecting patients and their information.

Keep in mind that you can delegate training on fraud prevention and proper compliance practices for your staff. By delegating, you allow yourself more time to concentrate on giving your patients the best care possible.

The cost of non-compliance

Historically, the most likely trigger for an audit is a customer-generated complaint. If federal compliance auditors conduct their own audit and find violations of HIPAA mandates, they are likely to recommend penalties. Auditors classify violations and the appropriate civil penalties into three categories:

1. If a practice didn't know that it violated HIPAA, it could be subjected to a minimum penalty of $100 per violation with an annual maximum of $25,000 for repeat violations.

2. If the violation was due to reasonable cause and not to willful neglect, the fine could be $1,000 per violation with an annual maximum of $100,000 for repeat violations.

3. If the violation was due to willful neglect but was corrected within the required time period, the fines range from $10,000 to $250,000. If the violation was due to willful neglect and was not corrected, the fines range from $50,000 to $1.5 million.

There are also criminal penalties for willfully and knowingly obtaining, disclosing, selling or transferring private health information. (These criminal penalties would have applied to the case study below.)

A profitable approach

In conclusion, ask yourself: "Am I ready for the worst?" With a little review, planning and follow-up, your practice can be more profitable and more resistant to risks that could drain profit dollars and damage your practice's reputation.

Engage in a thorough review of your practice's fraud-prevention, regulatory-compliance and efficiency practices so you are prepared. The small price you pay now is worth the peace of mind: you will be prepared to mitigate risks and have the confidence that your practice is on target with regulatory compliance.

The Case of the Hard-Working Technician

Nina, a technician employed at a medical office in Los Angeles, frequently worked on patient files. Described as a hard-working 22-year-old who appeared very conscientious about her work, Nina regularly volunteered to stay late whenever the doctors or staff needed help. She occasionally closed the office with the later-scheduled technicians and office staff. One evening before she left the office, Nina pulled four patient files and placed them in her oversized purse.

Nina's dark side

Nina's boyfriend, Clint, was a gang member who had worked at the same medical office until he was terminated for mistreating a customer. Clint and Nina started dating after they met at the office. As their relationship progressed, Clint persuaded Nina to bring him patient files from the medical office. The reason: Clint and his gang were interested in stealing patients' identities for financial gain.

I became involved in the investigation when a patient of the medical office, Ms. Moody, complained that she had discovered unauthorized charges on a credit card. In the past year, she had used the card only at that medical office, so it became apparent that the culprit had stolen Ms. Moody's credit information from the medical office.

During the course of the investigation, Ms. Moody further disclosed that she was having financial problems because her credit rating was poor. According to credit records, the 72-year-old Ms. Moody had purchased a Harley-Davidson motorcycle for more than $25,000 the previous month. She was in shock because she had no idea where that charge originated.

The theft of hundreds of thousands of dollars

By the completion of this investigation, Nina had admitted to stealing more than 70 patient files. Her statements were compelling enough evidence for the police to obtain a warrant for Clint's arrest and for a search of his personal effects for the patient files.

When police arrested Clint, he was driving a BMW that he had obtained with a loan in one patient's name. In the trunk of the car were 75 patient files, real estate documents supporting the purchase of a new home and $300,000 in cash from another patient's savings account. Using patient information, Clint had also purchased a $12,000 diamond engagement ring for Nina.

Clint was arrested along with four additional gang members and Nina. They were charged with misrepresenting the truth on financial documents and making false loans. However, at the time, there were no laws on the books that made identity theft a crime. Since then, laws have been passed with clearly set definitions of what constitutes identity theft and serious penalties for it. Luckily for this practice, the incident was isolated and the private health information was recovered. Under the HIPAA laws now in force, this violation would have been much more serious.

Mr. Greggo is the principal of Profit Rx, an asset protection firm specializing in risk and threat assessment and fraud investigation. He has 30 years of experience with retail and healthcare businesses in loss prevention and asset protection. Contact him at or (513) 236-2642. Send comments on this article to

Optometric Management, Issue: September 2010