SCGhealth Blog

Don’t trash that! What you do with your records can come back to haunt you

Wednesday, December 27, 2017

By Marla Durben Hirsch 

If you don’t want to end up in legal hot water, make sure you have solid record retention policies – and that you follow them. 

California health system giant Sutter Health has learned this lesson the hard way. Several employers and labor unions sued Sutter in 2014 for charging inflated prices in violation of the antitrust laws. The lawsuit was recently designated a “class action” lawsuit, making the number of plaintiffs much larger. 

Sutter has now been found to have improperly destroyed 192 boxes of documents in 2015 that were potentially relevant evidence in the lawsuit. The documents were subject to a “litigation hold,” which means they could not be destroyed while the dispute was pending. Under Sutter’s own record retention policy, the boxes weren’t slated for destruction until 2035. The plaintiffs asked the court to impose sanctions on Sutter. 

Sutter claims the shredding was a routine mistake, done on the spur of the moment. The judge didn’t buy it. He said the shredding was intentional, that the individuals involved knew of the litigation hold, and that while it is sometimes acceptable to destroy records early, there was “no good explanation for this specific and unusual destruction here.” 

There was also an incriminating email written by a Sutter employee that said, “I’ve pushed the button…I’m running and hiding… fingers crossed that I haven’t authorized something the FTC [the federal agency charged with enforcing antitrust laws] would hunt me down for.” Sutter claimed that the FTC reference was a “joke.” 

The judge was not amused. He ordered Sutter to produce backup tapes and may consider issuing an adverse jury instruction. Note that in many cases a court imposes monetary penalties on the offender; the plaintiffs here didn’t request that. 

So how long do I keep this document?

What Sutter did crossed the legal line. But the rules regarding record retention are confusing, particularly in the complicated world of health care. 

For instance, the length of time a small business needs to keep a record for tax purposes depends on the action, expense or event which the document records. Some records need to be kept only three years; others indefinitely. And even once the deadline passes for IRS purposes, a business may still need to keep a document for other reasons, such as for insurance or creditor requirements. 

Health care records are governed by additional laws. HIPAA itself sets no retention period for medical records, but its privacy and security rules require that compliance documentation (policies, procedures, risk analyses, authorizations and similar records) be held for six years from the date of creation or the date it was last in effect, whichever is later. Hospitals need to retain a cost report for at least five years after the closure of the cost report. State medical record retention laws vary widely by type of medical record. They also typically set different retention periods based on the age of the patient (records of minors usually must be held for some time after the child reaches the age of majority). 

While it may be tempting to hold onto most or all records indefinitely, that’s not necessarily the best practice, either. For one, there’s the cost of storing them, particularly boxes of paper records. And there’s a risk. For example, if you hold onto medical records beyond the legally required time period and then suffer a breach, you have more records potentially compromised and more patients to notify. 

Record retention gets even more dicey if the records become relevant in an investigation or lawsuit and then can’t be destroyed. Even an innocent disposal may have negative consequences.


This is a particularly confusing issue for providers. Make sure that you:

  • Have record retention policies that comply with federal and state law. You may need to confer with your medical association or obtain outside help. 

  • Follow those policies; tread carefully if you’re going to change the rules midstream.

  • Remember that how you dispose of records also matters. Lax disposal can expose you to HIPAA and other violations.

Still Confused?

For further explanation, please watch our Gimme 15 Minutes webinar on this topic or check out the infographic we've made.

New Secure Medicare Cards - What They Mean for You

Wednesday, November 01, 2017

By Audrey Landers, Intern

In April 2018, the Centers for Medicare & Medicaid Services (CMS) will begin rolling out brand new ID cards without Social Security Numbers (SSNs). This change is being made in response to the Medicare Access and CHIP Reauthorization Act (MACRA), which requires that SSNs be removed from Medicare cards by April 2019. 

In order to help protect Medicare beneficiaries from identity theft, the SSN-based Health Insurance Claim Number (HICN) will be replaced by new Medicare Beneficiary Identifiers (MBI). These MBIs will be randomly generated 11-character alphanumeric codes with no specific meaning.

Image source: Centers for Medicare & Medicaid Services

CMS will be allowing an adjustment period from April 1, 2018 to December 31, 2019. SCG Health recommends that practitioners use this time to test, collect data from, and perfect their document management system (DMS) and claims submission system as well as remind patients of the change. During this time period, both the HICN as well as the new MBIs may be used to submit claims. Your practice will be expected to be able to use MBI exclusively by January 1, 2020 with limited exceptions. These exceptions include:

  • Appeals
  • Claim status query (Date of service before 1/1/2020)
  • Span-date claims (DOS before 1/1/2020)
  • Home health claims & Requests for Anticipated Payments (DOS before 1/1/2020)

Even when these exceptions apply, you are urged to use the new MBIs when possible.
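A claims or document management system that must accept both identifiers during the transition needs to tell them apart and to know when a HICN is no longer acceptable. As an added example (not code from the original post or from CMS), the Go program below classifies an identifier as a well-formed MBI, a legacy HICN or neither, using the position-by-position MBI character rules CMS published (first character 1-9; letters drawn from A-Z excluding S, L, O, I, B and Z because they resemble digits; the pattern C A AN N A AN N A A N N). The sample MBI 1EG4-TE5-MK73 is the one printed on CMS's example card; the other inputs are constructed, and the simplified HICN shape (nine digits plus a one- or two-character suffix) is an assumption of this example that ignores less common prefixed formats.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// IDKind is what a claims system might see during the transition period.
type IDKind int

const (
	Unknown IDKind = iota
	MBI
	HICN
)

func (k IDKind) String() string {
	switch k {
	case MBI:
		return "MBI"
	case HICN:
		return "HICN"
	}
	return "unknown"
}

// CMS excludes S, L, O, I, B and Z from MBI letters because they are easily confused with digits.
const mbiLetter = "[AC-HJ-KM-NP-RT-Y]"
const mbiAlnum = "[AC-HJ-KM-NP-RT-Y0-9]"

// Position-by-position MBI pattern as published by CMS
// (C = 1-9, A = letter, AN = letter or digit, N = 0-9): C A AN N A AN N A A N N
var mbiRe = regexp.MustCompile("^[1-9]" + mbiLetter + mbiAlnum + "[0-9]" +
	mbiLetter + mbiAlnum + "[0-9]" + mbiLetter + mbiLetter + "[0-9]{2}$")

// Simplified legacy HICN shape: nine SSN digits followed by a 1-2 character beneficiary code.
// Assumption for this example: prefixed (e.g. Railroad Retirement Board) formats are not handled.
var hicnRe = regexp.MustCompile(`^[0-9]{9}[A-Z][A-Z0-9]?$`)

// Normalize strips the hyphens and spaces printed on cards and uppercases the result,
// so what a clerk types from the card matches what the payer expects.
func Normalize(id string) string {
	id = strings.ToUpper(strings.TrimSpace(id))
	id = strings.ReplaceAll(id, "-", "")
	return strings.ReplaceAll(id, " ", "")
}

// Classify reports whether an identifier is a well-formed MBI, a legacy HICN, or neither.
func Classify(id string) IDKind {
	n := Normalize(id)
	switch {
	case mbiRe.MatchString(n):
		return MBI
	case hicnRe.MatchString(n):
		return HICN
	}
	return Unknown
}

// AcceptedOn applies the cutover rule from the post: MBIs are accepted at any time,
// HICNs only for years before 2020 (the listed exceptions would be layered on top of this).
func AcceptedOn(id string, year int) bool {
	switch Classify(id) {
	case MBI:
		return true
	case HICN:
		return year < 2020
	}
	return false
}

func main() {
	// Constructed inputs: the first is the sample MBI on CMS's example card; the rest are made up.
	inputs := []string{"1EG4-TE5-MK73", "1eg4te5mk73", "1SG4TE5MK73", "123-45-6789A", "1EG4TE5MK7"}
	for _, id := range inputs {
		fmt.Printf("%-14s -> %-7s accepted in 2020: %v\n", id, Classify(id), AcceptedOn(id, 2020))
	}
}
```

A check like this at intake catches the common transcription errors (a letter O typed for a zero, a dropped character) before a claim is rejected downstream, and AcceptedOn is the one place where the 1 January 2020 cutover and its exceptions would be encoded rather than scattered through the claims code.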

Getting Ready
In order to be prepared for the transition period, your DMS and claims submission systems must be ready to accept MBIs no later than April 1, 2018. CMS is currently running a television ad campaign discussing the new cards and you can help spread awareness by making information about the new cards available in your offices. CMS suggests displaying posters and putting out pamphlets in waiting areas as well as discussing the new cards directly with your patients. They should be aware that the cards will be sent out automatically starting April 1, 2018 and all Medicare beneficiaries should have new cards by April 1, 2019. There is nothing they need to do to get a new card. You should also take the opportunity to keep your patients from getting scammed during the transition period by making sure they are aware of the following:

  • CMS will never call a beneficiary, nor will they ever ask for their SSN.
  • The new Medicare cards are free, CMS will never ask a beneficiary for payment for a new card.
  • If a beneficiary receives a phone call from someone who asks for their MBI, SSN or for payment, they should hang up immediately and call 1-800-MEDICARE.
For more information on the new Medicare cards, you can visit CMS’s New Medicare Card Overview.

Electronic HIPAA Violations

Thursday, July 20, 2017

Written by Nasir Abbas


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is pretty ancient. It passed Congress in 1996, but its Privacy Rule did not take effect until 2003 (and its Security Rule not until 2005). The law mandates the security and protection of sensitive patient information: protected health information (PHI), which includes the personally identifiable information (PII) that ties a record to a person. Two separate regulations, the Privacy Rule and the Security Rule, cover how to keep this information private and secure.


We’ve published several blogs in the past discussing appropriate disposal of physical information and the risks associated with carelessness. Now let’s look at the electronic side of HIPAA. According to Joseph Mutlu, former Executive Vice President of Information Technology at SCG Health, two of the most often overlooked security safeguards pertain to inventory management. “Currently we are utilizing more and more removable storage options. These devices are easily lost and/or stolen, so it is wise to always keep a running inventory of these devices if they contain any sensitive information,” observed Mutlu. The second issue is related to the systems themselves. “CPU cases contain the hard drive to your computer and can/should be locked. Anyone with the technical skills and know-how can effortlessly remove the hard drive in a matter of seconds, without the use of any tools.” If computers are left unattended, especially with distracted staff, one could slip out the hard drive and easily go weeks – maybe even months – undetected. By the time anyone realizes what has happened, whatever information was stored on that hard drive would be long gone. An inventory tells you what is missing; only encryption, covered next, makes what is missing unreadable.

Though these tips are beneficial and interesting, there are two procedures that should be followed to a T if you wish to protect yourself and your practice as well as possible. These two steps, taken properly, ensure that even if a device is stolen or lost, the information on it remains unreadable. Those measures are encryption and deletion.


Unfortunately, encryption and deletion are also the two controls most businesses execute poorly. Encryption transforms data so that it is legible only to someone who holds the decryption key; if encrypted information falls into the wrong hands, it is still protected. “Always make sure that when sending encrypted files via email that you send two separate emails – one with the encrypted file and another with the key. Doing so protects you and the recipient in the case that one email was to be intercepted, it would be useless without the other,” says SCG Health CEO Jennifer Searfoss.
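To make the point concrete, here is an added example (not code from the post or from SCG Health) of file encryption done properly with Go's standard library: AES-256-GCM with a fresh random nonce per file, so the attachment carries everything except the key, and an authentication tag so that a wrong key or a tampered file is rejected outright rather than decrypted into garbage. The patient record in main is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random 256-bit key. This is the part that travels separately
// from the file; without it the encrypted attachment is useless to an interceptor.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM. Output is nonce || ciphertext || tag, so the
// recipient needs nothing but the key and this blob. A new random nonce is drawn per file;
// reusing a nonce under the same key would break GCM's confidentiality and integrity.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce, giving the self-contained blob.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. The authentication tag means a wrong key or a modified blob
// returns an error instead of plausible-looking output.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("MRN 000123; DOB 1970-01-01; Dx: example")
	key, _ := NewKey()
	blob, _ := Encrypt(key, record)
	fmt.Printf("send as attachment:     %s\n", hex.EncodeToString(blob))
	fmt.Printf("send by another channel: %s\n", hex.EncodeToString(key))

	pt, err := Decrypt(key, blob)
	fmt.Printf("recipient recovers: %q (err=%v)\n", pt, err)

	wrong, _ := NewKey()
	_, err = Decrypt(wrong, blob)
	fmt.Printf("wrong key: err=%v\n", err)
}
```

The design choice worth noting is that the key and the ciphertext are deliberately two separate artifacts: the blob can be emailed, but the hex key should go by a channel an email interceptor does not also control.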

Deletion refers to the APPROPRIATE removal of information from networks and devices. Believe it or not, there is more to deletion than emptying the recycle bin. If that is your method of electronic disposal, you are in dangerous territory: the information is still on the disk, merely unlinked from the directory, until something happens to overwrite it. Anyone with the time and patience can retrieve it, and a quick Google search for “retrieving deleted information” turns up numerous sites with step-by-step instructions on how to do just that.

So, what can one do to make sure they are protecting themselves from all sides?

Steps to Take

First, make sure you are familiar with your state’s regulations on the retention of medical records. HIPAA itself sets no retention period for medical records; what its Privacy and Security Rules require is that compliance documentation (policies, procedures, risk analyses, authorizations and the like) be kept for six years from its creation date or the date it was last in effect, whichever is later. Retention periods for the records themselves come from state law, and the laws differ from state to state, so check yours.

Make sure your encryption practices are sound. Encryption is your first layer of defense and should not be taken lightly. Make sure files are actually encrypted, and send the key by a different channel than the file, for example by phone or text message rather than a second email to the same mailbox, so that compromise of one channel does not expose both. Deletion is the next layer of defense and should always be carried through to completion. Reformatting a disk or emptying the recycle bin does not remove the data. To destroy data on a drive you are retiring, degauss it (magnetic media only), physically destroy it, or overwrite every sector; NIST SP 800-88 accepts a single full overwrite for modern magnetic drives, and the old three-pass advice adds time but little assurance. Solid-state drives should be sanitized with the drive’s built-in secure-erase or cryptographic-erase command, since wear-leveling leaves copies that overwriting cannot reach. Companies such as Dell offer destruction services, but a vendor that handles your drives is a business associate: sign a business associate agreement and obtain a certificate of destruction before anything leaves your hands.
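As an added example (not code from the post or from SCG Health), the Go code below does what emptying the recycle bin does not: it overwrites a file’s bytes in place, forces them to the medium, truncates, and only then unlinks. The sample record in main is constructed. The caveats in the comments matter more than the code: per-file overwriting is only reliable on plain magnetic disks, while SSDs, journaling or copy-on-write filesystems, snapshots and backups keep copies this cannot reach, which is why whole-device sanitization (or full-disk encryption followed by destroying the key) is the right tool when a drive is retired.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
)

// OverwriteFile replaces every byte of the regular file at path with random data, in place,
// and forces the write to disk. It returns the number of bytes overwritten and does not
// remove the file; see Shred. A single random pass is what NIST SP 800-88 accepts for
// magnetic media. On an SSD the controller may write the new data to fresh flash cells and
// leave the old ones intact, so this is no substitute for the drive's own sanitize command.
func OverwriteFile(path string) (int64, error) {
	f, err := os.OpenFile(path, os.O_WRONLY, 0)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return 0, err
	}
	// Refuse devices, symlink targets that are not files, etc.; the caller asked for a file.
	if !info.Mode().IsRegular() {
		return 0, errors.New("refusing to overwrite a non-regular file")
	}
	// Copy exactly Size() bytes from the CSPRNG over the file, starting at offset 0.
	n, err := io.CopyN(f, rand.Reader, info.Size())
	if err != nil {
		return n, err
	}
	// Without Sync the new bytes may sit in the page cache while the old ones stay on disk.
	if err := f.Sync(); err != nil {
		return n, err
	}
	return n, nil
}

// Shred overwrites the file, truncates it to zero length, then unlinks it. Truncating first
// means a later undelete of the directory entry finds an empty file rather than the old blocks.
// Journaling and copy-on-write filesystems, snapshots and backups may still hold earlier
// copies of the content; this routine cannot reach those.
func Shred(path string) error {
	if _, err := OverwriteFile(path); err != nil {
		return err
	}
	if err := os.Truncate(path, 0); err != nil {
		return err
	}
	return os.Remove(path)
}

func main() {
	// Constructed sample record written to a temp file; not real patient data.
	f, err := os.CreateTemp("", "phi-*.txt")
	if err != nil {
		panic(err)
	}
	path := f.Name()
	f.WriteString("MRN 000123; DOB 1970-01-01; Dx: example\n")
	f.Close()

	if err := Shred(path); err != nil {
		panic(err)
	}
	_, err = os.Stat(path)
	fmt.Printf("%s shredded; still exists: %v\n", path, !os.IsNotExist(err))
}
```

Note that OverwriteFile reports how many bytes it actually wrote; a short count or an error from Sync means the old content may still be recoverable and the file must not be treated as destroyed.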

Overall, HIPAA violations can be avoided with a little training, education, attention and discipline. There are plenty of ways to protect your electronic information, but by following the procedures mentioned in this article, you will undoubtedly be on the right path to being HIPAA compliant.


Retention Laws Infographic

Don’t let your disposal vendor mishandle your trash into a HIPAA violation

Tuesday, January 17, 2017

By Marla Durben Hirsch , contributing writer

Photo: Adobe Systems Incorporated.

Providers continue to be confused as to how to dispose of their trash without running afoul of HIPAA. But the stakes are now higher – because it’s often the provider’s trash collector that’s exposing the patient data that’s in the garbage.

The Department of Health and Human Services’ Office for Civil Rights, (OCR) which enforces HIPAA’s privacy and security rules, has published guidance on proper disposal methods. While HIPAA doesn’t require particular processes, OCR suggests several, such as shredding, burning, pulping or pulverizing the records so that patient protected health information (PHI) is unreadable and cannot be reconstructed. Records treated this way are considered “secure”; a breach of them doesn’t even have to be reported.

However, many providers still don’t realize that they need to take this step as part of disposal. A number of them, including CVS, Rite Aid and Cornell Prescription Pharmacy have settled alleged HIPAA violations after disposing of unsecured records and other materials containing PHI in unlocked publicly accessible dumpsters. State attorneys general have also fined providers, even solo practitioners, for faulty trash disposal.

And it gets worse, since many providers have turned to outside vendors to dispose of their trash, and the vendors are making mistakes and exposing the PHI, violating HIPAA. The provider is ultimately liable even though it has entrusted the vendor to perform the disposal.

A simple Google search reveals a multitude of these incidents.

For example, the disposal company hired by physician owned Radiology Regional Center, with several facilities in Florida, exposed patient PHI in December 2015 when the back of the truck transporting the records to an incinerator opened, spilling the contents all over the road. While the Center spent considerable time combing the area and retrieving the records, it still had to notify 483,663 patients about the breach. The incident triggered a lawsuit in 2016 from several patients who claim, among other things, that the doctors were unaware of their obligations regarding proper trash disposal and admitted ignorance regarding it. That lawsuit is still pending.

And that may not be all. OCR has for the first time begun to train its sights on mistakes made by business associates. In 2016 the agency resolved several enforcement actions with providers and business associates for security breaches caused by the business associates. It would not be surprising for OCR to investigate Radiology Regional and other providers whose records have been compromised by their disposal company.

Review all of your business associate agreements with those handling PHI on your behalf to ensure that you are adequately protected in case the business associate exposes patient information. For example, the business associate should pay for the costs of the breach, such as the expense of notifying patients and offering them free credit monitoring. OCR has a model business associate agreement that can help you.

If you delegate trash disposal and destruction to an outside vendor, make sure you know how the vendor will safeguard the information and dispose of it. For instance, look to see if the containers the disposal company is using are sturdy. Ensure that the vendor’s staff is trained in HIPAA compliance.

Be proactive to the extent possible regarding your trash. Consider having the trash incinerated on site so it doesn’t have to be transported. Make the trash unreadable yourself before giving it to the vendor to cart away, say by shredding it or obliterating PHI with a marker. Had Radiology Regional Center taken some of those steps, it may not have been in the hot spot it is today.

Is it Time to Resurrect the National Patient Identifier?

Tuesday, October 11, 2016

By: Ben Regalado, Contributing Writer

In a continuing effort to reduce identity theft, last April Congress asked Medicare to eliminate Social Security Numbers from, as the New York Times noted, being “displayed, coded or embedded in the Medicare identification card.” 

Modern Healthcare reported that the new identification number, to be completely implemented by the end of 2019, will be a randomly generated 11-character Medicare Beneficiary Identifier (MBI) mixing numerals and letters, rather than the Social Security Number plus one or two additional letters.

With the federal government urging the change since at least 2004, and almost every commercial health plan having taken this step in the past several years, it would seem this move would be widely applauded. However, with implementation to begin within 18 months, what has been seen instead is complaints and concerns about everything from the need to reprogram numerous computer systems to the added complexity of an ever growing range of identification numbers and types. 

Of course, with Medicare closely intertwined with the Social Security Administration as well as the Department of Health & Human Services (DHHS), this MACRA-embedded mandate does not necessarily mean the use of Social Security Numbers is going away, only the printing of them on the Medicare ID cards. (That’s right: MACRA isn’t just about new payment models!)

Since Medicare wasn’t specifically told to generate a replacement number, much less stop using the number altogether, within a few years medical practices will find themselves in the odd position of asking for three forms of identity: the Medicare card, a photo ID, and a copy of the Social Security card.

However, while almost everyone carries a health plan card and a photo ID, few now carry their Social Security card, and many may be reluctant to share it. For that reason, it will be important to take the steps necessary to verify the information on file at each visit and not merely ask, “Has anything changed?” Medicare patients will have to be taught to expect this, as the frequency of visits often leads to a relaxed familiarity at best, and to offense at being repeatedly asked for the same information at worst.

Taking a broader view, all this has many (including us here at SCG Health) wondering if it isn’t time to go to back to the future and implement a national patient identifier that was called for, but never funded (and subsequently blocked), in the original HIPAA legislation. 

The impact of a national patient identifier could be broadly positive through:

  • Easier claims processing and routing as patients migrate between health plans.
  • Allowing different health information systems and EMRs to accurately share data that is critical to successful care coordination and quality initiatives which are the framework of newer payment methodologies.
  • Limiting the dollars spent on unnecessarily complex reprogramming to handle multiple types of identification numbers.

What do you think? Feel free to comment below, or, even better, share your thoughts with your member of Congress. Be ready to share them more than once in the coming months. With implementation of the new number to begin in the spring of 2018, the window for Congress to act will close fast, given that such legislation would likely not be taken up until the new Congress, President and his or her Administration take office in January.

Patient data breaches, HIPAA enforcement on the rise

Wednesday, February 04, 2015

by Marla Durben Hirsch

The number of data breaches tracked in 2014 hit a new high, with 783 breaches reported, up 27.5 percent from 2013, according to San Diego-based Identity Theft Resource Center. The leading cause of the breaches, 29 percent, was due to hacking, followed by third party/subcontractor breaches and accidental disclosures.

Unfortunately, the health care industry topped the data breach list, with 42.5 percent of breaches attributable to that sector. One of the largest breaches was suffered by Franklin, Tennessee-based Community Health Systems, which reported last summer that it had been hacked, compromising 4.5 million patient records. The health system operates 206 facilities in 29 states.

These incidents have brought the number of reported breaches of 500 or more records on the Department of Health and Human Services (HHS) website – also known as the "wall of shame" – to a staggering 1,196. (Breaches of fewer than 500 records must still be reported to HHS but are not made public.)

Perhaps not surprisingly, the number of government enforcement actions against HIPAA violators have also increased in 2014. HHS' Office for Civil Rights (OCR), which is in charge of HIPAA privacy and security compliance, stated in early 2014 that enforcement will be more "aggressive" and that a report of a data breach will likely lead to a subsequent investigation. (This new stance may be due in part to a report issued by HHS’ Office of Inspector General in November 2013 that cited OCR for inadequate enforcement).

There's also been an uptick in state enforcement activity. The HITECH Act of 2009, which amended HIPAA, granted state attorneys general the right to enforce HIPAA, and more of them are taking advantage of this authority. A number of states, such as Minnesota, California and Massachusetts, have already settled allegations of HIPAA violations with providers and business associates. Puerto Rico levied a record $6.8 million HIPAA fine against health insurer Triple-S Salud in February 2014 for a breach affecting only about 13,000 patients. In January 2015, the Indiana attorney general’s office fined a dentist $12,000 for hiring a company to dispose of patient records that did so by throwing them into a dumpster. This is the first time that state has sued for a HIPAA violation.

And in a relatively new development, individuals have increasingly been successful in using HIPAA as the standard of care in state privacy lawsuits. HIPAA does not grant people the right to sue for HIPAA violations, known as a "private right of action." But courts are now moving to allow HIPAA's rules to be used as more of a bright line. For instance, an appeals court upheld a $1.44 million breach of privacy verdict against Walgreens and one of its pharmacists in November 2014 under that theory. The pharmacist, who was dating the patient's ex-boyfriend, had accessed the patient’s records and shared them with the boyfriend, violating HIPAA; the boyfriend then threatened to use the information against the patient in a paternity lawsuit.

However, apparently some physician practices are not getting the memo about the importance of keeping patient records secure. A new survey of 1,037 practices published by NueMD found that only 62 percent provided annual HIPAA training, 45 percent had a breach notification policy, 40 percent were not aware that they needed agreements with their business associates, 36 percent were not aware that the HITECH Act had increased their compliance obligations, and 23 percent didn’t even have a HIPAA compliance plan.

The bottom line: double check that your practice is in compliance with HIPAA; if it isn't, take the necessary steps to get up to speed. Even the most careful practice can suffer a data breach, and the consequences can be very far reaching.

HHS website on breach notification

Identity Theft Resource Center announcement

NueMD survey

OIG report

Walgreens court of appeals decision

Announcement of Indiana dentist's HIPAA fine

Patient identity theft to procure fraudulent medical services on the rise

Thursday, March 13, 2014

The identifying information of a patient with health insurance is an extremely valuable commodity for thieves looking to defraud health care payers by billing phony services and supplies and keeping the money. So you had better believe they’ll be snooping around medical offices looking for opportunities afforded by those who don’t properly secure patient identifying information. 


About 3 percent of all identity theft cases involve medical services, according to data from the Federal Trade Commission. It makes sense – in order to file claims to defraud Medicare, Medicaid or another payer, there needs to be a patient on the claim that looks legitimate enough to get the payer to pay the claim. That’s where patient identity theft comes in to play.

In order to fight it, you need to be able to detect the behaviors of your staff that potentially expose your patient identifying information, implement safeguards to prevent it, know how to respond in the event it’s compromised to minimize the damage and reduce your risk by knowing how long you have to retain certain types of documentation. 

These are more than just best practices. While most providers, practice administrators and staff think of HIPAA for its requirements to protect patient privacy and to have patients acknowledge your notice of privacy practices, it also requires you to take steps to keep your patient identifying information secure. 

Violations can be costly. The HITECH Act of 2009 raised the potential annual penalty for even inadvertent HIPAA violations to $1.5 million per provision, up from $25,000. If you knowingly sell or otherwise profit from transferring patient protected health information, you probably wouldn’t be reading a blog about not doing that, but the penalties run up to 10 years in prison and a $250,000 fine.

Where is it happening?
You’re at risk for medical identity theft regardless of where your practice is located, but a report from the World Privacy Forum suggests the highest-risk areas in the United States are Texas, Florida, Arizona, New York and Southern California.

You may remember that Texas was a major hotspot for patient identities being stolen a few years ago and used for the fraudulent procurement of power mobility devices. It led to a CMS demonstration that required patients in high-fraud areas to obtain prior authorization before getting a power mobility device.

All of the above hotspots are on the prior authorization list except for Arizona. Illinois, Michigan and North Carolina – cited by CMS for high error and fraud rates – also appear on the CMS list.

Privacy a key consideration
While we’re focused on the security of patient identifying information, how you comply with the privacy aspects of HIPAA are a key driver in how much risk you are exposing yourself to when it comes to compliance with the security component. 

Here are some examples of privacy protections that also help to protect patient information from thieves:

Controlled layers of access: Patient PHI is generally shared throughout a medical group on a need-to-know basis, depending on the role of the person in the practice. Given the risk and prevalence of internal financial theft and loss that plagues medical practices, this also gives you added protection from a rogue employee who might steal and sell patient information. In a 2009 Medical Group Management Association survey, an astonishing 89 percent of respondents said they had at one point worked with someone who had stolen from a group practice.

Requests for additional documentation: When a payer asks for additional documentation as part of determining whether to pay a claim, the privacy rule dictates as part of the minimum necessary provision that you would send only the information necessary to help the payer adjudicate that claim. When you send the patient’s entire medical record, you take a risk that the information could end up compromised.

An example of how it works
To get a sense of how medical identity theft works, consider the unfortunate case of Brandon Reagin, whose medical identity was stolen prior to the HITECH Act, though that law may not have helped him much.

Reagin’s medical identity was stolen, which he didn’t realize until he was falsely accused of stealing a car. It gets worse. The thief, Arthur Watts, racked up more than $20,000 in hospital bills for hand surgery and for kidney treatments, posing as Reagin, causing hospitals to refer Reagin to collections and the state to seize his tax return.

Much of this was happening while he was serving in Iraq. What differentiates Reagin from many victims is that he was able to actually find out who the thief was, a small consideration as he fights years later to salvage his credit and continues to see collection notices.

Implications of patient identity theft
There are multiple impacts of patient identity theft on a medical group. When your practice has suffered a breach, the HIPAA omnibus rule that incorporates the HITECH Act changes presumes that an impermissible use or disclosure of PHI is a reportable breach, and puts the onus on you to demonstrate, through a documented risk assessment, that there is a low probability the information was compromised.

At the very least, when your practice compromises patient information in a way that must be reported, you can expect the negative publicity of the breach being reported and the cost to ensure the credit of the impacted patients is not damaged.

You may also face a heavy fine. HHS has come down hard on recent violators, particularly those who have not acted swiftly to report and deal with breaches.

In December, a Massachusetts dermatology group paid a $150,000 fine and put in a risk assessment plan after suffering a breach that compromised the information of roughly 2,200 patients. 

One of the reasons that HHS came down so hard on the group is that the group failed to promptly report the breach and take corrective action. The result, in effect, was to leave the patients dangling out there without even knowing their information was compromised.

A medical group practice is also exposed to medical identity theft in a second way: not by having its own data stolen or compromised, but by treating an impostor.

Consider that a patient may present to a group practice who is not all that he or she seems to be. When a medical identity is stolen, it is usually used to seek care or services by someone who is not the patient, as in the above case of Arthur Watts.

The practice renders the services in good faith, bills for them and gets paid. That opens up the practice to two risks.

First, the most obvious one, is that the practice is ultimately liable for repaying any insurance payments received for treating the patient who presented and was not the insured. When the payer finds out, expect it to seek prompt repayment.

The second is that medical identity thieves compromise your records. When you unwittingly provide a service for someone who misrepresents his or her identity, you end up creating a record for the person that could ultimately end up being commingled with records from other providers for the person who was the victim of the identity theft.

And sometimes, that person is in on the scam. Even as the economy struggles to recover and patients are spurred by the Affordable Care Act to find coverage, it’s not unusual for people to sell or give their medical identity to friends and loved ones who don’t have access to insurance. Sometimes, they’ll sell their own information for profit, with the buyer showing up at your practice to seek treatment.

Seek photo IDs, train staff
The best protection against being victimized by patients showing up at your practice misrepresenting themselves is to look at what are known as the Red Flag Rules.

Originally, the Red Flag Rules were to apply to medical group practices, until Congress clarified that they were for entities granting loans and mortgages. Nonetheless, it’s a best practice to verify patients’ photo identification at every visit and to authenticate change of address requests.

Don’t stop there. Make sure you have written policies in place to help detect, prevent and contain security breaches. Policies should be reviewed at least once a year by your physician board to make sure they are still current.

Appoint a privacy and security officer responsible for implementing and enforcing your privacy and security policies, as well as arranging training for new staff and refresher courses for your established staff. 

As we told you in our recent blog post on security – but it is worth repeating – make sure you are doing a thorough risk assessment of your practice at least once a year to spot and correct any vulnerabilities. You can be sure outsiders are regularly trying to hack into your system and get your patient identifying data, because it’s become too valuable for them to resist.


SCG Health is a tradename of the Searfoss Consulting Group, LLC. You may reproduce materials available on this site for your own personal use and for noncommercial distribution. For more information, please read the Content Sharing Policy. Art & design by SCG Health. DISCLAIMER: You should consult an attorney for individual advice regarding a particular set of facts and circumstances. SCG Health reserves the right to change the information on this website without notice.