5 Steps to Prevent Patient Identity Theft

The digitization of health data is increasing the risk that patient information will be lost or stolen. In response, regulators have updated requirements and imposed stricter enforcement codes to secure protected health information (PHI).

Physicians are required to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and are subject to new breach notification regulations issued by the Department of Health and Human Services (HHS). The Health Information Technology for Economic and Clinical Health (HITECH) Act now imposes penalties for violations, and negligent compliance practices can result in fines of up to $1.5 million per incident. Furthermore, each state’s Attorney General now has the authority to prosecute.

As patients become more concerned, they will and should demand assurance that their information is safe, especially if the medical practice outsources billing or other services. Medical practices vary in size and complexity, but the following five steps provide a path toward achieving the ultimate goal of protecting patient information.

1. Take a holistic approach

Good security requires you to consider the entire organization – the people, the business processes and the IT infrastructure. Failing to protect patient information can result in major costs and fines and seriously damage reputation. The cost of hiring an outside consultant to implement or test security is nominal compared to the cost of failing to protect PHI.

2. Develop a security plan

A thoughtful security plan should contain policies and standards that ensure best practices are followed and that there is responsibility and accountability throughout the organization.

3. Train staff

Having the most sophisticated IT security technology can’t prevent human error or weak controls. Information loss or theft is not always the result of a sophisticated attack. A lost thumb drive or sending unencrypted PHI via e-mail can be just as damaging. Small and medium-sized practices that don’t have the technical expertise should hire a trained IT security professional to implement or review security.

4. Implement industry best practices

HIPAA and HITECH provide guidance on specific ways to protect PHI. Best practices include encrypting PHI, implementing an effective network perimeter defense, monitoring data on the system and who is accessing it, controlling access to information on a need-to-know basis (both physical and electronic access), log monitoring and maintenance, and applying security patches and updating anti-virus and anti-spyware software. With the prevalence of data stolen or lost via USB memory sticks or e-mail, Data Loss Prevention (DLP) has become an important tool to protect PHI.

5. Obtain a SYSTRUST report from outsourced vendors

How do you know if you are adequately protecting patient information when services are outsourced? If any patient information is held by a third party, e.g., an outsourced billing company, the medical practice is still responsible for protecting its patients’ PHI and can require that the third party obtain a SYSTRUST report issued by an independent firm. This provides assurance that the third party has adequate controls related to the security, confidentiality and privacy of PHI.

Tyler Quinn provides SSAE 16 attestation and IT advisory services at Kaufman Rossin, one of the largest independent accounting and advisory firms in the Southeast. He can be reached at tquinn@kaufmanrossin.com.


Tyler Quinn, CISA, CPA, is an Assurance & Advisory Services Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.