Check security of 'up front' areas

Penalties are very high

Unintentional fraud can take many forms in patient access areas, including some involving protected health information (PHI), says Dan Schulte, executive vice president of revenue cycle solutions at The Outsource Group in St. Louis, MO.

"Patient access areas are up front in the organization," he says. "Each entry point multiplies the opportunity for identity theft. Hospitals need to rigorously maintain the same level of security at every site."

The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act are federal laws that allow the courts to assess civil monetary penalties ranging from $100 to $50,000 per violation, with an annual limit of up to $1.5 million.

These same laws permit a judge to assess up to five years in prison for criminal acts regarding privacy breaches, he warns. In addition, states' attorneys general can levy fines and assign attorney costs to the convicted defendant.

There are hundreds of examples of lost and stolen PHI in the news, including a national drugstore chain penalized $2.25 million for mishandling its PHI, and another group fined $100,000 for losing laptops and data files, says Schulte. "These fines are the direct result of a lack of discipline regarding PHI," he says. "Criminal activity by employees will reflect negatively on hospitals, as well."

The False Claims Act, the Civil Monetary Penalty Laws, HIPAA, and HITECH have significantly increased the need for careful stewardship of data in healthcare, with a growing ability for the government to impose severe sanctions on accidental and intentional violations of patient privacy, says Schulte.

"Healthcare has seen a consistent increase in regulatory policy since the early 1990s, as an outgrowth of audits and fallout from the aerospace and banking industries' failure to establish compliant cultural environments," Schulte says.