SCGhealth Blog

Electronic HIPAA Violations

Thursday, July 20, 2017

Written by Nasir Abbas


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is pretty ancient. It passed through Congress in 1996, but the first regulation didn’t come out until 2003. The federal law mandates the security and protection of sensitive patient information: protected health information (PHI) and personally identifiable information (PII). Two separate regulations cover how to keep this information private and secured.


We’ve published several blogs in the past discussing appropriate disposal of physical information and the risks associated with carelessness. Now let’s look at the electronic side of HIPAA. According to Joseph Mutlu, former Executive Vice President of Information Technology at SCG Health, two of the most often overlooked security safeguards pertain to inventory management. “Currently we are utilizing more and more removable storage options. These devices are easily lost and/or stolen, so it is wise to always keep a running inventory of these devices if they contain any sensitive information,” observed Mutlu. The second issue is related to the systems themselves. “CPU cases contain the hard drive to your computer and can/should be locked. Anyone with the technical skills and know-how can effortlessly remove the hard drive in a matter of seconds, without the use of any tools.” If computers are left unattended, especially with distracted staff, one could slip out the hard drive and easily go weeks – maybe even months – undetected. By the time anyone realizes what has happened, whatever information was stored on that hard drive would have been long gone.

Though these tips are highly beneficial and interesting, there are two procedures that should be followed to a T if you wish to protect yourself and your practice as well as possible. These two steps, if taken appropriately, make sure that even if your device is stolen or lost, your information remains protected. Those measures are encryption and deletion.


With that being said, it is unfortunate that encryption and deletion are also the two protocols most businesses execute improperly. Encryption scrambles data files so that they are legible only to those holding the decryption key. This ensures that if sensitive information were to fall into the wrong hands, said information would still be protected. “Always make sure that when sending encrypted files via email you send two separate emails – one with the encrypted file and another with the key. Doing so protects you and the recipient in the case that one email were intercepted; it would be useless without the other,” says SCG Health CEO Jennifer Searfoss.

Deletion refers to the APPROPRIATE removal of information from networks and devices. Believe it or not, there is more to deletion than just emptying the recycling bin. If that is your method of electronic disposal, you are in dangerous territory. The truth is that the information is still there and is far from gone. Anyone with the time and patience can retrieve that information. A simple Google search for “retrieving deleted information” turns up numerous sites containing step-by-step instructions on how to do just that.

So, what can one do to make sure they are protecting themselves from all sides?

Steps to Take

Firstly, make sure you are familiar with your state’s regulations on the retention of medical records. The HIPAA Security Rule states that clinicians must keep any documents containing PHI for six years from the creation date or last known use date, whichever is later. Again, double check with your specific state, as the laws differ from state to state.

Make sure you perfect your encryption protocols. Encryption is your first layer of defense and should not be taken lightly. Make sure files are correctly encrypted, and make sure to always send two emails (the encrypted file and the decryption key). Deletion is the next layer of defense, but it is still extremely important and should always be performed to the highest level of completion. To completely and appropriately destroy data files, disks must either be magnetically wiped or completely reformatted and rewritten (minimum of three times through). Companies such as Dell offer destruction services, but you must always make sure they are HIPAA compliant before taking any action.
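As an added illustration (not code from this post or from SCG Health), here is the “rewritten a minimum of three times” step applied to a single file in Python; the function names `wipe_file` and `demo_wipe` and the sample record are constructed for the example, and the pass count defaults to the article’s minimum of three:

```python
import os
import secrets
import tempfile

# Added example, not code from the SCG Health post. Each pass overwrites
# the file's full length with fresh random bytes, forces the write to
# disk, and re-reads the file to confirm the original content is no
# longer what the filesystem returns; the file is unlinked afterwards.
# Caveat: on SSDs, copy-on-write or journaling filesystems, and cloud
# storage, in-place overwrites do not guarantee the old blocks are gone;
# full-disk encryption with key destruction or the drive's own sanitize
# command is the reliable path there.


def wipe_file(path: str, passes: int = 3) -> int:
    """Overwrite `path` `passes` times with random data, then delete it.

    Returns the number of completed passes; raises if a pass left the
    original content in place or if fewer than one pass was requested.
    """
    if passes < 1:
        raise ValueError("at least one overwrite pass is required")
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        original = f.read()
    done = 0
    for _ in range(passes):
        with open(path, "r+b") as f:  # opens positioned at byte 0
            f.write(secrets.token_bytes(size))
            f.flush()
            os.fsync(f.fileno())  # push the overwrite past the OS cache
        with open(path, "rb") as f:
            current = f.read()
        if size and current == original:
            raise RuntimeError("overwrite pass did not change the file")
        done += 1
    os.remove(path)
    return done


def demo_wipe(passes: int = 3) -> tuple:
    """Create a constructed sample PHI file, wipe it, and report
    (file_still_exists, passes_completed)."""
    fd, path = tempfile.mkstemp(suffix=".csv")
    with os.fdopen(fd, "wb") as f:
        # Constructed sample record, not real patient data.
        f.write(b"patient_id,dob,diagnosis\n10001,1970-01-01,J45.20\n")
    done = wipe_file(path, passes)
    return os.path.exists(path), done
```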

Overall, HIPAA violations can be avoided with a little training, education, attention and discipline. There are plenty of ways to protect your electronic information, but by following the procedures mentioned in this article, you will undoubtedly be on the right path to being HIPAA compliant.


Retention Laws Infographic

DOJ, HHS recovered $3.3 billion in health care fraud money in FY 2014

Tuesday, April 21, 2015

by Marla Durben Hirsch

Don’t expect the government’s fraud fighting efforts to abate anytime soon. The Departments of Justice (DOJ) and Health and Human Services (HHS) are in full swing, recovering $3.3 billion in taxpayer dollars in fiscal year (FY) 2014, and garnering an eye-popping $7.70 return on investment for every dollar expended, according to their joint announcement.

The $3.3 billion recovery is less than the $4.3 billion recovered in FY 2013, but is likely more reflective of that year’s large settlements with pharmaceutical companies and the progress the government has made in preventing improper payments from being made to begin with rather than its previous “pay and chase” approach to fraud recoveries.

Overall, more than $27.8 billion has been recovered through the joint efforts of DOJ and HHS to combat health care fraud.

Attorney General Eric Holder was almost giddy with excitement:

"The extraordinary return on investment we've obtained speaks to the skill, the tenacity, and the inspiring success of the hardworking men and women fighting on behalf of the American people. And with these outstanding results, we are sending the unmistakable message that we will not waver in our mission to pursue fraud, to protect vulnerable communities, and to preserve the public trust," he said in the announcement.

DOJ and HHS noted that they’re using a two-pronged strategy to ferret out fraud, using their new authority under the Affordable Care Act to prevent fraud and the Health Care Fraud Prevention and Enforcement Action Team (HEAT) to target regions in the country where health care fraud appears to be more prevalent: Miami, Los Angeles, Detroit, Houston, Brooklyn, New York, Southern Louisiana, Tampa, Florida, Chicago and Dallas.

The departments are also using other tools, like the False Claims Act, which recovered $2.3 billion in settlements and judgments in 2014, and the increased use of real-time data analytics to get into the weeds of a provider’s billing practices.

Just look at this month. The OIG announced 14 criminal and civil enforcement actions in the first 15 days of April 2015 alone; that’s almost one a day.

Notably, only one settlement in that time period is with a large institutional organization: Richmond, Va.-based Health Diagnostic Labs (HDL) and Alameda, California-based Singulex Inc. agreed to pay $48.5 million to settle charges that they induced physicians to refer blood test work to them by paying them “handling and processing” fees of $10-$17 per referral and causing false claims to be filed.

The other providers agreeing to civil settlements, being indicted or pleading guilty this month are a very diverse group, including several doctors, a home health agency owner, a dentist, a pharmacist, a continuing care retirement community, the office manager of a physical therapy clinic, and my favorite: two night club owners, who pled guilty to tax and fraud charges in connection with a health care benefit program. Not only were they cooking the night club’s books and destroying receipts to avoid governmental attention, they were also receiving assistance from Medicaid and LIHEAP (Low Income Heating and Energy Assistance Program) despite making substantially more than the maximum income eligibility from their Philadelphia night spot.

Yelp reports that the nightclub is now closed.

The bottom line: Increase your compliance efforts. Make sure that you’ve got internal controls to monitor your billings and that the communication lines are open with staff so they can report concerns. It is much better to catch a problem yourself than have the government do it for you.


Joint DOJ/HHS press release on recoveries

Full list of OIG enforcement actions

Announcement regarding the nightclub owners


SCG Health is a tradename of the Searfoss Consulting Group, LLC. You may reproduce materials available on this site for your own personal use and for noncommercial distribution. For more information, please read the Content Sharing Policy. Art & design by SCG Health. DISCLAIMER: You should consult an attorney for individual advice regarding a particular set of facts and circumstances. SCG Health reserves the right to change the information on this website without notice.