How many times have we heard the story of a laptop being stolen or lost that contained detailed medical records and information of thousands of patients? It seems like these stories are becoming increasingly common.
As the healthcare industry finally modernizes into the Information Age with electronic health records (EHR), the issue of medical identity theft has been pushed to the forefront. Medical identity theft “…tends to be focused on the use of someone else’s information to gain goods, services and health care, which can affect a victim’s medical record and future care” (Booz Allen Hamilton, 2009). Electronic health records hold the potential to minimize medical identity theft altogether; yet if proper protections are not put in place, thieves may find it easier to breach private information.
Medical identity theft is nothing new to the health care industry. For example, as a health care provider, there have been times that I have been asked to write prescriptions under another family member’s name since that member had health coverage and the patient that I was treating did not. This is often a precarious situation that I am placed in, and I will not partake in fraudulent practices, no matter how benign they seem to be. Another potential issue is that patients are not typically asked to show any form of photo identification when seeking health care. Most institutions are so focused on payment that they are quick to ask for one’s insurance identification card, but make little to no effort to ensure that the person holding the insurance card is the rightful owner. Fortunately, this trend is becoming increasingly recognized, and institutions are putting steps and procedures in place, with the assistance of health information technology, to combat these practices. Mancilla and Moczygemba (2009) studied medical information theft in acute care facilities and identified the following themes: most cases involving theft occur through the emergency department, organizations are beginning to use photographic images to identify individuals, time constraints on registration staff may lead to poor organizational compliance with policy and procedures, biometrics are a possible solution, and the use of Social Security numbers should be avoided (pp. 4-5). The authors concluded, “…stronger technology support may be needed particularly in the form of biometric identification verification” (p. 8). The use of such systems will help to mitigate fraud, especially in the aforementioned example.
Conversely, automating health information and making it available via portals in cyberspace makes it a potential target for cyber criminals. The government attempted to address this via the Federal Trade Commission’s (FTC) Red Flags Rule (FTC, n.d.). According to the FTC (n.d.), “the Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs — or “red flags” — of identity theft in their day-to-day operations” (“Fighting fraud,” n.d.). Unfortunately, there were major issues with this ruling as it applied to health care professionals and institutions. The Rule was deemed too broad and overreaching, and physicians were thus excluded from it (Gallegos, 2010).
Medical identity theft will continue to be an issue, especially as more Americans become insured under the Patient Protection and Affordable Care Act and as records become electronic. While the Health Insurance Portability and Accountability Act (HIPAA) attempts to safeguard protected health information (PHI), there is very little protection and enforcement at the organizational level to prevent medical identity theft. Therefore, it is necessary for health care providers and institutions to take the issue of medical identity theft very seriously and implement regular audits and updated policies to prevent its occurrence. Most Americans have an expectation that their personal health information is private and should be protected with the utmost security and handling. As the transition to EHRs is underway, time will tell if the health care system is doing an adequate job.
Booz Allen Hamilton (2009, January 15). Medical Identity Theft Final Report. Rockville, MD: Booz Allen Hamilton.
Federal Trade Commission (n.d.). Fighting fraud with the red flags rule. Retrieved from: http://www.ftc.gov/bcp/edu/microsites/redflagsrule/index.shtml
Gallegos, A. (2010, December 20). Congress exempts doctors from “red flags” rule. American Medical News. Retrieved from: http://www.ama-assn.org/amednews/2010/12/20/gvl21220.htm
Mancilla, D., & Moczygemba, J. (2009). Exploring medical identity theft. American Health Information Management Association, 6, 1-11. Retrieved from: http://www.ncbi.nlm.nih.gov/pmc/articles/PMC2804460/?tool=pubmed