- Healthcare organizations of all sizes need to utilize proper audit controls to ensure that employees are remaining compliant and following proper procedure. Lacking administrative safeguards could lead to numerous types of malicious activity, such as medical identity theft or exposure of patient personal health information.
For example, a dental hygienist was recently sentenced following charges of healthcare fraud and aggravated identity theft.
Trial evidence showed that Cherie Dillon was working to defraud healthcare benefits programs, including Medicare, between January 1, 2010, and December 31, 2013 in Idaho.
“Even though Dillon was only a dental hygienist, she performed and billed for dental treatments that may only be performed by a dentist,” a Department of Justice statement explained. “These treatments included fillings, extractions, and dentures. Dillon also billed for dental hygiene services performed without the supervision and direction of a dentist, contrary to state law and licensing requirements.”
Dillon then received payments for the services, and fraudulently misrepresented that the treatments had been performed and supervised by a dentist.
"Fraudulent billings to Medicaid by unqualified providers diverts funding from this vital health care program and the vulnerable individuals who rely on it," Special Agent in Charge for the Office of Inspector General of the U.S. Department of Health and Human Services Steven Ryan said in a statement. “This sentence should be a warning to criminals considering plunder of government health care programs.”
The HIPAA minimum necessary standard is an important aspect of HIPAA compliance, and requires covered entities to “make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.”
“The minimum necessary standard requires that a covered entity limit who within the entity has access to protected health information, based on who needs access to perform their job duties,” HHS states on its website. “If a hospital employee is allowed to have routine, unimpeded access to patients’ medical records, where such access is not necessary for the hospital employee to do his job, the hospital is not applying the minimum necessary standard.”
Another recent DOJ case also highlights how administrative safeguards, including strong audit controls, can help organizations monitor how employees handle patient data.
A former Tufts Health Plan employee was sentenced toward the end of May 2017 for stealing patients’ personal identifying information.
Emeline Lubin started working at Tufts Health Plan in 2010, according to a DOJ statement. Lubin gave lists of customers’ personal identification information to another individual “in a scheme to steal Social Security benefits and to collect fraudulent income tax refunds by using stolen identities to file false income tax returns.”
DOJ added that 8,700 customers had their personal data affected in the incident. The information included names, dates of birth, and Social Security numbers, primarily of customers over the age of 65.
While no organization can fully guarantee that incidents of fraud or inappropriate access will never take place, entities should maintain current HIPAA safeguards. For example, updated audit controls can help organizations monitor which employees access certain databases or networks and when those systems are accessed.
OCR even reiterated the necessity of audit controls in its January 2017 cybersecurity newsletter.
“Audit logs are records of events based on applications, users, and systems,” OCR stated, citing NIST standards.
Then there are audit trails that consist of audit logs of applications, users, and systems, and are designed to “maintain a record of system activity by application processes and by user activity within systems and applications.”
Application audit trails, system-level audit trails, and user audit trails can all be implemented for stronger audit controls.
“The majority of information systems provide some level of audit controls with a reporting method, such as audit reports,” OCR maintained. “These controls are useful for recording and examining information system activity which also includes users and applications activity.”