Steps to Prevent Back-Office Fraud
Determining if employees are using sensitive information improperly, and how to stop it
By Carrie Rossenfeld
Ideally, all your employees and outsourced personnel would have a strong enough moral compass to
keep personal information such as patient records, payment information and other sensitive data
private and use it only the way it was intended. The reality is that back-office fraud happens more often
than you might think, and it can seriously damage your practice in more ways than one.
“Back-office fraud is more prevalent than people believe,” says Howard E. Bogard, a partner at Burr &
Forman LLP in Birmingham, Ala. “A few hundred dollars here and there soon adds up to significant
losses.”
In addition to affecting your bottom line, back-office fraud can also damage your reputation and your
patients’ privacy, which can further affect you financially. “[Back-office fraud can] expose the medical
practice to derivative liability, to the extent that the fraudulent activities involve or affect third parties,
such as patients (where the fraudulent practice includes disclosing confidential and privileged patient
information to third parties),” says Robert Berg, a member of Epstein Becker Green in Atlanta. “Even
though the employee or employees involved undoubtedly would be acting outside the course and scope
of employment, injured parties most certainly would look to the medical practice, as the employer and
obvious ‘deep pocket,’ to be liable for the damages resulting from the acts of employees.”
Also, fraudulent activities and their aftermath can negatively affect the smooth running of your practice.
“Once the fraudulent scheme is discovered, the disruption in the medical practice—e.g., the distraction
on normal functioning, the impact on employee morale, etc.—can be costly,” Berg adds.
How does back-office fraud present itself?
Back-office fraud in a medical practice typically arises in two forms: embezzlement of funds or identity
theft, says Bogard. (Read MOT’s article: “5 Steps to Prevent Patient Identity Theft”) Embezzlement
seems to be more prevalent in smaller physician offices where one person may handle receivables,
accounts payable and have access to the practice’s bank account, while identity theft can occur in all
medical practices, especially if the medical charts contain social security numbers and financial
information.
Michael Collins, VP Central US for Shred-it in Oakville, Ontario, Canada, says that the World Privacy
Forum estimates that there are approximately 250,000 to 500,000 medical identity theft issues per year
in the US, and on average, it costs organizations $6.3 million per breach. “The majority of all security
breaches are insider issues and involve employees that aren’t compliant with a facility’s policy.”
He adds that, in assessing risk in healthcare organizations, his firm sees a lot of security gaps that can
lead to fraud issues. (Read MOT’s article: “Data Security: Protecting Against Insider Threats”) “One
major issue surrounds how employees are handling the hard drives in their copiers and laptops, and, of
course, whether or not paper is disposed of in a secure manner.”
Employee theft of retired computer equipment is a common situation that creates massive liability for
unknowing medical practices, says Kyle Marks, CEO of Retire-IT LLC in Columbus, Ohio. (Read MOT’s
article: “Improving Your Electronic Data Security”) “Frequently, retired computers contain private data
that can create massive liability for a medical practice when it is lost, stolen or inadvertently disclosed.”
Be aware that back-office fraud is not limited to highly sophisticated schemes requiring specialized
knowledge to uncover. “Quite the contrary, exceedingly simple fraudulent plans—pocketing a small
amount from each day’s deposit of cash co-payments, using an unknown extra corporate credit card,
creating a bogus vendor for highly used supplies, etc.—can prove to be extremely costly,” says Berg.
What should practices do to prevent back-office fraud?
The medical community and, in particular, administrators need to think about medical files that may be
left unattended or unsecured, says Collins. “There may be people coming and going that are not
background checked, and they walk into unrestricted areas, and that can lead to a security breach.”
Obviously, protecting your data is the first step toward prevention. Physically destroying documents to
ensure that sensitive information doesn’t get into the wrong hands is primary, but there’s more you can
do. “Organizations should also use locked, non-pliable containers that can’t be moved to ensure that
confidential information is securely held prior to pick-up and destruction,” says Collins. “On-site
destruction is recommended as the most secure way to guarantee a secure chain of custody for all
confidential information.”
It’s very important to have checks and balances in place to make sure that no one person is in a position
to implement a fraudulent scheme, says Berg. “Once the system of checks and balances is in place, it is
critical to follow the system and not take shortcuts. In many cases, the success of a fraudulent plan
comes about because medical practice staff get used to taking shortcuts, skipping steps, ignoring certain
rules, etc., which, if not done, might have kept the scheme from being implemented or from
succeeding.”
Berg’s firm also advises medical practices to be vigilant in checking on all systems periodically and, when
something looks out of whack, following up to make sure it is not the tip of the fraudulent-scheme
iceberg. “It is amazing how a medical practice will be totally surprised by a back-office scheme which has
been in place for many years, despite obvious visible signs that it existed, which were, in essence,
ignored or dismissed as immaterial.”
The same person should not be involved in both collections and accounts payable, says Bogard. Access
to the practice’s bank account should be closely monitored, and checks or withdrawals above a certain
dollar amount ($500 or $1,000, for example) should require a signature of a physician owner. Someone
other than the employee cashing and writing checks should review bank statements to identify any
suspect or suspicious withdrawals.
Also, to combat identity theft, discontinue the use of social security numbers, limit access to medical
charts and patient financial information on a need-to-know basis, and train employees on the
importance of protecting patient confidentiality, Bogard adds. If you accept credit cards, limit access to
that information to only those employees who need it to process payment. In addition, keep an eye out
for employees that seem to be making purchases or taking trips that appear excessive given their
compensation.
What if a practice suspects fraud is taking place?
Any suspect activity should be quickly investigated, and if embezzlement or identity theft is believed to
have occurred, notify the local police, says Bogard. Once the fraud has been discovered, it is critical to
move quickly and decisively, adds Berg. “In many cases, the employee involved will have a good
reputation and will have worked for the practice for several years. Oftentimes, it is this clean,
trustworthy reputation that allows the employee to ‘get away’ with the plan for long periods of time.”
If your first inclination is to be gracious and avoid taking drastic steps—such as suspending or
terminating the employee, involving law enforcement, having the employee arrested or getting forensic
accountants involved—don’t listen to it. “This is usually a bad move, as over time, the medical practice is
likely to learn the full extent of the scheme and the resulting financial damage to the practice,” says
Berg. “It is much better to assume the worst, get to the bottom of the fraudulent scheme as soon as
possible and act accordingly.”
It may also be appropriate for you to carry insurance coverage for employees’ fraudulent acts, such as
embezzlement. Coverage is not overly expensive and can come in very handy in the typical back-office
fraud scenario, Berg adds.
Other steps you can take to prevent back-office fraud include:
- List all information security risks specific to your organization so you’re aware of where you
might be vulnerable.
- Develop stringent and enforceable policies regulating access to sensitive patient information
and the authorization and authentication of individuals accessing health information.
- Train your employees in best practices for secure information management and destruction.
- Securely destroy all medical information—in electronic and paper form—that is no longer
required to be kept on record.
- Outsource information destruction to high-quality professional providers who ensure the total
security of the information destruction process and can provide documentation to certify that
the chain of custody has been maintained and the work has been completed.
- Partner with a document-destruction specialist to audit your operations and help you identify
gaps in security.
- Have a clearly defined security policy and make sure that all employees are accountable for
upholding it.
- Hire a reputable “IT asset disposal” vendor to ensure that retired electronics are responsibly
recycled.