Five Tips to Ease the Pain of Medical ID Theft
Challenges are Not Impossible to Overcome
Medical identity theft, an often underestimated crime, is one of the fastest growing offenses in America. It has claimed more than 1.8 million domestic victims so far this year - a 19 percent increase from 2012 - and is expected to get worse before it gets better.
The most common form of medical identity theft occurs when someone uses another person's identity to receive medical care, prescription drugs or medical devices. But the crime can also involve stealing a physician's credentials and fraudulently billing Medicare or private insurers for services that were not performed.
Either way, the crime can cost hundreds of thousands of dollars and, in the case of consumers, can result in a severe illness or even death. This could happen, for instance, if a patient's medical records have been contaminated and doctors aren't aware that the individual is fatally allergic to a certain drug. Or in some cases, the victim is misdiagnosed because his or her records contain another person's medical history.
Some experts believe the Affordable Care Act with its health insurance exchanges may exacerbate the situation. Why? Because of the sheer volume of applicants entering the system. The White House estimates that 7 million people will enroll in the program by the March 31, 2014 deadline. Add to that the federal incentives to store medical records electronically and that puts millions of patients' health information online, potentially exposing them to identity thieves. But California Attorney General Kamala Harris and others believe the frequency of medical identity theft will decrease following the implementation of the Affordable Care Act because as more people obtain health insurance, there will be less of a need to steal it.
Until that happens, though, many cases can be prevented, or if they do occur, the damage can be minimized by taking precautionary measures. Listed below are five tips offered by government officials and privacy experts.
1) Awareness = Prevention
You can't prevent fraud if you aren't aware of it. Studies indicate that many individuals aren't aware of the seriousness of medical identity theft. In fact, a recent study conducted by the Ponemon Institute finds that 30 percent of the respondents knowingly allowed a family member to use their personal identification to obtain medical services. This type of "Robin Hood" crime can come back to sting both the patient and medical provider who could be held liable for medical errors.
Therefore, it's crucial for doctors, hospitals and other providers to inform patients that letting someone else use their insurance to get medical services is a serious crime with severe consequences. So if a daughter lets her mom use her insurance in the ER, it is still fraud, even though they are related.
Healthcare providers should also train their staff to be on the lookout for fraud. In a doctor's office, for instance, front desk employees can ask for two forms of ID - including one with a photo - to make sure the patient isn't using someone else's insurance card.
Insurance companies can help, too. They can make their explanation of benefits easy to understand and clearly state the services that were paid. The statements should also stress the importance of checking for mistakes and how to report an error if one is found.
2) Invest in Technology
Healthcare providers and insurance companies alike should invest in the latest fraud detection software to spot anomalies, viruses, malware and other red flags in their systems. Along with the technology, organizations should have information security experts either on staff or as consultants to properly investigate red flags. In addition, many healthcare organizations are still not encrypting desktops and laptops, which results in a large percentage of breaches. Encryption is vital to the safekeeping of data.
"If I had to offer one bit of advice, it is know what protected health information is and then find it, segregate it, restrict access to it and encrypt it," says Gant Redmon, General Counsel and VP of Business Development for Co3 Systems. "Then, have an incident response tool for when PHI is lost or mistakenly disclosed."
3) Go by the Book
Every organization should have a written response plan. The plan needs to include easy-to-understand procedures for investigating a suspicious record or the potential loss of patients' PHI. The plan should also include an incident response team just in case the suspicion turns out to be a data breach.
It's imperative that everyone on the response team knows what they're supposed to do during a breach. The team often includes members outside of the organization, such as privacy attorneys, breach resolution providers, PR consultants and law enforcement agencies. And keep in mind, the response plan won't be effective if it just sits on a shelf. It must be practiced, similar to a fire drill, and updated regularly to make sure everyone's contact information is correct. It should also be updated to reflect the new government regulations.
"For a healthcare organization, a tested security incident/breach response plan means that everyone knows his or her role and can respond quickly and efficiently - and that no required action is missed," says Paula M. Stannard, counsel for Alston & Bird, LLP. "This helps mitigate any risk arising from an incident, and it minimizes any potential exposure to heightened penalties under HIPAA/HITECH Act and the Omnibus Rule."
4) If Theft or Loss Occurs, Comfort Your Patients
Healthcare providers who believe they've experienced a breach should go beyond the call of duty to help their patients.
"A poorly handled breach can jeopardize a company's bottom line," says Alaap B. Shah, Associate, Epstein Becker Green. "To retain patients following a breach and to reduce the likelihood of lengthy and costly class action litigation, a healthcare provider should communicate with impacted patients in a timely, honest, open and accountable manner. Ultimately, the healthcare provider's communication plan must be focused on reestablishing trust with its patients."
In addition to notifying everyone of a possible breach, healthcare providers should give patients access to their medical records so they can personally check for signs of fraud. Providers can also alleviate fears by creating a website for the breach and providing patients with identity protection that includes credit monitoring.
5) Correct Fraudulent Records Promptly
If an investigation reveals that a record has been corrupted, providers and insurers should correct the record as soon as possible. Corrections within an organization, however, should follow the same procedure to be consistent. An organization, for example, might have a procedure that involves leaving the thief's information in the victim's record, but flagging it as not belonging to the victim.
Although medical identity theft does present significant challenges for the healthcare industry, they are not insurmountable. In fact, as the industry transitions into this new era of affordable healthcare, now is an opportune time to tackle these challenges and minimize the risks.
Bruemmer is Vice President, Experian® Data Breach Resolution at Experian Consumer Services, the leading provider of online consumer credit reports, credit scores, credit monitoring, other credit-related information, and protection products. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services.