CEO SUMMARY: “Nothing teaches like experience.” That adage aptly describes the lessons learned at a Seattle hospital after a case of patient identity theft surfaced. Laboratories and pathology groups must be just as alert to the potential for patient identity theft as they are to inappropriate disclosures of a patient’s health record. It’s one of the fastest-growing crimes in the Internet era.
FOR THE PAST TWO DECADES, laboratories and pathology group practices have concentrated on protecting patient health records. Well-established compliance programs to protect patient privacy are widespread.
Probably the most familiar example is HIV testing. Labs go to great lengths to ensure that only authorized individuals have access to the results of an HIV test.
However, how many laboratories and pathology groups have reviewed their patient privacy policies and procedures in the context of patient identity theft? This a relatively new threat and there’s been an explosion in the number of identity theft cases. It is a crime which is relatively easy, carries minimal risk of prosecution (at this time), and can be accomplished by people with few resources.
Identity theft is finding its way into healthcare. THE DARK REPORT predicts that protecting patient information from identity thieves will rapidly become the most important function of patient privacy policies and procedures. If this proves true, then laboratories and pathology group practices will want to be ahead of this trend—not behind it.
To help in this effort, THE DARK REPORT conducted exclusive interviews with two individuals. Julie Hamilton is the Corporate Integrity Officer at Seattle Cancer Care Alliance (SCCA). James J. Fredman, III, an attorney with Foster Pepper & Shefelman, served as outside counsel for SCCA during the federal investigation into the case of phlebotomist Richard W. Gibson, who committed patient identity theft and was convicted under the HIPAA statute. (See pages 2-4 and pages 9-10.)
With the help of Hamilton and Fredman, lab managers and pathologists will get answers to three basic questions triggered by this landmark case. First, how does law enforcement investigate these types of crimes? Second, why was the decision made to prosecute phlebotomist Gibson under HIPAA, instead of other criminal statutes? Third, what lessons has this hospital learned about improving its defense against patient identity theft?
Call To Privacy Hotline
Julie Hamilton laid out the story of this case, as it affected SCCA. “In early 2004, a patient telephoned the privacy hotline at SCCA, alleging that he had been the victim of identity theft involving credit cards and a Seattle address,” she stated.
In public statements, the patient, who lived in California, has stated that he traveled to Seattle to seek treatment at SCCA for acute lymphoblastic leukemia, an often fatal form of cancer, not often seen in adults. “This patient felt strongly that his critical privacy data had been stolen during his stay in Seattle,” recalled Hamilton.
TV News Broadcast
“Our privacy coordinator here at SCCA returned the patient’s call. On his own, the patient was deep in an investigation and provided us with a stack of information,” explained Hamilton. “About the time the patient contacted us, he had also caught the attention of a reporter at KING5 Television. They were preparing to broadcast a videotape the patient obtained from a local retailer’s surveil- lance tapes. The patient had obtained the cooperation of a retail store that had film of the suspect making a purchase at the cash register with a fraudulent credit card.
“Within minutes of the videotape’s broadcast, SCCA fielded calls from individuals who identified the suspect on the tape as one of our employees,” Hamilton recalled. “In fact, this tape was aired repeatedly. So we received calls from several people offering useful tips. We turned all that information over to the Seattle police.
“Within the hospital, we immediately investigated the situation,” said Hamilton. “We could not find any irregularities or unauthorized access to our multiple computer systems. We also audited scheduling and medical records systems and found nothing.”
“When we confirmed that the suspect was one of our employees, actions were taken to terminate the employee for cause,” stated Hamilton.
Once it was known that the suspect was Richard W. Gibson, newscasts began to broadcast his name and picture over several days. The suspect, in the company of his attorney, eventually turned himself in to the Seattle Police Department.
“The patient was not happy with the lack of response by the local police,” said Hamilton. “The patient informed us that he was contacting other government agencies, such as the FBI. After the FBI contacted us, we worked with them, providing education about our policies and procedures for patient privacy protection.
“To build their case, the FBI needed to know our policies, job functions of various personnel, which staff members have access to patient information, and why they need access to this information. We also took them through our electronic and paper-based systems so they could understand at what point a given employee would see critical identity data,” Hamilton noted.
“Throughout this phase of the investigation, we could never pinpoint how this patient’s information was obtained,” she added. “Between our internal audits and the FBI’s scrutiny, every aspect of our policies, operational practices, and documentation was intensely reviewed.
“In fact, because we could not pin-point the breach, after the FBI investigation was completed, we hired our own investigator—a retired FBI investigator—to do forensic analysis of our systems and the perpetrator’s computer,” she continued. “There was no unusual electronic access that we were able to find. Nor did we find evidence that other patient information might have been compromised.”
Because the patient had stirred up a large amount of publicity in Seattle about the theft of his identity by a phlebotomist while he was a severely-sick patient in a hospital bed, SCCA took proactive steps to assure its patients about the situation.
“Immediately we posted posters in the lobby which communicated our concerns about protecting patient privacy,” said Hamilton. “We also placed extra notices at all front desks regarding our privacy practices.
Communicating With Staff
“At the same time, we communicated with our staff. They were given ‘talking points’ to help them discuss privacy concerns with patients and their families,” she stated. “Because we had fielded several calls once the story broke on the news, I knew the concerns and questions to which our employees would need to respond.”
“Next was the issue of Social Security numbers (SSNs). SCCA does not use SSNs as patient identifiers. We assign unique patient numbers. But SCCA must obtain the SSN for patient safety and billing reasons. So it is in our system, although SSNs do not appear on a lot of paper,” emphasized Hamilton.
“For example, blood centers use SSNs, so we must use them for patient safety,” she continued. “Many insurance companies use SSNs as an identifier, although some are now eliminating that practice.
“To protect SSNs and other critical information, we took additional steps,” noted Hamilton. “We are further limiting the number of employees through- out our health system who have access to screens that contain SSNs.
Blinding The SSN
“One step we’ve taken is to upgrade our systems to blind the first several numbers of the SSN. For instance, laboratory personnel who only have access to the laboratory system can now see only the last four digits of the number,” she said. “We started with our LIS because it was a manageable system with a manager who could immediately implement the upgrade.
“SSNs in our electronic medical record system were also blinded in a similar fashion,” she explained. “We continue to upgrade other systems in our hospital with this blinding feature.
“Another change we implemented was to put temporary employees through the same training as permanent employees,” stated Hamilton. “In fact, training and awareness on this issue has been increased in all areas of our hospital. Now that a case of patient identity theft has occurred, it’s caught everyone’s attention. This type of crime is no longer theoretical for our staff. It’s real and people are on the alert.”
THE DARK REPORT observes that SCCA’s experience offers three critical lessons that labs and pathology groups can use to better protect against patient identity theft. First, raise the awareness of staff, patients, and their families through ongoing education. This must include how to protect against patient identity theft and what to do whenever it s suspected that a case of patient identity theft has occurred.
Second, limit access to SSNs and other sensitive patient information. Blocking some of the nine digits of the SSN on computer screens is one method that can add protection.
Third, in the event of a patient complaint involving possible identity theft, take immediate action and assure the patient that the provider will provide support in response to the situations. When the U.S. Attorney’s office evaluated SCCA’s compliance program, the fact that the patient said positive things about SCCA’s response and support may have been a determinant in the decision to pursue only the suspect as the guilty party.
Attorney Stresses Importance Of Effective Compliance Procedures
IN THE HIPAA CONVICTION involving patient identify theft by phlebotomist Richard W. Gibson, one individual with a front-row seat was attorney James J. Fredman, III, of Foster, Pepper, & Shefelman in Seattle, Washington.
As outside legal counsel to the Seattle Cancer Care Center (SCCA), Fredman worked with FBI investigators and the U.S. Attorney’s Office during the course of the investigation. He gained direct experience in how such agencies work with a provider to resolve these types of crimes.
“We wanted to be as cooperative as possible with the federal investigation,” stated Fredman. “Our fundamental argument was that the perpetrator acted out- side the scope of his employment when he committed the identity theft,” he explained. “Susan Loitz, the Assistant District Attorney who prosecuted the case (see pages 2-4) was amenable to our position. One major reason for this outcome was both the tight compliance of SCCA on HIPAA polices and SCCA’s cooperation throughout the investigation.
“SCCA is an organization that does as well as any provider can to maintain a high level of compliance,” he added. “It was also helpful that the patient victimized by the identity theft testified that, once he alerted SCCA to the crime, it responded appropriately to support him and his efforts to identify the criminal and bring him to justice.”
For Fredman, there is one key lesson to add to others identified by Julie Hamilton, Corporate Integrity Officer at SCCA. “It is important for each provider to regularly reassess its risk to these types of crimes on an ongoing basis. It is just as important that these assessments trigger proactive action on the issues identified.
“For SCCA, it was both its solid compliance program and an effective policy of ongoing risk assessment that played an important role in the decision by federal prosecutors to hold neither the institution nor individual managers responsible for the HIPAA violations committed by Gibson.
“That should send a clear message to all healthcare administrators and physicians,” offered Fredman. “A provider’s best defense in these situations is a well-executed compliance program. This is the best and most effective way to protect the provider and its management team, in the event that a renegade employee commits crimes that violate the HIPAA statute.”