By Jason Kraus
The digital age has ushered in many opportunities and threats that a decade ago didn’t even exist. Whether it’s social networking fueling revolutions in far-away lands or blogs giving voice to ordinary people, we know we aren’t in Kansas anymore! Only by looking back through the lens of history will we properly be able to understand the full impact of the information age. But for now, we all simply live it and hopefully benefit from the access to the information that is at the heart of it all.
Improved technology can also usher in some unwanted changes. Entirely new types of criminal behaviors have resulted from our conversion from an analog world to a digital one. While most people use the almost overwhelming access to information for personal, commercial, or social good, there are those whose motives are more nefarious. New types of financial schemes, fraud and other scams have evolved, as the tools to perpetrate them have become better.
Hits on healthcare
The most ubiquitous of the lot is identity theft. Although we often associate this particular crime with financial transactions, medical identity theft is very much on the rise. In 2006, between 250,000 and 500,000 American medical identities were stolen. In 2010, the Coalition Against Insurance Fraud reported that this number had jumped to more than 1.4 million Americans.
According to the Federal Trade Commission (FTC), medical identity theft occurs when someone uses another person’s name or insurance information to get medical treatment, prescription drugs, or surgery. It also happens when dishonest people working in a medical setting use another person’s information to submit false bills to insurance companies. Healthcare providers have certain obligations under the Health Insurance Portability and Accountability Act (HIPAA) to protect private medical information. These safeguards should be reviewed and updated by your practice to keep pace with the ever changing world of technology and data transmission.
Medical identity theft could have very serious consequences for both patients and their caregivers. Every time someone uses a stolen identity to receive medical care, a medical note is created or appended. These new or appended notes may contain inaccurate or damaging information. An inaccurate blood type, test result, or history of alcohol or drug abuse may become part of your patient’s record. Any of these could lead to improper treatment for that patient in the future.
Identifying a problem
Unlike financial identity theft, which shows up in bank or credit card statements, medical identity theft may be hidden for years. There are instances where medical offices may observe the first indications that something is amiss. One red flag may be that the payment behaviors of longstanding patients have changed. Patients are often oblivious to the details contained in EOBs (explanations of benefits) or billing statements if they don’t believe they owe any money. Another red flag might be a reimbursement denial for a lifetime cap having been reached. It may be the result of someone other than your patient consuming these benefits. If you or members of your office staff have these suspicions, immediately alert your patients so they can investigate further.
While you probably gave your patients a copy of the Notice of Privacy Protection at some earlier point, it is a good idea to provide them with an additional copy. It is important that this Notice include the name of somebody in the practice who can assist them with any concerns that they might have regarding their protected information. Because of the complex healthcare system and lack of centralized medical record keeping, it is not always easy to determine where a privacy breach occurred. Even though your patients many bring this concern to your attention, the stolen information could have originated at another point in the healthcare infrastructure, including other physicians, labs, or pharmacies.
Patients’ rights
If you or your patients suspect that they have been victimized by medical identity theft, you should encourage your patients to take advantage of their rights under HIPAA.
- The HIPAA Privacy Rule gives people the right to copies of their records maintained by covered health plans and medical providers. Patients are entitled to request, and you are required to supply, copies of their medical and billing records to help identify the impact of the theft, and to review their records for inaccuracies before seeking additional medical care. Because there is no central repository for medical records, your patients should secure information from all sources of their care. You are entitled to charge a fee to cover the cost of copying and mailing their records.
- Patients have the right to have their medical and billing records amended or corrected. If a medical theft in fact has been committed, it is important to amend any incorrect information that is contained in your patient’s medical record. Your patients, after reviewing their records and identifying incorrect information, should be instructed to write a letter to you to dispute the inaccurate information contained in their record. Tell them to include copies (they should keep the originals) of any documents that support their position. Their letter should identify each disputed item, the reasons for disputing it and a request that each error be corrected or deleted. Patients may want to include a copy of their medical or billing record with the items in question circled.
- Patients have the right to an accounting of disclosures from their medical providers and health plans. An accounting is a report of certain disclosures made of the patient’s medical information by the medical provider. Although some disclosures that occur often or as a matter of routine – for example, a doctor’s disclosure of treatment information to another healthcare provider or payment information to an insurer for reimbursement – do not need to be included in the accounting, it would include information that may be relevant to medical identity theft, such as misdirected faxes or e-mails or any information released based on an invalid patient authorization. An accounting of disclosures may help indicate to patients whether there has been an inappropriate release of their medical information.
The law allows your patients to order one free copy of the accounting from each of their providers and health plans every 12 months. The accounting is a record of:
- The date of the disclosure;
- The name of the person or entity who received the information;
- A brief description of the information disclosed; and
- A brief statement of the purpose of the disclosure or a copy of the request for it.
The FTC offers a free brochure that provides patients with information that is useful in determining whether they have been victimized by medical identity theft, as well as providing useful tips on safeguarding their personal information. You can download this brochure at www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt10.shtm. It is a good idea to make these brochures available to patients in your office.
Minimizing risk
Additionally, the HIPAA Privacy and Security Rules include a number of requirements that, when followed, will substantially reduce the risk of medical identity theft. For example, the Privacy Rule requires HIPAA covered entities, including practitioners, to verify the identity of persons requesting protected health information and to have reasonable and appropriate administrative, technical and physical safeguards to protect the privacy of protected health information. This includes training employees on how to handle and dispose of health information and how to keep health information physically secured. This can include the use and assignment of password-protected access to confidential information, properly designing your office so check in and check out functions maintain patient privacy, and vetting your outside vendors’ procedures for securing the confidential information that they need to provide services to your practice. Like all issues of compliance, it is always recommended that all staff be fully trained and that periodic practice audits be undertaken. Establishing a single person to function as the compliance officer for the practice can help.
If a case of medical identity theft is uncovered, the patient should be encouraged to notify their local police and the fraud department of their health insurance company, and file a complaint at the FTC at http://www.ftc.gov/idtheft . Because there are often unpaid bills associated with medical identity theft, patients should also be advised to check their credit reports for any negative impact. If your practice provides debt reports to credit agencies, be aware that the Fair Credit Reporting Act prohibits you from reporting any debt associated with the theft. An identity theft report is a police report that contains enough detail for the credit reporting companies and the businesses involved to verify that the consumer is a victim. The report also states which accounts and inaccurate information resulted from the theft.
Although most practitioners already feel overwhelmed with the administrative and other compliance issues being thrust upon them by regulators and insurers, the migration to electronic health records will bring its own set of responsibilities. Centralized electronic record keeping will surely add new efficiencies to medical practices, but new headaches as well, and these include medical identity theft.
Jason Kraus is executive vice president of Langer Biomechanics and former partner in the practice consulting firm SOS Healthcare Management Solutions.
