Theft of thousands of schedules raises alarm for surgery managers

Tips offered for avoiding HIPAA case at your facility

A woman stole paper surgery schedules for about 4,500 patients at an Alabama hospital and used the names, dates of birth, and Social Security numbers to commit identity fraud, according to a media report.1

She has been charged with violations of the Health Insurance Portability and Accountability Act (HIPAA) and faces up 10 years in prison and a fine of up to $250,000 if convicted.

The woman took the schedules for previous years from a patient registration area while she was visiting a hospital patient several times between March 22, 2011, and April 8, 2011. "From the story...it appears that the hospital was keeping books of past surgical schedules," says Jonathan Beal, JD, health policy consultant for the Ambulatory Surgery Center Association. "She stole the books that had many records in them."

The police found the surgery schedules at a search of her house while conducting a fraud investigation, according to a newspaper report.

The hospital notified the patients whose records were stolen and offered a year of free credit monitoring. "As a result of the theft, the hospital is increasing security by changing access to the registration area of the involved department," the hospital said on its web site.2

Surgery providers should take note: They potentially could be liable for medical record theft, even if criminal activity is involved. "It would likely depend upon the foreseeability and whether the provider's security efforts were reasonable," says Robert Markette, of counsel at Benesch, Friedlander, Coplan & Aronoff, Indianapolis, IN. "If this was a preventable crime, the government might determine to assess a penalty."

While the Centers for Medicare and Medicaid Services (CMS) and accreditation groups have requirements about what identifying information must be included in the medical record, "none of this, however, means that this information has to be on the schedule," Beal says.

The Alabama theft appears to be caused due to problems with controlling access, Markette says. "If she was able to get back into the registration area on multiple occasions, she was probably also able to then grab a pile or pile of patient records. Laying stacks of old surgery schedules around seems like a risky way to do business," says Markette, who acknowledges that the records might simply have been in an unlocked file cabinet. If a staff member responsible for controlling access to an area has to leave, he or she should put protected health information (PHI) away and lock cabinets, he says.

"If an individual gains unauthorized access to an area, but is unable to obtain PHI, because the information is secured in cabinets or otherwise, this type of `crime of opportunity' might be prevented," Markette says.

Understand that medical record theft can happen anytime, Markette advises. "Thefts can occur while the hospital is open and staff are present," he says. "Some criminals are bold enough to simply try to walk into an area to see what they can get."

Don't allow visitors to be unaccompanied, Beal suggests. Staff members must be aware and must keep an eye on what individuals are coming and going, Markette says. "A staff person cannot leave the door unattended and just assume that because it is normal business hours, everything is OK," he says. "Hospital privacy officers need to train the personnel that facility access must be monitored at all times."

When your facility experiences theft of patient data, first determine the scope of the theft, Markette advises. Report the crime, and notify patients, he says. "Often, contemporaneously with this effort, policies and procedures should be reviewed to see if changing the policies and procedures would prevent a similar theft in the future," Markette says.

Include your HIPAA policies and procedures, he says. "Generally, they should be reviewed annually, but incidents like this can lead to the decision to review more frequently," Markette says.

Reference

  1. Goedert J. Woman Faces Criminal Charges for HIPAA Privacy Violations. HDM Breaking News. Accessed at http://www.healthdatamanagement.com/news.
  2. Trinity Medical Center. Trinity Medical Center Reports Unintentional Disclosure of Patient Information. Web: http://www.trinitymedicalonline.com/News.