It’s well known that data breaches — whether they are the result of a hacker breaking into your computer or your iPad being stolen — are increasingly common in the day and age of electronic messaging. That’s why the government has taken so many steps to crack down on security at healthcare organizations, and why it has increased enforcement of security requirements.
But one type of data breach that has been less publicized, yet is becoming an increasing concern for both patients and physicians, is medical identity theft.
A whopping 1.42 million Americans were victims of medical identity theft in 2010, according to a 2011 study on patient data privacy and security by the Ponemon Institute. A more recent Ponemon report notes that the 72 healthcare organizations surveyed collectively suffered an average of four data breaches over the last year. A 2010 HIMSS Security Survey revealed that 33 percent of 272 IT and security professionals at hospitals and medical practices said their organization has had at least one known case of medical identity theft, and some of those cases may not have been reported.
Medical identity theft is perpetrated for a number of reasons, attorney Ed Goodman, chief privacy officer for IDentity Theft 911, told Physicians Practice via e-mail.
In the case of patient identity theft, “oftentimes it is simply due to the fact that the ID thief needs access to healthcare and is unable to afford health insurance or pay for their treatment,” said Goodman. “Many times this type of fraud is perpetrated with knowledge of the victim, as it is committed by a family member or friend with knowledge by the victim that this is happening.”
In other medical identity theft cases by patients, perpetrators are opioid and narcotic drug seekers who steal and use identities to receive multiple prescriptions and to throw off the prescription databases that track these types of trends.
One of the reasons for the increase is that, in an effort to digitize records at a fast pace, many healthcare organizations are cutting corners by not training and educating staff on proper security and management procedures, said Goodman.
Also, while using a National Provider Identifier (NPI) helps ensure timely transactions and better care coordination, the existence of NPIs makes physicians more vulnerable to security fraud.
“These NPIs are floating around, and it’s potentially a huge problem, certainly as Medicare fraud increases,” Robert Tennant, senior policy advisor for MGMA, told Physicians Practice. “The fact that these are floating around is a great concern to physicians because they will be reportedly billing for these services they never provided. It could impact their credit, and it’s needlessly adding cost to the system itself. There’s ample opportunity for nefarious individuals to get their hands on NPIs and do fraudulent billing.”
This raises the question: Is there a type of technology or use of technology that a physician can implement to help prevent medical identity theft? In short, the answer is yes.
“There are a number of various ways to prevent these exposures,” said Goodman. “We recommend taking a layered approach to these issues — proper training and education of all staff on best practices and treatment of private information, as well as implementing proper security measures like use of encryption, anti-virus, and access controls.”
Tennant advises practices to routinely check their Medicare remittances.
“If you see something and you don’t know the patient and you don’t recall that procedure, there’s a chance someone is using your NPI,” he said. “Make sure you’re not being remitted for services you didn’t provide. Have your billing staff reconcile all the claims you submitted.”
Practices should encourage patients to look over every explanation of benefits. That way, if, for example, a patient is billed for a cast for a broken leg and never had a broken leg, that patient knows to contact the practice immediately.
“Certainly you want to get on record very quickly disavowing this particular procedure or charge,” said Tennant.
This is Part One of a weekly series of blog postings on medical identity theft.