March 2016

Keep Watch for Medical Identity Theft
By Edie Hamilton, CPC, CPC-I
For The Record
Vol. 28 No. 3 P. 8

Identity theft continues to be one of the most discussed topics in the health care industry. Ponemon Institute's "Fifth Annual Study on Medical Identity Theft" estimates that as of February 2015, more than 2.3 million people were victims of medical identity fraud, a 22% increase over the previous year's estimate. In basic terms, there were approximately 500,000 new cases of medical identity fraud last year.

Defining Medical Identity Theft
According to "Common Types of Health Care Fraud," a 2015 Medicaid fact sheet, "medical identity theft involves the misuse of a person's medical identity to wrongfully obtain health care goods, services, or funds." The findings of the Ponemon study back up this notion. It identifies obtaining medical treatments, services, medication, equipment, and government benefits, such as Medicare or Medicaid, as the top uses of stolen medical data.

The most common type of medical identity theft is the misuse of a patient's identity information to obtain medical goods and services without or, in some cases, even with the individual's knowledge. This can impact patients as well as health care providers and facilities.

Keep in mind that the misuse of medical credentials can be consensual. For example, allowing a relative to present insurance to obtain services that they might not otherwise be able to obtain due to cost or coverage restrictions is illegal. In instances in which the victims are not cooperating partners, an average of three months will pass before the victims learn that an incident has occurred. Often, the victims are unaware of the theft until they receive collection letters for outstanding copays or notice of exhausted benefits when they submit legitimate claims.

The Price to Pay
The high costs associated with medical identity theft can be measured in financial terms and by the crime's impact on patient-provider relationships.

According to the Ponemon study, victims paid an average of $13,500 to resolve an incident—that's when they were able to resolve it. In addition, many of the survey respondents were victimized more than once. Sadly, in some cases, resolution continues to be elusive.

The damages caused by medical identity theft go beyond monetary. For example, a staggering 89% of survey respondents report being embarrassed due to the release of sensitive personal health conditions. Also, 19% of respondents believe the incident caused the loss of career opportunities, while 3% say it led to job loss. Further, 53% of the respondents believe negligence on the part of their health care provider or facility either caused or contributed to the incident. Alarmingly, 50% of the respondents indicated that it lowered their trust in their providers, and many agreed that the lack of security related to medical records would lead them to change providers.

A frequent complaint among respondents was that their providers or insurers never informed them of the theft. Instead, victims learned about it on their own from a billing error or a collection letter. Patients expect their health care providers and facilities to take precautions to protect their identity, including receiving prompt notification when incidents occur. To maintain patient trust, it's important that providers and facilities form all-encompassing data protection measures, including implementing cogent practices for handling and communicating incidents to patients.

Besides causing harm to patients, medical identity theft can deal a significant blow to health care organizations, ranging from lost revenue to a costly and litigious review of all entries in a medical record. As for the latter, consider how time consuming and complicated it is to unravel a single medical record blended with encounters from two or more patients.

Prevention Measures
Although it's unlikely that fraud risk can ever be totally eliminated, every step must be taken to ensure security measures are in place. Fraud prevention begins with the first patient interaction at the front desk, continuing throughout the encounter. Organizations also can investigate potential cases of medical identity theft before illegal claims are submitted. Many practices and institutions have developed or are in the process of developing policies and procedures that address this issue.

Coders can play a significant role in reducing incidences of medical identity theft. To do so, they first must be aware of the crime's prevalence. Coder awareness may not seem like much of a defense, but consider what occurs with computer viruses. One of the most effective defenses against organizations being victimized by a computer bug is to educate users about the magnitude of the problem. In addition to installing protection software and developing IT policies and procedures, smart organizations raise issue awareness.

Essential policies and procedures also must be in place for reporting and investigating potential identity theft, as well as notifying victims and/or payers. Encourage staff to use their amateur sleuthing skills to spot possible nefarious behavior. Such detective work may include the following:

• Ask patients for a photo ID as well as their insurance ID and verify the photo and information are a match.

• Ensure the insurance ID does not appear altered and doesn't contain errors such as an incorrect date of birth.

• Verify names and addresses. Determine whether there are duplicate names at the same address.

• Determine whether the patient traveled an unusual distance for services that could have been provided closer to home.

• Compare the patient's basic appearance to previous encounters. Does the patient who previously presented as frail, per the medical record, now appear hearty or muscular?

• Investigate whether the patient's family, social, and medical histories deviate from previous reports.

• Question any significant changes in vital signs since the last encounter. Are there unexplained differences in height, weight, blood pressure, etc?

• Examine details of the current episode to spot inconsistencies with diagnoses. For example, a patient with a history that includes menopause asking for birth control should sound an alarm.

• Check the insurance demographic information to ensure it is consistent with the services provided. For example, something's amiss if the insurance information on file indicates a 32-year-old patient is seeking treatment for age-related macular degeneration.

With medical identity theft on the rise, all stakeholders must be vigilant. Recovery is costly and time consuming with no guarantee for complete resolution. Exercising vigilance, following antitheft strategies, and maintaining open communication between patients, providers, and payers are essential components of any fraud prevention strategy.

— Edie Hamilton, CPC, CPC-I, has more than 20 years of practical experience in clinical and surgical coding, professional and outpatient facility billing, physician education, compliance, reimbursement, edits, and denials management at large academic institutions. She is currently on the payment integrity content team at Verisk Health, and an adjunct instructor in medical office administration.