
Criminal Conviction

About the Author: 
Mr. Ginsberg, president of PrivaPlan Associates Inc., is a leading authority on the application of HIPAA and how physician practices can comply with the regulation. He is the official HIPAA advisor to the California Medical Association.

Many physicians mistakenly believe that HIPAA is not being enforced. Recently, a landmark criminal investigation and resulting conviction occurred. This case shows how vulnerable medical practices, billing services, and even health plans are to a new trend: medical identity theft.

The case concerned a billing service/claims submission company that purchased patient information from a former Cleveland Clinic employee. The employee accessed the clinic’s computers to download more than 1,100 patients’ information. The patient information was not used for typical identity theft (creating false identities, credit cards, etc.) but rather to create false Medicare claims. These claims were filed and many of them paid, with the defendant fraudulently taking the funds.

The United States government investigated the case using FBI and Centers for Medicare and Medicaid Services (CMS) resources and prosecuted it in part under HIPAA's criminal provisions. Ultimately, the owner of the billing service/claims submission company was convicted of conspiring to defraud the United States; computer fraud; wrongful disclosure of individually identifiable health information (the HIPAA offense covering protected health information, or PHI); and multiple counts of identity theft. The former Cleveland Clinic employee had previously pled guilty and testified against the owner.

Medical identity theft is on the rise. In some cases PHI is stolen to create fraudulent claims and payments; in others it is used to obtain healthcare by assuming the identity of an insured individual. Physicians should be concerned about the exposure this creates, especially since this case involved an employee rather than an outside attacker. We can only guess at the time and cost the investigation imposed on the Cleveland Clinic.

Some Practical Steps You Can Take

Ultimately, compliance with HIPAA privacy and security standards is essential. However, this case offers a few lessons worth drawing out. For example:

  • Do you have workforce clearance procedures, and do you follow them? It is increasingly important to do effective clearance, for example, criminal background checks on employees who will have access to PHI. Be sure to follow state and federal laws regarding how you notify a new employee of an impending background check and how you apply the findings.
  • Do you have effective workforce access and authorization protocols in place? In the “old days” it would take a large truck to steal information on 1,100 patients. Today it requires a USB “thumb” drive and a few minutes. As more and more organizations convert to electronic health records and use portable devices, this threat becomes greater. Are employees restricted to accessing only the information needed for their jobs?
  • Do you have effective workforce termination procedures? When someone is fired or quits, are you sure all access is denied and terminated?
  • Are you routinely reviewing system activity and conducting technical audits to detect suspicious access? Sometimes the breach is carried out by a trusted, current employee who is being coerced or extorted by someone else; the activity then comes from a legitimate account with legitimate rights, and only the pattern of access (volume, timing, records outside the employee's normal caseload) gives it away.
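The access-review and termination items in the checklist above, as an added example that is not part of the original article: a small Python script that reads a constructed access-audit trail and raises two of the alerts a practice would want, one for a single account touching an unusual number of distinct patient records in a short window (the "thumb drive and a few minutes" scenario), and one for any activity by an account HR has reported as separated. The log format, user names, patient identifiers, the one-hour window and the five-patient threshold are all assumptions chosen for illustration; a real EHR or billing system's audit trail will differ, and the threshold should come from a baseline of normal use in your own practice.

```python
"""Added example: review a (constructed) EHR access audit trail for
bulk record access and for activity by terminated accounts.
Not code from the article or from any product it mentions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    action: str
    patient_id: str


# Constructed sample log (not real data). Assumed format, one event per line:
# ISO timestamp, user id, action, patient id.
SAMPLE_LOG = """\
2007-03-12T08:01:10 jdoe VIEW P10001
2007-03-12T08:03:44 jdoe VIEW P10002
2007-03-12T08:40:05 jdoe VIEW P10003
2007-03-12T12:00:01 mlee VIEW P10004
2007-03-12T12:01:12 mlee EXPORT P10005
2007-03-12T12:01:50 mlee EXPORT P10006
2007-03-12T12:02:31 mlee EXPORT P10007
2007-03-12T12:03:09 mlee EXPORT P10008
2007-03-12T12:03:40 mlee EXPORT P10009
2007-03-12T12:04:15 mlee EXPORT P10010
2007-03-12T18:22:47 rgone VIEW P10011
"""

# Assumed input from the termination procedure: accounts HR reports as
# separated. Any activity from them is an alert regardless of volume.
TERMINATED_USERS = {"rgone"}


def parse_log(text):
    """Parse the assumed whitespace-separated log format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient_id = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), user, action, patient_id))
    return events


def bulk_access(events, max_patients=5, window=timedelta(hours=1)):
    """Return {user: peak distinct patients in any sliding window} for users
    whose peak exceeds max_patients. Counting distinct patients rather than
    raw events means repeatedly opening one chart does not trigger an alert."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.when)
        peak = 0
        for i, start in enumerate(evs):
            in_window = {e.patient_id for e in evs[i:] if e.when - start.when <= window}
            peak = max(peak, len(in_window))
        if peak > max_patients:
            flagged[user] = peak
    return flagged


def terminated_access(events, terminated):
    """Return every event performed by an account that should be disabled."""
    return [ev for ev in events if ev.user in terminated]


def review(log_text, terminated, max_patients=5, window=timedelta(hours=1)):
    """Run both checks over a log and return the alerts by category."""
    events = parse_log(log_text)
    return {
        "bulk": bulk_access(events, max_patients, window),
        "terminated": terminated_access(events, terminated),
    }


if __name__ == "__main__":
    result = review(SAMPLE_LOG, TERMINATED_USERS)
    for user, n in result["bulk"].items():
        print(f"ALERT bulk access: {user} touched {n} distinct patients within 1h")
    for ev in result["terminated"]:
        print(f"ALERT terminated account active: {ev.user} {ev.action} {ev.patient_id} at {ev.when}")
```

On the sample data the script flags mlee, who exported seven different patients' records in about four minutes, and rgone, whose account is still able to view charts after separation; jdoe's three views in forty minutes stay below the threshold. The same two checks can be run nightly against the previous day's audit export, which is a practical way to satisfy the "routinely reviewing system activity" item without manual log reading.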

These steps are just a small part of your overall privacy and security compliance program. Make certain that your organization has done everything it can to prevent unauthorized access before it occurs.

CMS Announces Notice of Proposed Rulemaking: Remote Use of Computers

CMS released a Security Guidance for Remote Use document earlier this year as a way to provide additional information on how to apply the HIPAA Security Rule. The guidance document begins, “There have been a number of security incidents related to the use of laptops, other portable and/or mobile devices, and external hardware that store, contain, or are used to access Electronic Protected Health Information (EPHI) under the responsibility of a HIPAA covered entity.”

We have learned that CMS now plans a new HIPAA rule on the remote use of computers. The notice of proposed rulemaking (NPRM) is expected in July 2007, followed, as is usual, by a period of public comment and then publication of the final rule. The result will be an additional rule that strengthens or specifies some of the areas originally covered by the Security Rule and addresses new areas of concern. In the guidance document, CMS states that covered entities should place particular emphasis on risk analysis and risk management strategies; policies and procedures for safeguarding EPHI; and security awareness and training on those policies and procedures.

The guidance document goes on to describe risks and possible safeguards for password and logon access, unauthorized remote access by employees, home or offsite workstations left unattended, viruses that expose a computer to outside access, lost or stolen laptops or backup devices, interception of data in transmission, and so forth. These issues all point to the need for periodic evaluations (and, if you have not yet done one, an initial risk analysis).

An excellent resource is available to all SDCMS member physicians. The CMA/PrivaPlan HIPAA Privacy and Security ToolKit provides step-by-step guidance, forms, policies, and procedures for physicians. The toolkit incorporates the latest California laws and has been extensively reviewed by CMA’s legal team. For more information, visit www.privaplan.com or call (877) 218 7707 — and be sure to mention you are an SDCMS member so that you can obtain your discount.