Keeping Patient Privacy Issues Private

Medical identity theft is a disturbing and growing trend, and the onus is on physician practices to guard patient records. The cost of not doing so can be considerable: A new survey shows it takes twice as much time to detect medical fraud and more than twice as money on average to remedy each case.

More than 275,000 incidents of medical information theft occurred in the U.S. in 2009, according to a report by Javelin Strategy & Research, a Pleasanton, California-based market research firm. It’s a disturbing and growing trend, with fraud resulting from health information theft rising from 3 percent in 2008 to 7 percent in 2009. But as Deborah Williamson, senior counsel with Michigan-based law firm Warner Norcross & Judd LLP, explains, it’s not a new problem for physicians.

“I’ve been working with physicians for a long time, and even before electronic health records, physicians were wrestling with patient privacy issues,” Williamson says. Today, however, physicians also have to comply with HIPAA privacy and security rules, or face possible sanctions. Thus, the added motivation.

The Impact of Identity Theft

Williamson explains that physician practices have had to be compliant with HIPAA privacy rules since April 2003, and security regulations since 2005. In short, if physician practices have any records that are stored electronically, employees need to be trained, and extensive policies and procedures must be in place indicating what can and cannot be done with electronic medical records. In addition, a practice must conduct a full-blown risk assessment to determine risks and vulnerabilities with regard to electronic medical records. In other words, Williamson notes, the onus is on the practice.

“[The practice] is the covered entity,” she explains. “The practice will have to notify patients if there has been a breach. So, the motivation on the part of physicians should be there.”

But is it? Are physicians putting in place the proper safeguards in the form of policies and procedures to guard against a breach? “They’re starting to,” Williamson says, but admits that more often than not, physicians are “not paying attention to [the HIPAA regulations] until they’ve had a complaint filed against them. We’re five years later and they don’t have [the compliance measures] in place.”

Williamson points out that instituting such measures can be expensive for a physician practice, though according to the Javelin Strategy & Research study, it may be more expensive to ignore it. The study found that it not only takes twice as much time to detect medical information fraud, compared with other types of identity theft, it costs $12,100 to do so, or more than twice the average cost.

No Broad-Brush Approach

Paul Smith is president and CEO of PacketMotion, a Sunnyvale, California-based firm that specializes in user-activity management and compliance, including HIPAA. He explains that limiting access to patient records could also limit the ability to provide needed care, such as when a patient visits an emergency room. “You can’t use access control to control inappropriate access,” Smith explains. “Instead, you prevent patterns of access.”

The company’s PacketSentry product plugs into existing networks and allows for the monitoring of all activity. A detailed report can be run on demand showing what each person accessed, or tried to access. “We quietly sit on the network, looking at transactions across applications and across different servers, and give clients a unified picture of what transactions have occurred,” Smith explains.

Take, for example, your credit card. You might use it sparingly, but then while on a vacation 3,000 miles from home you may have the occasion to make frequent purchases. To ensure that it was you who made those purchases, your credit-card company might contact you to verify the purchases. That’s what the PacketSentry Solution does -- it monitors patterns of access and links them to specific users.

“Some tools will tell you that this IP address went to this server and touched this record,” Smith says. “But customers will tell us, ‘I can’t discipline an IT address.’ They need to know who it was. We have technology built into our product that correlates to identity.” Those reports then become documented evidence if a healthcare practitioner needs to take corrective action where an employee is concerned.

Get Outside Help

Williamson emphasizes that when physician practices look to put compliance measures in place, it’s important to bring in outside help, including lawyers and consultants, because practice staffs are already stretched thin. It’s not only costly to address compliance issues, she says, it’s time-consuming as well.

“You talk to any office manager of a physician practice and they’re doing everything as it is,” Williamson says. “Then they have the added responsibility of becoming the HIPAA privacy officer and the HIPAA security officer. And if they’re dealing with HIPAA compliance, they’re not following up on accounts receivable and billing.”