Providers: Guard against medical identity theft

It's disconcerting, to say the least, to read that 91 percent of small healthcare organizations have suffered at least one data breach, according to a recent study.

But it's particularly onerous that fully one fourth of them (24 percent) were not harmless, but likely resulted in medical identity theft. In addition, 43 percent of all respondents had experienced at least one incident of medical identity theft, although 51 percent of them didn't know how it occurred. So the data could have breached by a hacker, a laptop theft, an insider or some other type of incident.

What's worse: almost half of the providers surveyed (49 percent) weren't even familiar with medical identity theft. That's positively galling.

Medical identity theft occurs when a person uses someone else's personal health information to obtain services or drugs or to submit false claims. Medical identity theft is the fastest growing form of identity theft, in large part due to the increase of electronic medical records and the use and storage of patient health information on electronic devices, according to the Coalition Against Insurance Fraud.

The increase is also due to the fact that criminals have figured out that medical identity theft is more lucrative than garden-variety identity theft for financial gain. While a stolen credit card number is worth $1 on the black market, a medical record is worth $10 to $15, according to Randy Trzeciak with Carnegie Mellon's Software Engineering Institutes Insider Threat Team, speaking at a recent National Institute of Standards and Technology conference.

It's also the most insidious form of identity theft. Most instances of non-medical identity theft can hurt the victim financially. But with medical identity theft, if the provider treats both the imposter and the victim their medical records will be comingled, compromising the integrity of the data, putting patient safety at risk when doctors make the wrong diagnosis or administrating the wrong blood type base don the bad data. Of course, it could also open up providers to malpractice claims.

What's more, if the theft was due to a security breach, the provider could be violating HIPAA. And if the provider submits claims for services provided to the imposter, the provider can be accused of fraudulent billing.

So providers, please come up to speed on medical identity theft.

The Federal Trade Commission (FTC) has created several tools to help providers and plans deal with medical identity theft and suggests guidance to offer a patient if he or she thinks he may be a victim of medical identity theft. Several of the tips to providers include investigating to determine if and how their electronic medical records were compromised, reviewing their data security practices and warning patients to keep an eye out for signs of other misuses of their personal information.

The FTC also has a "business center" on its website, with Frequently Asked Questions about medical identity theft specifically to help providers and plans.

Interestingly (or perhaps sadly) the center was hacked on Feb. 17, according to a notice on the website. The FTC is working to restore it.

Providers should also watch for and separate comingled medical information, watching for inconsistencies and flagging the file. Also remember that HIPAA gives patients certain rights, such as accounting for disclosures and the right to amend their records, which they may invoke in these situations. Let's increase awareness--and decrease incidents--of this particular crime. - Marla