
Former Doctor Pleads Guilty to HIPAA Violation

A former physician has pleaded guilty to violating the US Health Insurance Portability and Accountability Act (HIPAA). Frank Alario pleaded guilty “to conspiring to wrongfully disclose patients’ individually identifiable health information to pharmaceutical sales representative Keith Ritson in violation of the criminal provisions of the Health Insurance Portability and Accountability Act (HIPAA).” Ritson is scheduled to face trial in late November.

Note

  • Two issues of note with this one: (1) This was essentially undetected insider fraud – the physician allowed the sales rep to use his account for a long time to access sensitive information in a way that was probably well outside the normal behavior profile of physician access. This should have been a low-false-positive detection for any user behavior analysis. (2) Direct criminal prosecution of HIPAA violations has not happened often but can and does. Making sure management is aware of (2) can help justify the need for being able to do (1) in healthcare systems.
  • The information was leveraged to determine which patients had insurance that would cover the non-FDA-approved compound medications sold by Ritson’s company, and when authorized, Alario received commissions and other benefits. Alario granted access to patient records beyond the levels allowed to staff, as well as introducing Ritson to patients as an affiliate or employee of the practice. While it’s not clear if Ritson was simply allowed to use the computer with Alario’s credentials, it is clear that he was permitted free access to digital and physical records beyond regular office hours. While it’s tough to stop someone surrendering their credentials, or just handing over control once logged in, it is possible to monitor access for anomalous patterns. Track access to sensitive information, particularly outside business hours. Make sure that you have sufficient separation of duties, limiting who can grant permission to information, and consider multi-person rules. Closely monitor changes to access controls on sensitive information.
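As an added illustration of the monitoring the notes above recommend (this is example code, not from the article or any EHR vendor), the following runs three simple checks over constructed audit records: after-hours access to patient data, an unusually high number of distinct patient charts opened by one user in a day, and any change to access controls. The log format, business-hours window, baseline threshold and user names are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample EHR audit records (not real data): timestamp,user,patient,action
SAMPLE_LOG = [
    "2023-03-06T09:15:00,dr_x,P1001,view_chart",
    "2023-03-06T09:40:00,dr_x,P1002,view_chart",
    "2023-03-06T10:05:00,nurse_a,P1001,view_chart",
    "2023-03-06T21:30:00,dr_x,P1003,view_chart",        # after hours
    "2023-03-06T21:31:00,dr_x,P1004,view_insurance",    # after hours
    "2023-03-06T21:32:00,dr_x,P1005,view_insurance",    # after hours
    "2023-03-06T21:33:00,dr_x,P1006,view_insurance",    # after hours
    "2023-03-07T08:00:00,admin,P1001,grant_access",     # access-control change
]

BUSINESS_HOURS = (7, 19)     # assumed: 07:00-19:00 local time, Monday to Friday
DISTINCT_PATIENT_LIMIT = 5   # assumed per-user daily baseline; derive from history in practice
SENSITIVE_ACTIONS = {"grant_access", "change_permissions"}  # assumed action names

def parse(line):
    """Split one audit record into (datetime, user, patient id, action)."""
    ts, user, patient, action = line.split(",")
    return datetime.fromisoformat(ts), user, patient, action

def detect(lines):
    """Return a list of alert tuples; the first element names the rule that fired."""
    alerts = []
    per_user_day = defaultdict(set)   # (user, day) -> distinct patients touched
    for line in lines:
        ts, user, patient, action = parse(line)
        per_user_day[(user, ts.date().isoformat())].add(patient)
        # Rule 1: access to patient data on a weekend or outside the business-hours window
        outside_hours = not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])
        if ts.weekday() >= 5 or outside_hours:
            alerts.append(("after_hours", user, patient, ts.isoformat()))
        # Rule 2: any change to who may see a record is always worth a look
        if action in SENSITIVE_ACTIONS:
            alerts.append(("access_control_change", user, patient, ts.isoformat()))
    # Rule 3: one user opening far more distinct charts in a day than their baseline
    for (user, day), patients in per_user_day.items():
        if len(patients) > DISTINCT_PATIENT_LIMIT:
            alerts.append(("volume", user, day, len(patients)))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In a real deployment the baseline in rule 3 should be learned per role and per user from historical audit data rather than fixed.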

Read more in
