Payment Security Tips to Protect Your Practice Against Embezzlement and Fraud

Embezzlement within healthcare practices may be more prevalent than you realize, and the consequences of ignoring appropriate security measures can be severe. Medical Group Management Association surveyed nearly 1,000 medical practices and 83% reported being victims of embezzlement at some point in their operation. International Business Machines Corporation also reported in 2021 that healthcare breaches cost $9.23 million per incident — a $2 million increase over the previous year. 

Payment security measures could be the difference when protecting your practice against potential embezzlement and fraud. Know how to identify fraudulent activity and where technology comes in to help safeguard your systems from breaches and keep your patients’ payment data secure. 

What Are Some Types of Fraud? 

According to the FBI, common types of healthcare fraud include: 

Fraud Committed by Medical Providers 

• Double billing: Submitting multiple claims for the same service
• Phantom billing: Billing for a service visit or supplies the patient never received
• Unbundling: Submitting multiple bills for the same service
• Upcoding: Billing for a more expensive service than the patient actually received 

Fraud Committed by Staff 

• PHI: Using patient SSN to gain credit, copy of patient credit cards, posing as another patient to get surgery/procedures, using provider signature
• Embezzlement: Depositing insurance checks into personal account, creating refunds to their personal credit card, cash not accounted for 

Fraud Committed by Patients and Other Individuals 

• Bogus marketing: Convincing people to provide their health insurance identification number and other personal information to bill for non-rendered services, steal their identity, or enroll them in a fake benefit plan
• Identity theft/identity swapping: Using another person’s health insurance or allowing another person to use your insurance
• Impersonating a health care professional: Providing or billing for health services or equipment without a license 

Any of these tactics can be used solely or in tandem with one another to intentionally cheat the healthcare system to receive illegal payments or benefits.  

How Does It Happen? 

Unfortunately, the basis of many fraud schemes involves individuals or groups wrongfully taking advantage of access that was entrusted to them. Some behaviors that may increase opportunities for embezzlement or fraud to take place within your practice include: 

• Open permissions (too many administrators) 
• Permissions to delete payments 
• Only one person in office handles the cash 
• Access to merchant account
• Lack of checks/balances in processes
  
• Manual processes — non-integrated 

Additional warning signs to recognize are: 

• Staff members who do not take vacations
• Staff who suddenly start purchasing high-dollar items (new vehicle, jewelry, expensive shoes/bags, etc.) 
• Bank statement reconciliation not matching the system 

Real-World Costs of Fraud and Embezzlement 

Whether committing fraud is the result of a solo venture or organized group, it is not a victimless crime. It affects people at every level, from higher premiums and increased out-of-pocket costs to decreased public confidence in the healthcare system. See below for real-life instances of fraud costing more than just a hefty price tag. 

Case 1: Healthcare President Sentenced to Federal Prison 

A former healthcare executive has been sentenced to 35 months in jail and ordered to pay over $1 million after pleading guilty to embezzlement and tax evasion. 

Case 2: Plastic Surgeon Agrees to Pay Nearly $24 Million to Settle Allegations 

A plastic surgeon in Beverly Hills, Calif., has agreed to pay $23.9 million to resolve allegations that they violated the False Claims Act. 

Case 3: Clinic Employee Suspected of Stealing 15,000 Patient Records 

A plastic surgery clinic employee was suspected of stealing 15,000 patient records. It was later discovered that photographs of patients before and during surgical procedures were uploaded to Snapchat. 

How Do I Prevent It? 

Security-First Design 

Store all payment information securely, with a trusted partner who incorporates a “security-first” design into their software design versus separate pieces of software across disparate vendors. This reduces both the number of places that store your customer information as well as the associated risk, thereby minimizing opportunities for that customer information to be compromised.  

Securely Stored on File  

Offer the ability to take payments in a variety of ways by having the cards securely stored on file as a token and automatically processed per certain criteria:  

• Recurring – Securely save the card on file for ongoing payments  
• Payment plans – Securely save the card on file for installment plans that have a finite end date  
• Automatic Billing – Set up the ability to automatically bill for a predetermined sequence (daily, weekly, monthly, yearly)
  

Eliminate Paper  

Eliminate the need to keep patients’ credit card numbers on a physical piece of paper and potentially accessible to others. 

How Do We Do This? 

At Nextech, we partner with Stripe, an industry leader in payment processing. Here are some of the features that help mitigate the risk of fraudulent activity. 

Contact EMV Card Processing

Utilizes industry-standard chip technology when inserted into the card reader.

Contactless EMV Card Processing

Allows you to wave your card or Apple Pay/Samsung Pay/Google Pay over the terminal to process your payment, leveraging payment-card-industry-compliant payment terminals and card readers.  

Practice Management Integration

Provides another layer of access, protecting transaction information through user sign on and permission within the PM software, attaching the user ID of the person who initiated the transaction to each payment processed for audit purposes.  

Transaction Monitoring

Watches for irregularities that could be signs of fraud on your merchant account.  

Card Data Encryption and Tokenization

Card data is encrypted in the payment terminals and readers before being sent for processing, with the response returning a token representing the card number for storage. The encrypted message cannot be decrypted without the decryption key stored securely with our processor, and the token cannot be used to initiate a payment at any other merchant other than the one that processed the original payment. 

Best Practices for Maintaining PM Software Security

To support the specific methods we’ve explained about patient payment data security, here are some additional tips you can use to enhance the security of your practice management software.

Control Access - Permissions  

• Remove ALL options to delete → payments, bills, receipts, adjustments 
• Control options to change prices 
• Limit discounting/require a reason 
• Gift card value management 

Integrate and Automate Processes – Reduce Manual Entry 

• Credit card processing
• EFT/drop box for all insurance payments
• Online collection of payments
• Use autopay or recurring payments
• Text to pay
  

Audit Controls – Report and Review 

• Report weekly on all deleted payments 
• Report monthly on discounts (by provider) 
• Audit edited payments  
• Report on deleted appointments 
• Report on deleted charges 
• Report on edited charges 

Operational Management 

• Cameras manage both patients and staff. Don’t forget they are there to protect the practice and the patient! 
• Do not accept cash without having two staff members available to count in front of a patient — or become cashless 
• Count inventory regularly and more often the higher the value of the product  
• Make sure staff go on vacation and someone else covers  
• Reconcile systems (e.g., the total from previous day should equal the total of what was sold plus what is still available in-house) 

Here are three steps you can take now to ensure better payment security at your practice. 

• Review permissions and system access
• Do a random audit of usage
• Reconcile your PM software with your bank statement 

Preventing healthcare fraud is not the responsibility of one person, but everyone. It is a serious crime with enormous consequences that practices and individuals cannot overlook. By taking precautionary measures to keep your practice secure, you can prevent a breach before it happens. Get Nextech’s payment security overview for a convenient summary of how our solution helps keep your patient’s data secure.