HIPAA Resources

Protecting PHI During an Embezzlement Investigation


Welcome to a Bite-Size HIPAA® Q&A article, where we answer your questions about how HIPAA applies to your dental practice. We recently received the following question in our Bite-Size HIPAA® Q&A inbox. The writer says:

“Hi, Todd. I could use your help. I recently discovered that a long-time, trusted employee has been embezzling money from my practice. The employee has been terminated and I’ve changed passwords and permissions with our banks and insurance providers. I’ve involved both a forensic accountant and local law enforcement. Both require access to practice records that contain patient health information. Do I need to do anything, or require anything from law enforcement, before I give them access to the information they’re requesting?”

Thank you for the question. I am so sorry you are going through this. It's not every day that you find yourself facing a situation like discovering a long-time, trusted employee has been embezzling money from your practice. Bringing in a forensic accountant and involving law enforcement is a wise move. You will need help to unravel the financial mess and involving law enforcement is essential for pursuing legal action against the embezzler. It's a tough pill to swallow, but you're not alone in this journey.

Let’s explore what guidance the HIPAA law provides that we can apply to this situation.

Is It PHI?

Our first step is always to ask whether the information we are concerned about is actually protected health information. Remember, PHI includes any data about a healthcare treatment or payment that could be linked to a particular person.

Before granting access to your practice records, you need to ensure you understand what data they need access to, determine if it is PHI, and understand if the disclosure is allowed under a permitted disclosure rule, or if you need to get patient authorization instead.

In this case, depending on how your financial records are maintained, it might be possible to give the accountant and law enforcement the data they need without disclosing any PHI. Some systems allow you to store financial data without any personal identifying information. Work with these professionals to ensure you have a clear understanding of what they need and why. If they can get what they need without gaining access to any individually-identifiable patient data, then there are no HIPAA concerns. However, if it looks like they need deeper access, then we need to determine if that is allowed. Consider working with your Practice Management Software tech support to find out if you can get the financial data without disclosing data that identifies your patients.

Three Exceptions

Next, let's see if HIPAA allows the disclosure. Remember, our basic rule is that you cannot disclose PHI without patient authorization unless a specific permitted disclosure rule applies. The big three permitted disclosure rules, treatment, payment, and healthcare operations, do not apply here, so we will need to look deeper.


Regarding your forensic accountant, there is not a specific permitted disclosure rule, but they would be acting as your Business Associate, so they can access any PHI that they need in order to perform their job. Clearly communicate your concerns about patient data confidentiality and have them sign a BAA.

As for law enforcement, they will not be a Business Associate, but there is a specific disclosure rule that applies to this situation. Section 164.512(f)(5) states that a covered entity can disclose PHI to law enforcement that it believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity.

In both cases, ensure that any information shared with forensic accountants or law enforcement is done in compliance with HIPAA rules. Limit the sharing of patient data to what's necessary for the investigation, and be diligent about maintaining records of who accessed what.

Keep meticulous records of all interactions, permissions granted, and access to patient health information. This documentation will not only help you stay compliant, but also serve as a valuable resource in case you need to take legal action or seek restitution.
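The two practical steps above, handing investigators a financial-only extract that carries no patient identifiers, and keeping a record of every disclosure, can be made mechanical rather than left to memory. The following Python script is an added illustration written for this article; it is not code from the article, from Todd Baker, or from any practice management product. The ledger rows, field names, key, and investigator descriptions are all constructed assumptions. It keeps only the financial columns, replaces the patient reference with a keyed pseudonym so one account's transactions stay linkable without exposing the name (the key never leaves the practice), refuses to produce an export that still contains an identifying field, and writes a disclosure log entry that records who received what, on which basis, and a hash of exactly what was handed over. Whether the pseudonymised output still counts as PHI is the determination the article tells you to make with your software vendor and counsel; the script only removes the direct identifiers and records the disclosure.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample ledger rows; every name, date and amount is fictional.
LEDGER = [
    {"txn_id": "T1001", "date": "2024-03-04", "patient_id": "P-42",
     "patient_name": "Jane Roe", "dob": "1980-01-02", "procedure": "D0120",
     "amount": 150.00, "method": "cash", "adjustment": 0.00, "posted_by": "ofc_mgr"},
    {"txn_id": "T1002", "date": "2024-03-04", "patient_id": "P-42",
     "patient_name": "Jane Roe", "dob": "1980-01-02", "procedure": "D1110",
     "amount": 95.00, "method": "card", "adjustment": -95.00, "posted_by": "ofc_mgr"},
    {"txn_id": "T1003", "date": "2024-03-05", "patient_id": "P-77",
     "patient_name": "John Doe", "dob": "1975-06-30", "procedure": "D2391",
     "amount": 210.00, "method": "cash", "adjustment": -210.00, "posted_by": "ofc_mgr"},
]

# Fields that identify the patient or describe treatment (assumed layout).
# They must never appear in a financial-only export.
IDENTIFYING_FIELDS = {"patient_id", "patient_name", "dob", "procedure"}

# Fields the investigators actually need for the money trail (assumed).
FINANCIAL_FIELDS = ["txn_id", "date", "amount", "method", "adjustment", "posted_by"]


def pseudonym(patient_id: str, key: bytes) -> str:
    """Keyed hash of the internal patient reference.

    Transactions for the same account share a pseudonym, so the accountant can
    still see a pattern per account, but the key that maps it back stays with
    the practice and is not part of the export.
    """
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:12]


def minimised_export(rows: list, key: bytes) -> list:
    """Return only the financial columns plus a pseudonymous account tag."""
    out = []
    for row in rows:
        rec = {f: row[f] for f in FINANCIAL_FIELDS}
        rec["account"] = pseudonym(row["patient_id"], key)
        out.append(rec)
    return out


def contains_identifiers(rows: list) -> bool:
    """True if any row still carries an identifying field (final gate before release)."""
    return any(f in IDENTIFYING_FIELDS for row in rows for f in row)


def log_disclosure(log: list, recipient: str, purpose: str, basis: str, rows: list) -> dict:
    """Append one disclosure record: who, why, under which rule, which fields,
    how many rows, and a hash of the exact content released."""
    if contains_identifiers(rows):
        raise ValueError("refusing to log/release an export that still contains identifiers")
    entry = {
        "when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "recipient": recipient,
        "purpose": purpose,
        "basis": basis,
        "fields": sorted(rows[0].keys()) if rows else [],
        "row_count": len(rows),
        "content_sha256": hashlib.sha256(
            json.dumps(rows, sort_keys=True).encode()).hexdigest(),
    }
    log.append(entry)
    return entry


if __name__ == "__main__":
    # Constructed key; a real one would be a secret held only by the practice.
    KEY = b"practice-local-pseudonym-key"
    export = minimised_export(LEDGER, KEY)
    disclosure_log = []
    log_disclosure(disclosure_log, "forensic accountant (under BAA)",
                   "embezzlement investigation", "business associate", export)
    print(json.dumps(export, indent=1))
    print(json.dumps(disclosure_log, indent=1))
```

The hash of the released content is what lets you later show exactly which rows the accountant or the police received, which is the kind of record the paragraph above asks you to keep; the identifier gate in `log_disclosure` means a mistaken full export cannot be logged as a minimised one.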

This is a complex situation, so don't hesitate to consult with an attorney specializing in healthcare or business law. They can guide you through the legal aspects, including how to safeguard patient data and ensure your actions are in line with the law.

Finally, stay vigilant. Even after the immediate crisis is resolved, continue monitoring your practice's financial transactions and data security. Implement tighter controls and regularly review access permissions to prevent future breaches.

You're taking the right steps to rectify the situation and protect your practice's integrity. It's a challenging journey, but with patience, professionalism, and a commitment to safeguarding patient health information, you can navigate through it successfully.

Have a HIPAA Question?

If you have a HIPAA question related to the day-to-day operations of your dental practice, feel free to send it my way. My email address is todd(at)bitesizehipaa(dot)com. I can’t promise I’ll be able to get to every question submitted, but I’ll do my best to find the most applicable ones to address in future Bite-Size HIPAA® Q&As.


Todd Baker, JD, CIPP

HIPAA & Privacy Attorney

Todd Baker is a uniquely qualified attorney with extensive experience regarding the intersection of HIPAA and technology. Todd earned his undergraduate degree in business at Boise State University and completed his law degree at the University of Virginia School of Law.

HIPAA education, compliance, and accountability created specifically for dental practices.

If you haven’t made HIPAA a priority yet, start today. Give us a little bit of your time and we’ll teach you about the HIPAA Law, why it exists, and how, if done right, you can protect your patients and your practice from a variety of very real threats that inherently exist in today’s dentistry.