RE: Patient Identification Theft - Records Stolen -- Need suggest...

[Guest guest]

Dear ,

I had a PT practice contact me for consulting services after one of their

employee's stole the credit card number for three patients and used it to

purchase nearly $4K in goods and services from local merchants. We

immediately implemented Red Flag Rule policies and procedures, paid for each

patient to run a history of their credit for the next three years ($49 year),

purchased an identity theft policy for each patient (less than $100 for one

year) and paid back each patient for the amount that was fraudulently charged

to their credit card along with interest (upon the advise of the client's

attorney). Additionally, all four of his current financial/administrative

employees went through a thorough background check and are now bonded. The

client chose not to file charges against the employee as he felt that he

did not have proper internal controls in place to avoid this from happening.

All three of the patients were satisfied that the client took proper

measures to make them whole again and more importantly, to avoid (hopefully)

this from happening in the future and thusly, no legal action was taken

against the client. A detailed incident report completed by the clinic owner

and signed by all three patients is on file in the event one or all three

patients later decide to take legal action against the clinic.

On a similar note, we have clients who have adopted very strict policies

against removing medical records/files/patient financial records and lap tops

from the office for this very reason. Stuff happens! While I am not an

attorney, I work with a number of attorneys that I feel strongly would

advise your colleague to adopt a similar policy and complete an incident

report

for both HIPAA and compliance purposes.

Wishing you and your colleague the best of luck in finding an answer to

this dilemma.

Sincerely,

Vickie

D. Cavitt, President

Medical Legal Alliance, L.L.C.

600 Guilbeau Road, Suite A

Lafayette, LA 70506

In a message dated 3/30/2011 3:09:21 P.M. Central Daylight Time,

pkovacek@... writes:

PTManagers

I am hoping someone on this list can help with a situation that I have no

experience with.

A PT colleague of mine had his car broken into and a small number of

patient

records were stolen. Patient records were typical notes etc but were full

charts with patient specific information that would be valuable to an

identity thief.

The therapist has identified all the missing charts, met with each patient

to explain the situation and provided each patient with an identify theft

protection plan for at least the next 12 months. Fortunately, because he

got

to the patients immediately, there is not a public relations issue with the

patients.

If anyone else has [unfortunately] had any experience with this sort of

event, are there other actions that the therapist should take to

protect himself, his company and his patients?

Thanks in advance for your ideas and suggestions.

Kovacek, PT, DPT, MSA

_PKovacek@..._ (mailto:PKovacek@...)

Cell

Personal Fax (313) 286-0913

www.PTManager.com

[Non-text portions of this message have been removed]

[Guest guest]

Dear ,

I had a PT practice contact me for consulting services after one of their

employee's stole the credit card number for three patients and used it to

purchase nearly $4K in goods and services from local merchants. We

immediately implemented Red Flag Rule policies and procedures, paid for each

patient to run a history of their credit for the next three years ($49 year),

purchased an identity theft policy for each patient (less than $100 for one

year) and paid back each patient for the amount that was fraudulently charged

to their credit card along with interest (upon the advise of the client's

attorney). Additionally, all four of his current financial/administrative

employees went through a thorough background check and are now bonded. The

client chose not to file charges against the employee as he felt that he

did not have proper internal controls in place to avoid this from happening.

All three of the patients were satisfied that the client took proper

measures to make them whole again and more importantly, to avoid (hopefully)

this from happening in the future and thusly, no legal action was taken

against the client. A detailed incident report completed by the clinic owner

and signed by all three patients is on file in the event one or all three

patients later decide to take legal action against the clinic.

On a similar note, we have clients who have adopted very strict policies

against removing medical records/files/patient financial records and lap tops

from the office for this very reason. Stuff happens! While I am not an

attorney, I work with a number of attorneys that I feel strongly would

advise your colleague to adopt a similar policy and complete an incident

report

for both HIPAA and compliance purposes.

Wishing you and your colleague the best of luck in finding an answer to

this dilemma.

Sincerely,

Vickie

D. Cavitt, President

Medical Legal Alliance, L.L.C.

600 Guilbeau Road, Suite A

Lafayette, LA 70506

In a message dated 3/30/2011 3:09:21 P.M. Central Daylight Time,

pkovacek@... writes:

PTManagers

I am hoping someone on this list can help with a situation that I have no

experience with.

A PT colleague of mine had his car broken into and a small number of

patient

records were stolen. Patient records were typical notes etc but were full

charts with patient specific information that would be valuable to an

identity thief.

The therapist has identified all the missing charts, met with each patient

to explain the situation and provided each patient with an identify theft

protection plan for at least the next 12 months. Fortunately, because he

got

to the patients immediately, there is not a public relations issue with the

patients.

If anyone else has [unfortunately] had any experience with this sort of

event, are there other actions that the therapist should take to

protect himself, his company and his patients?

Thanks in advance for your ideas and suggestions.

Kovacek, PT, DPT, MSA

_PKovacek@..._ (mailto:PKovacek@...)

Cell

Personal Fax (313) 286-0913

www.PTManager.com

[Non-text portions of this message have been removed]

[Guest guest]

, Vickie, et. al.

Strong agreement about keeping records inside the clinic. Whei I operated

several private clinics, we once had a severely injured patient who'd been a

reseacher for a major pharmaceutical manufacturer. She had been

transporting a number of clinical research records in her personal

automobile when she was unfortunately " T-Boned " by an 18-wheeler, scattering

car and contents, strewing paper everywhere!

The research was lost. She survived, but had residual disability. It

wasn't her fault. Since I had been accustomed to taking charts home with me

to bring up to date from time to time, I learned a lot from that tragedy.

Dr. Dick Hillyer

(Off to Orlando today for the FPTA Spring Conference!)

Hillyer, PT,DPT,MBA,MSM

Hillyer Consulting

700 El Dorado Pkwy W.

Cape Coral, FL 33914

Mobile

_____

From: PTManager [mailto:PTManager ] On Behalf

Of mlavcavitt@...

Sent: Thursday, March 31, 2011 1:58 AM

To: PTManager

Subject: Re: Patient Identification Theft - Records Stolen --

Need suggest...

Dear ,

I had a PT practice contact me for consulting services after one of their

employee's stole the credit card number for three patients and used it to

purchase nearly $4K in goods and services from local merchants. We

immediately implemented Red Flag Rule policies and procedures, paid for each

patient to run a history of their credit for the next three years ($49

year),

purchased an identity theft policy for each patient (less than $100 for one

year) and paid back each patient for the amount that was fraudulently

charged

to their credit card along with interest (upon the advise of the client's

attorney). Additionally, all four of his current financial/administrative

employees went through a thorough background check and are now bonded. The

client chose not to file charges against the employee as he felt that he

did not have proper internal controls in place to avoid this from happening.

All three of the patients were satisfied that the client took proper

measures to make them whole again and more importantly, to avoid (hopefully)

this from happening in the future and thusly, no legal action was taken

against the client. A detailed incident report completed by the clinic owner

and signed by all three patients is on file in the event one or all three

patients later decide to take legal action against the clinic.

On a similar note, we have clients who have adopted very strict policies

against removing medical records/files/patient financial records and lap

tops

from the office for this very reason. Stuff happens! While I am not an

attorney, I work with a number of attorneys that I feel strongly would

advise your colleague to adopt a similar policy and complete an incident

report

for both HIPAA and compliance purposes.

Wishing you and your colleague the best of luck in finding an answer to

this dilemma.

Sincerely,

Vickie

D. Cavitt, President

Medical Legal Alliance, L.L.C.

600 Guilbeau Road, Suite A

Lafayette, LA 70506

In a message dated 3/30/2011 3:09:21 P.M. Central Daylight Time,

pkovacek@... <mailto:pkovacek%40ptmanager.com> writes:

PTManagers

I am hoping someone on this list can help with a situation that I have no

experience with.

A PT colleague of mine had his car broken into and a small number of

patient

records were stolen. Patient records were typical notes etc but were full

charts with patient specific information that would be valuable to an

identity thief.

The therapist has identified all the missing charts, met with each patient

to explain the situation and provided each patient with an identify theft

protection plan for at least the next 12 months. Fortunately, because he

got

to the patients immediately, there is not a public relations issue with the

patients.

If anyone else has [unfortunately] had any experience with this sort of

event, are there other actions that the therapist should take to

protect himself, his company and his patients?

Thanks in advance for your ideas and suggestions.

Kovacek, PT, DPT, MSA

_PKovacek@... <mailto:_PKovacek%40PTManager.com> _

(mailto:PKovacek@... <mailto:PKovacek%40PTManager.com> )

Cell

Personal Fax

www.PTManager.com

[Guest guest]

Thanks for all the good responses. We've gotten a great deal of information to

proceed. One piece I left off of the original post. The patients were being

seen as outpatients in the home - there is no clinic location. Records that

were in the car were those for patients that had been seen that day only. This

makes a bit of an argument for electronic [server based] documentation

but...that is a whole 'nuther can of worms.

Thanks again for all the great responses

>

> , Vickie, et. al.

>

> Strong agreement about keeping records inside the clinic. Whei I operated

> several private clinics, we once had a severely injured patient who'd been a

> reseacher for a major pharmaceutical manufacturer. She had been

> transporting a number of clinical research records in her personal

> automobile when she was unfortunately " T-Boned " by an 18-wheeler, scattering

> car and contents, strewing paper everywhere!

>

> The research was lost. She survived, but had residual disability. It

> wasn't her fault. Since I had been accustomed to taking charts home with me

> to bring up to date from time to time, I learned a lot from that tragedy.

>

> Dr. Dick Hillyer

> (Off to Orlando today for the FPTA Spring Conference!)

>

>

> Hillyer, PT,DPT,MBA,MSM

> Hillyer Consulting

> 700 El Dorado Pkwy W.

> Cape Coral, FL 33914

>

> Mobile

>

>

> _____

>

> From: PTManager [mailto:PTManager ] On Behalf

> Of mlavcavitt@...

> Sent: Thursday, March 31, 2011 1:58 AM

> To: PTManager

> Subject: Re: Patient Identification Theft - Records Stolen --

> Need suggest...

>

>

>

>

> Dear ,

>

> I had a PT practice contact me for consulting services after one of their

> employee's stole the credit card number for three patients and used it to

> purchase nearly $4K in goods and services from local merchants. We

> immediately implemented Red Flag Rule policies and procedures, paid for each

>

> patient to run a history of their credit for the next three years ($49

> year),

> purchased an identity theft policy for each patient (less than $100 for one

> year) and paid back each patient for the amount that was fraudulently

> charged

> to their credit card along with interest (upon the advise of the client's

> attorney). Additionally, all four of his current financial/administrative

> employees went through a thorough background check and are now bonded. The

> client chose not to file charges against the employee as he felt that he

> did not have proper internal controls in place to avoid this from happening.

>

> All three of the patients were satisfied that the client took proper

> measures to make them whole again and more importantly, to avoid (hopefully)

>

> this from happening in the future and thusly, no legal action was taken

> against the client. A detailed incident report completed by the clinic owner

>

> and signed by all three patients is on file in the event one or all three

> patients later decide to take legal action against the clinic.

>

> On a similar note, we have clients who have adopted very strict policies

> against removing medical records/files/patient financial records and lap

> tops

> from the office for this very reason. Stuff happens! While I am not an

> attorney, I work with a number of attorneys that I feel strongly would

> advise your colleague to adopt a similar policy and complete an incident

> report

> for both HIPAA and compliance purposes.

>

> Wishing you and your colleague the best of luck in finding an answer to

> this dilemma.

>

> Sincerely,

> Vickie

>

> D. Cavitt, President

> Medical Legal Alliance, L.L.C.

> 600 Guilbeau Road, Suite A

> Lafayette, LA 70506

>

>

>

>

>

>

>

> In a message dated 3/30/2011 3:09:21 P.M. Central Daylight Time,

> pkovacek@... <mailto:pkovacek%40ptmanager.com> writes:

>

> PTManagers

>

> I am hoping someone on this list can help with a situation that I have no

> experience with.

>

> A PT colleague of mine had his car broken into and a small number of

> patient

> records were stolen. Patient records were typical notes etc but were full

> charts with patient specific information that would be valuable to an

> identity thief.

>

> The therapist has identified all the missing charts, met with each patient

> to explain the situation and provided each patient with an identify theft

> protection plan for at least the next 12 months. Fortunately, because he

> got

> to the patients immediately, there is not a public relations issue with the

> patients.

>

> If anyone else has [unfortunately] had any experience with this sort of

> event, are there other actions that the therapist should take to

> protect himself, his company and his patients?

>

> Thanks in advance for your ideas and suggestions.

>

> Kovacek, PT, DPT, MSA

>

> _PKovacek@... <mailto:_PKovacek%40PTManager.com> _

> (mailto:PKovacek@... <mailto:PKovacek%40PTManager.com> )

> Cell

> Personal Fax

> www.PTManager.com

>

>

[Guest guest]

Thanks for all the good responses. We've gotten a great deal of information to

proceed. One piece I left off of the original post. The patients were being

seen as outpatients in the home - there is no clinic location. Records that

were in the car were those for patients that had been seen that day only. This

makes a bit of an argument for electronic [server based] documentation

but...that is a whole 'nuther can of worms.

Thanks again for all the great responses

>

> , Vickie, et. al.

>

> Strong agreement about keeping records inside the clinic. Whei I operated

> several private clinics, we once had a severely injured patient who'd been a

> reseacher for a major pharmaceutical manufacturer. She had been

> transporting a number of clinical research records in her personal

> automobile when she was unfortunately " T-Boned " by an 18-wheeler, scattering

> car and contents, strewing paper everywhere!

>

> The research was lost. She survived, but had residual disability. It

> wasn't her fault. Since I had been accustomed to taking charts home with me

> to bring up to date from time to time, I learned a lot from that tragedy.

>

> Dr. Dick Hillyer

> (Off to Orlando today for the FPTA Spring Conference!)

>

>

> Hillyer, PT,DPT,MBA,MSM

> Hillyer Consulting

> 700 El Dorado Pkwy W.

> Cape Coral, FL 33914

>

> Mobile

>

>

> _____

>

> From: PTManager [mailto:PTManager ] On Behalf

> Of mlavcavitt@...

> Sent: Thursday, March 31, 2011 1:58 AM

> To: PTManager

> Subject: Re: Patient Identification Theft - Records Stolen --

> Need suggest...

>

>

>

>

> Dear ,

>

> I had a PT practice contact me for consulting services after one of their

> employee's stole the credit card number for three patients and used it to

> purchase nearly $4K in goods and services from local merchants. We

> immediately implemented Red Flag Rule policies and procedures, paid for each

>

> patient to run a history of their credit for the next three years ($49

> year),

> purchased an identity theft policy for each patient (less than $100 for one

> year) and paid back each patient for the amount that was fraudulently

> charged

> to their credit card along with interest (upon the advise of the client's

> attorney). Additionally, all four of his current financial/administrative

> employees went through a thorough background check and are now bonded. The

> client chose not to file charges against the employee as he felt that he

> did not have proper internal controls in place to avoid this from happening.

>

> All three of the patients were satisfied that the client took proper

> measures to make them whole again and more importantly, to avoid (hopefully)

>

> this from happening in the future and thusly, no legal action was taken

> against the client. A detailed incident report completed by the clinic owner

>

> and signed by all three patients is on file in the event one or all three

> patients later decide to take legal action against the clinic.

>

> On a similar note, we have clients who have adopted very strict policies

> against removing medical records/files/patient financial records and lap

> tops

> from the office for this very reason. Stuff happens! While I am not an

> attorney, I work with a number of attorneys that I feel strongly would

> advise your colleague to adopt a similar policy and complete an incident

> report

> for both HIPAA and compliance purposes.

>

> Wishing you and your colleague the best of luck in finding an answer to

> this dilemma.

>

> Sincerely,

> Vickie

>

> D. Cavitt, President

> Medical Legal Alliance, L.L.C.

> 600 Guilbeau Road, Suite A

> Lafayette, LA 70506

>

>

>

>

>

>

>

> In a message dated 3/30/2011 3:09:21 P.M. Central Daylight Time,

> pkovacek@... <mailto:pkovacek%40ptmanager.com> writes:

>

> PTManagers

>

> I am hoping someone on this list can help with a situation that I have no

> experience with.

>

> A PT colleague of mine had his car broken into and a small number of

> patient

> records were stolen. Patient records were typical notes etc but were full

> charts with patient specific information that would be valuable to an

> identity thief.

>

> The therapist has identified all the missing charts, met with each patient

> to explain the situation and provided each patient with an identify theft

> protection plan for at least the next 12 months. Fortunately, because he

> got

> to the patients immediately, there is not a public relations issue with the

> patients.

>

> If anyone else has [unfortunately] had any experience with this sort of

> event, are there other actions that the therapist should take to

> protect himself, his company and his patients?

>

> Thanks in advance for your ideas and suggestions.

>

> Kovacek, PT, DPT, MSA

>

> _PKovacek@... <mailto:_PKovacek%40PTManager.com> _

> (mailto:PKovacek@... <mailto:PKovacek%40PTManager.com> )

> Cell

> Personal Fax

> www.PTManager.com

>

>