Jean Baptiste Alvarez was found guilty of federal charges of conspiracy to defraud the United States with respect to false claims, misuse of a Social Security number, aggravated identity theft, and aiding or assisting in the preparation of false federal income tax returns. Alvarez was accused of stealing census sheets containing patient names, SSNs and DOBs from his employer, the Kirkbride Center, a behavioral health facility where Alvarez worked as a mental health tech. Alvarez sold the census sheets for $1,000 per sheet. The stolen information was then used to file fraudulent tax returns and obtain refunds, yielding, on average, $1,500 per refund. Due to the vulnerable nature of the victims, who struggled with mental health issues and drug addiction, Alvarez was sentenced to 5 years in prison and ordered to pay $266,985 restitution.
It is challenging, and sometimes impossible, for providers to prevent HIPAA breaches caused by determined criminals. However, providers should keep in mind that 29.7% of data breaches in the healthcare industry are caused by insiders. Almost 1/3 of data breaches come from within our own walls.
What can you do?
Screen. Be diligent about your background checks and excluded provider screens. Check references. This will minimize the likelihood of employing a criminal.
Consider insiders in your HIPAA security risk analysis and security mitigation plan. Most of our attention is spent trying to prevent ransomware, man-in-the-middle attacks, and burglars. But there are some things we can do to prevent insider attacks. For example, Alvarez was able to steal census sheets because they were stored on a floor without security cameras. Does your security camera system address insider threats, in addition to outsider threats?
The minimum necessary rule can also help mitigate threats from insiders and outsiders: only use and disclose the minimum necessary PHI needed to complete the task. In this case, a mental health tech was able to access a daily census sheet. Was this necessary? Is it necessary for a census sheet to have SSNs and birth dates? Consider these questions for all of your PHI, starting with the most used PHI and the most available.
Talk with your Security Officer and IT department about audits that can be done to flag suspicious activity in your EHR. Verify that access controls are in place, so employees cannot access records or levels of records beyond what their job function requires.
Finally, train staff to recognize potential PHI theft and report it to the Privacy or Security Officer or to your anonymous hotline, drop box or online form.
Not all HIPAA crimes can be prevented. But with a thoughtful HIPAA defense, you won’t be left wondering if you could have prevented a breach.