The theft of PHI by healthcare staff is a difficult issue for HIPAA-covered entities to prevent, and each year many healthcare employees are indicted for fraud and for improperly accessing patient data. For some employees, the value of the data, and of the goods and services that the information can be used to obtain, proves to be too much of a temptation.
A recent report on Atlanta radio station WABE highlighted the problem. The station reported on a wellness nurse practitioner in Stone Mountain who had accessed the confidential PHI of at least 20 individuals and then used the information to make fraudulent claims for services which she did not perform.
Daphne Patterson was indicted by a grand jury this week and is alleged to have used her position to inappropriately obtain PHI, and then to use it to commit identity and healthcare fraud. She is alleged to have billed five health insurance companies for bogus treatments and services performed, including a number of tests for allergies.
Theft of PHI by Healthcare Staff is Difficult to Prevent
Even though she never met many of the patients, let alone provided medical services, she was able to obtain their information and use their insurance provider details to bill insurers for the treatments. The claims are reported to have been for more than $2.2 million and allowed her to fuel her extravagant lifestyle. She used the money she was able to obtain – reported to be around $1 million – to make expensive and extravagant purchases, mostly jewelry and watches.
The offenses took place between May 2013 and September 2014. According to the prosecutors, they first occurred when she was working part-time at Lawrenceville’s Family Medical Center, and she continued to fraudulently use patient data from her own private Stone Mountain practice, Healthier U 4 Ever. Medical insurance fraud carries stiff penalties, and if found guilty, Patterson could be sentenced to up to 20 years in prison for the offenses.
In this case the person responsible is being brought to justice; however, each year many cases of employee theft and snooping go unreported. Covered entities have a duty to protect the privacy of patients and need to implement the appropriate administrative, technical and physical controls to safeguard their data. Internal controls must also be used to restrict access to the data. It is not possible to eliminate the threat of theft of PHI by healthcare staff; however, it is possible to implement safeguards to reduce the risk to a minimal level.