WIXLIB

IntroductionMedical Identity TheftMedical identity theft is defined as the fraudulent use of an individual’s identifying information in a health care setting to obtain medical services or goods, or for financial gain. Thecrime may be perpetrated by an outsider using the stolen identification of another or by aninsider abusing access to patient information. This type of identity theft first received widespread attention in a report published by the World Privacy Forum in 2006.1There are two primary ways in whichmedical identities are misused. The first isconsensual: An individual may knowinglyprovide his or her identity to someone elsein order to allow that person to obtainmedical goods or services. A 2013 studyby the Ponemon Institute found that nearlyhalf (47 percent) of medical identity theftvictims shared their identifying informationwith someone they knew. The most common reasons cited by survey respondentswere that the family member or friend didnot have insurance or could not affordto pay for the treatments.2 This type ofmedical identity theft should decline as thePatient Protection and Affordable CareAct extends health care coverage to manywho are now uninsured or underinsured.Medical identity theft also occurs whenthe victim does not know the perpetrator,as the result of lost or stolen identification or of an insider abusing access torecords. For example, a Seattle womandiscovered that her newborn son’s SocialSecurity number had been stolen when shereceived a bill addressed to her son froma clinic prescribing him OxyContin for awork-related back injury.3An insider may use access to patientmedical records to perpetrate a fraudulentbilling scheme. In one case, a psychiatristentered false diagnoses of drug addiction,depression and other psychiatric disordersinto the records of individuals who werenot his patients. He did this in order tosubmit false bills to insurers. One of thevictims discovered a false diagnosis of severe depression in his records after he hadapplied for employment.4 Criminal enterprises also perpetrate elaborate billingscams, often with Medicare as the target.The impact on the victim’s medical recordsis, of course, dangerous regardless of themotivation behind the use of the information and regardless of whether the fraudwas perpetrated by a relative or by astranger.Medical identity theft is often underreported, as it is difficult to detect or misreportedsimply as health care fraud without taking1

into account its impact on patients. Nevertheless, it is clearly a significant problem.The World Privacy Forum estimated thenumber of victims in 2003 as between250,000 and 500,000, based on theFederal Trade Commission’s (FTC) Clearinghouse and Identity Theft Survey datafor that year.5 In a 2008 report, the U.S.Department of Health and Human Services cited a figure of 250,000 victims,based on FTC survey data from 2006.6More recently, the Ponemon Institute calculated that there were 1.84 million victimsin 2013. This constitutes a 21 percentincrease over the previous year.7The impact of medical identity theft onpatients can be devastating. The Ponemonstudy extrapolated an average cost of 18,660 for the 36 percent of medicalidentity theft victims who had to pay outof pocket. The total value of out-of-pocketcosts incurred by U.S. victims was estimated at 12.3 billion.8 More importantly, inaddition to leading to loss of benefits andunwarranted financial obligations, medical identity theft can corrupt health recordsand put the health and safety of the patient at risk.While knowledge of the crime has grown,adequate means for preventing, detectingand remedying the problem are not always in place. Potential and actual victimsof medical identity theft lack rights and resources comparable to those available toaddress financial identity theft. Such rightsand resources include free annual accessto records, flags on compromised identities, easy access to records suspectedof containing fraudulent information andprompt correction of information resultingfrom fraud.By mandating a transfer to electronicmedical records, the Affordable Care Actoffers the industry an opportunity to address these problems. The responsibilityfor preventing, detecting and mitigatingmedical identity theft lies primarily with thehealth care industry, although patients canalso help. The industry must evaluate itscurrent practices for privacy protection anddata security and implement appropriatecounter-measures against medical identitytheft. Strategic use of technology can helpprevent, detect and mitigate the harmfuleffects of the crime. Importantly, providersmust correct compromised records andthereby eliminate the persistent risk that erroneous medical information poses to victims’ health and quality of care. Althoughconsumers can take steps to help preventand detect medical identity theft, victimscannot correct compromised records ontheir own.We also note that errors in medical recordsthat are not the result of medical identitytheft can pose the same risk to patient2

safety. Many of the recommendations inthis guide are applicable to the detectionand correction of those errors, as well.istration, health informatics, informationsecurity, health care providers and patientprivacy. Their contributions were significantand we are grateful to them all.9Nature and Scopeof this GuideIn July 2012, the Attorney General createdthe Privacy Enforcement and ProtectionUnit, with the mission of protecting the inalienable right to privacy conferred by theCalifornia Constitution. The Privacy Unitenforces state and federal privacy laws,and develops programs to educate consumers and businesses on privacy rightsand best practices.While personal information stolen frommedical records, such as a name andSocial Security number, may also be usedto commit other forms of identity theft – forexample opening credit accounts – financial identity theft is not the subject of thisguide. The guide focuses on the unauthorized use of personal information in healthcare settings and, in particular, on theimpact on medical records.The recommendations offered here are notregulations, mandates or legal opinions.Rather, they are intended to contribute tothe development of best practices for healthcare providers and related organizations tofollow in managing patient information inways that promote and protect individualprivacy interests.In developing this guide, we were fortunate tobe able to draw on the knowledge of expertsfrom the fields of medical records admin-Key TermsThe following definitions are for key termsas used in this guide.Business associates are entities undercontract to health care providers that handlemedical records on behalf of the providers.10Detection means using manual and technological means to identify past, presentand attempted medical identity theft. Detection includes determining what information was involved and how, when andwhere it was stolen and used.HIO is a health information organizationthat manages and oversees health information exchange (HIE) functions. Such anorganization is considered a business associate of its member health care providers.Medical identity theft is the fraudulent useof an individual’s identifying information3

in a health care setting to obtain medicalservices or goods, or for financial gain.Medical record is a permanent record thatcontains identifiable medical information,and is intended for use in decision-makingrelevant to a patient’s health coverage,diagnosis and treatment. Medical information is identifiable when it includes apatient’s name, Social Security number,address, insurance number or other identifier that links to an individual. A medicalrecord can be in paper or electronic formand can be maintained by payers, providers and/or business associates.Mitigation is the process of assistingvictims of medical identity theft in repairingthe damage once the problem has beendiscovered. Victims can be individuals,providers or payers. Mitigation involvesminimizing the risks and costs to all victimsand doing everything possible to restoremedical and financial records to the statusquo ante.4Payers include insurers, third-party billpayers, government health plans such asMedicare and Medicaid and self-insuredhealth plans.Prevention means ways to stop medicalidentity theft from occurring, with a focuson preventing its impact on patient medical records.Providers include hospitals, clinics, smallpractices, pharmacies and diagnosticfacilities like laboratories and imagingcenters.

Recommendations forHealth Care ProvidersThis section describes problems that health care providers face as the result of medicalidentity theft and recommends measures to assist in the prevention, detection and mitigationof the crime.The overall recommendation for all healthcare providers is to build awareness ofmedical identity theft and implement anidentity theft response plan. The planshould include a team prepared to respond to any evidence of medical identitytheft. In larger provider organizations(such as medical centers, hospitals andmulti-facility clinics or diagnostic centers),the team, which might be headed by theprivacy officer, should include representatives of corporate-level administration, information technology, information security,compliance, finance (billing), security, human resources, clinical departments, labsand imaging and patient registration. Theteam of a smaller provider (small to medium practice group, single facility clinic,lab or imaging operation) should includeindividuals concerned with front-officereception, office management (records,billing, human relations) and informationtechnology, as well as the practitioners.Business associates should be included inyour response plan when appropriate.identity theft. The recommendations hereare offered for inclusion in providers’ medical identity theft response plans.The team should develop and implementpolicies and procedures for the prevention, detection and mitigation of medicalRecommended practice: Include effectiverole-based access controls as a componentof your information security program. SuchPreventionThis section covers suggestions for healthcare providers on how to prevent inaccurate information from entering medicalrecords as the result of medical identitytheft.Know Your StaffPre-employment background screeningand appropriate access controls—including cutting off system access by terminatedemployees—can curb internal misappropriations of medical identities.Recommended practice: Exercise carein hiring individuals who have access topatient information or medical records.Employee background checks can helpin identifying candidates with a criminalhistory and should be a standard part ofthe hiring practice. Screen temporary hiresand volunteers as well.5

controls should be built into electronic healthrecord (EHR) systems. Access limits shouldapply to paper as well as electronic records.Know Your PatientRecommended practice: Require patientsto show a copy of their health insurancecard (if not paying in cash) at registration. Consider requiring a photo ID andtraining employees to check whether thephotograph and descriptive details (suchas race, gender, height, weight and hairand eye color) match the ID. Wheneverpractical, embed a patient photo in the EHRor supplementary database. Do not scana government-issued ID, such as a driver’slicense and incorporate the scanned datainto the medical record. Doing so wouldadd unnecessary personal information to therecord that increases the risks of identity theft.Recommended practice: If a patientrequiring emergency care presents aquestionable ID or no ID, the patient mustgenerally be treated. Make sure there is aplace in the intake record to note this andtake further steps to validate the patient’sidentity. One simple additional step couldbe to ask the patient which doctor shesaw last.Basic Patient EducationRecommended practice: Educate patientsabout their right to review and requestcorrections to their own medical records.11Provide clear instructions to patients onhow they can get a copy of their records.Use the principal languages of your patientpopulation in brochures available at registration counters and on your website.6Recommended practice: Make patientsaware of the crime of medical identity theft.Clarify that using someone else’s medical IDor sharing theirs is a crime and highlight thepotential dangers. This might be done witha poster visible at registration.Recommended practice: Clinical CareSummary documents may have a role inpreventing medical identity theft.12 Thisdocument contains both clinical andindividual identifying information. Includea clear caution at the top of the page,encouraging the patient to protect theconfidentiality of the information. If thedocument includes the patient’s insuranceID number, it should be truncated or betteryet, not shown at all. When handing thepatient a copy at the end of a visit, askthe patient to verify the accuracy of itsinformation. A patient who receives anelectronic document should also be askedto verify the information. This can be away to detect and promptly correct errorsin medical records.DetectionDetecting medical identity theft can bea manual or technological process—orboth—in which providers and patientshave a role to play. Early detection allowsfor action to reduce the risk to quality ofcare and patient safety.Use “Red Flags”Recommended practice: Use “red flags”or other means of tagging discrepanciesin appropriate systems and at differentcontact points with patient and medicalrecords to note a problem that requires

further investigation. Electronic recordssystems should allow for the flagging ofany new issues that come up in the registration process. Unless there is a red flagthat clearly disqualifies a patient (such asrefusal to show any ID, other than in anemergency room), the provider shouldproceed to treatment. Providers may wantto develop their own flags based on theirexperience with record anomalies. Thefollowing checklists highlight some basicissues that should raise a question.13Red flags at patient registration ID appears altered or forged. ID photo does not match the personpresenting the ID. ID information (e.g., surname, physicalcharacteristics, address) does not matchinformation on file. Presentation of a Social Security cardor number that duplicates one that isalready part of another patient’s registration record. Presentation of an insurance or Medi-Calcard that duplicates one that is alreadypart of another patient’s registration. Presentation of an insurance or Medi-Calcard with information in the benefit-eligi- bility checking process that doesn’t matchthat of the person presenting the card.Duplicate demographics, such as anotherpatient with the same name, address ortelephone number already on record.The patient or someone accompanyingthe patient, states or intimates at anytime during the encounter that the patientis using a false identity.The patient, law enforcement or a creditbureau notifies you that the patient is avictim of identity theft.Note any flag in a previously compromised record to ensure that the identitytheft is not reactivated at a later date.Red flags in billing and recordsmanagement Mail sent to known patient returneddespite address verification. Complaint received from a patientabout a bill for services or products thatthe patient never received. Insurer denies payment because charge isimprobable or impossible (for example,appendix removed for a second time). Duplicate files appear to exist for thesame patient. Patient bills are returned as undeliverablebut health care charges continue to accrue.Red flags for professional staff Individual presents medical backgroundor information inconsistent with the existing medical record. Individual is unaware of basic medicalinformation within an existing medicalrecord.7

Patient denies information within anexisting medical record. Lab or other clinical test results are inconsistent with information in an existingmedical record (for example, colonoscopyresults in a record indicate pre-cancerouspolyps, but a subsequent test resulthas no mention of polyps) or with thepatient’s presentation (for example, abiopsy in the record indicates basalcell carcinoma in a discolored patch ofskin on the patient’s right cheek, but thepatient presenting for treatment does nothave discolored skin).Recommended practice: Train employeesto identify discrepancies that need to beflagged. Maintain checklists of issues worthflagging, based on the above lists and yourexperience with record anomalies.Respond to a Flagged RecordRecommended practice: Establish clearwritten policies and procedures for investigating a flagged record and determiningif the problem is the result of a registration8or operational error or actual medicalidentity theft. Require all business associates and your downstream vendors toimplement red flag policies and procedures. Adopt your own practice-specificversions of the suggestions below forfollowing up on flagged records, basedon a risk analysis. Responses to flags mayinclude the following: Require an employee who flags a recordfor error or suspicion of medical identitytheft to alert the medical identity theftteam leader or security incident responseteam leader, either automatically throughthe system with a form that describes theproblem or through another chosen meansof communication. Require the medical identity theft teamleader to notify team members fromsystems and records management, patient registration, patient accounts andcompliance of the matter. Place affected patient accounts on holdpending the outcome of the investigation. Require all departments involved in themedical identity theft or security incidentresponse team to use all manual andtechnological resources to determineif the problem arose from a registration error (for example, a typo), anoperational error (for example, a newfile opened by mistake, because apatient’s surname changed by marriageor divorce; or the electronic recordsystem merged the medical records oftwo different patients) or actual medicalidentity theft. If the team has insufficient information tomake a final determination, require that

it notify and interview the patient whoserecord is in question. Maintain a database of identities thathave been used fraudulently as a toolfor future detection. Create a central location in your system of records (including an electronicbilling or practice management system)to note information captured from amedical identity theft investigation, w

Medical identity theft is thus, above all, a quality-of-care issue. Medical identity theft also imposes financial harm and administrative burdens on victims including hospitals, insurers and particularly patients, for whom it is often stressful, compli-cated, time-consuming and costly just to obtain copies of their medical records let alone