HIPAA Compliance Strategies

Featured Health Business Daily Story May 12, 2008

New Privacy Risk: Patients Who Assume Someone Else's Identity to Obtain Treatment

Reprinted from REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

A new gray cloud has arrived on the privacy officer's skyline and it promises to be as vexing as figuring out the privacy rule was back in 2002: patients who assume the identity of another person in order to receive medical care.

Nationally, estimates are that close to a quarter million people are victims of medical identity fraud each year. From figuring out who the victim is, to ensuring you don't violate the privacy rule in the process, to correcting the medical record when all the information didn't originate with you, to referring the case to authorities, to making good on money you might have not been entitled to, medical identify theft can be a privacy officer's nightmare.

This problem has come to light in the last couple of years, and so far there are no standard "best practices" for dealing with it. But some may be on the horizon, since the issue has grabbed a lot of attention lately. There is a new national project on the issue, and there was a recent press conference sponsored by insurers working on this as well.

To learn strategies you can put in place now, RPP interviewed the compliance leader of one Tennessee system that has already tackled this problem. Her approach will be discussed later in this article.

In May, the HHS Office of the National Coordinator for Health Information Technology, awarded approximately $450,000 to the consulting firm of Booz Allen Hamilton to conduct the first two parts of a project to "assess and evaluate the scope of the medical identity theft problem in the U.S," according to HHS. As part of its work, Booz Allen will hold at least one, if not two or three, town hall meetings in October. The final part of the project, which has not yet been contracted out, involves "a final report and roadmap, summarizing key issues and possible next steps."

"One of the things that people are going to be grappling with is how to negotiate HIPAA when they discover inaccurate information in their medical records, and there is a great need to educate people [about] how they can weave their way through the HIPAA swamp in order to have information changed, or at least have a notice of inaccuracies added to their medical record," said Jim Quiggle, spokesman for the Coalition Against Insurance Fraud. "This is one of the most critical issues right now in terms of getting consumers to have their medical records changed and at least made accurate."

The Blue Cross and Blue Shield Association held a press conference in Washington, D.C., on June 19, with several speakers, to call attention to medical identity theft and demonstrate the extent of the problem, although the association does not collect fraud statistics in this specific category.

Michael Brandt, senior manager for special investigations for Blue Shield of California, noted at the press conference that sometimes the patient is a friend or relative of the person whose identity is compromised. In California, where 25% of the population is uninsured, family members are sharing insurance cards and obtaining care to which they are not entitled, he said.

An 'Inside' Job?

The speakers said sometimes the schemes are quite elaborate. Individuals have recruited homeless people and paid them for their Social Security numbers and birth dates, which were later used to fraudulently bill for services under their names. In other cases, criminals have gone into nursing homes and, on the guise of offering to send birthday cards to the residents, have been given their birth dates. One fraud ring even had software to print fake insurance cards and driver's licenses, they said. Hospitals and other health care providers give services to these fraudsters, never knowing they are not the real person.

"We have had cases where people have checked into hospitals, had services, medical services for either child delivery or even heart surgery, and then the patient left three days afterwards and we had no idea who that person was, but they had assumed somebody else's identity and had fled," Brandt said.

"In California, we are not seeing a large medical identity theft issue at this time, but we know that organized crime has taken over identities and has worked in certain fields such as diagnostic centers and DME [i.e., durable medical equipment] in taking numbers and just falsely billing us," he added.

If hospitals can be on alert, they may be able to thwart much of this kind of the theft, the officials said.

"About 90% of the cases, according to some estimates, are insider jobs at medical facilities," Quiggle said at the press conference.

"Much of the patient information is stolen by rogue employees at hospitals, clinics, pharmacies and other medical offices. In some cases, fraud rings place their own operatives inside the medical facilities in order to gain access to the records. Typically these are anonymous and usually low-paid workers, such as clerks, nurses, billing specialists and lab technicians. They often have easy access through their employers' patient databases and can easily sell patient lists to fraud rings for up to $50 per name on the streets," said Quiggle.

The health industry is only beginning to grasp how large and damaging medical identity theft really is," he said. But many organizations in the industry are not yet ready to work with patients on this issue.

Some Are Getting Ready Now

However, at least one privacy official is more ready than most. Patricia Breeding is the integrity compliance officer for Covenant Health, headquartered in Knoxville, Tenn., who helped implement a medical identity policy for her system two years ago. Covenant is a system that includes six acute-care hospitals, a rehabilitation center, a psychiatric hospital, a nursing home, multiple outpatient centers, physician practices, an insurance company and more than 9,000 employees,

"Most hospitals are finding they have to have specific policies on how to handle identity theft," Breeding tells RPP. "Everything from how to investigate it to how to correct the medical record."

Her health system is ahead of most. Breeding makes a point to stay on top of emerging issues and says she has been "concerned" about medical identity theft for some time. She says her system has documented several dozen cases of medical identity fraud in the last several years.

While there is not a pattern to the cases, Breeding says they commonly have involved a friend or relative who has stolen or borrowed a person's insurance information and has enough other identifying documents to pass for that person and receive care. In most cases, the victim was not an accomplice, in contrast to the California experiences mentioned above.

Breeding says hospitals must be aware of the ramifications of medical identity theft. "When a hospital becomes aware of a case of identity theft, the hospital should work closely with the victim to remove erroneous and potentially harmful information that might have gotten into his or her medical record by providers who furnished care to the perpetrator," she says. "Then, the hospital will refer to authorities the actual fraud that has occurred and deal with the financial ramifications.

If a patient receives care by using another person's identity and the victim's insurance company pays the hospital, the hospital will have to reimburse the payer, Breeding says, and the hospital will be uncompensated for that care unless it can be recovered from the perpetrator.

Stay on Top of the Issue

You should also be prepared to make changes to better ensure your patients' privacy and guard against medical identity theft. For example, many hospitals and insurers are altering all policies and procedures that require the use of Social Security numbers, because they are considered too vulnerable to misappropriation.

Also, when a patient presents for an office appointment or admission, you could require two forms of identification — one being a picture ID, Breeding says.

Recognizing that not all individuals have a driver's license — the most typical form of a picture ID — some hospitals are offering to take pictures of those patients, Breeding says. Covenant has not yet gone this route, although Breeding believes it is "a possibility."

She adds that it is essential to train staff not only to spot medical identity theft, but also to suggest ways to prevent it. Employees have been told, for example, to call security if an individual seems wary or unwilling to provide information about his or her identity.

When a person reports identity theft, his or her medical record will be flagged, Breeding says, and with the patient's involvement, special care will be taken to ensure the record is accurate. Similarly, if a hospital suspects identity theft, those records will be flagged as well so the patient's identity can be verified if she or he appears for another visit.

"This is a hot topic nationally," Breeding says. U.S. attorneys nationwide have formed a task force in each state to deal with health care fraud, and are including medical identity theft as an important part of that, she says. Breeding has attended meetings put on by the attorney general in her state about this topic.

Privacy officers who want to learn more about this should contact their local U.S. attorneys' office and network regionally with privacy officers to swap stories, she suggests. Often crime rings will hit several hospitals or facilities in the same region, experts say — so forewarned is forearmed.

Identity theft experts at the news conference also said patients should request a copy of their medical records at least yearly to review them for errors. While this would cause a burden on hospitals, they should cooperate because it could save them money and headaches in the long run.

Advertise With AIS

Privacy

Site Map