June 22, 2009
Medical Identity Theft: Will the Real John Doe Please Stand Up?
By Annie Macios
For The Record
Vol. 21 No. 13 P. 10
A crime that has grown more prevalent in recent years can prove quite costly in terms of dollars and reputation.
In today’s healthcare environment, medical identity theft has come to the forefront as an issue hitting providers from every angle—inside, outside, and everywhere in between. More than ever, facilities must be vigilant about recognizing and preventing identity breaches and, further, know how to respond if a breach occurs.
The AHIMA’s director of practice leadership, Harry B. Rhodes, MBA, RHIA, CHPS, CPHIMS, FAHIMA, participated in a town hall meeting hosted by the Office of the National Coordinator (ONC) of Health Information Technology and the Federal Trade Commission (FTC) that discussed medical identity theft, its prevalence, and solutions for detection and prevention.
Rhodes notes that previously, regulatory organizations hadn’t put much effort into tracking the incidence of medical identity theft. Information from the town hall meeting, however, suggests that one in 23 identity theft victims is a victim of medical identity theft. Nevertheless, the FTC reports that it received only 19,482 medical identity theft complaints between 1992 and 2006.
“Most people don’t think to call the FTC to file a complaint,” says Rhodes. It is estimated that in 2005, 3% of the 83 million reported identity theft victims were victims of medical identity theft. “It’s the fastest growing crime out there. A good deal of the drug-related crime is switching to medical identity theft,” says Rhodes.
Barry Johnson, president of HealthCare Insight, a surveillance services company, cites statistics that indicate the number of cases rose from 250,000 in 2005 to 363,000 in 2007. “There is no question it is an increasing problem because more information is accessible to more people than ever before,” he says.
Types of Offenders
Rhodes identifies four types of medical identity theft: one-off, insider, organized crime, and drug-seeking behavior.
One-off theft usually involves a person who allows a relative or friend to use their insurance card. It can also entail an out-and-out theft of the card or the selling or renting of the card. Rhodes cites an incident in which a Mexican man who spoke little English presented to a facility as John O’Malley, a strong indicator that the ID card was borrowed. “Often, people don’t report the one-off theft because of sympathy they have for the patient forced to go to extremes to obtain healthcare. But there is starting to be a change of attitude about this,” he says.
Insider theft occurs when a hospital employee is approached by outsiders to steal health insurance information. Criminals frequently target staff who may be in a situation where they need money quickly, such as to pay off a gambling debt. If desperate enough, employees will provide the medical identities in return for cash.
According to the FTC, a Social Security card is worth $1 on the street, while stolen medical ID cards will fetch between $25 and $50 per identity. “They are worth more because it is so much easier to steal your medical identity information and submit a false claim against your insurance coverage,” Rhodes says. “The average insurance card is usually very plain with only your name on it—no photo, no computer chip like credit cards have—so it is much easier to steal and submit a false claim compared to credit card theft.”
The economic benefits are more lucrative as well. “Credit card limits are usually $20,000 or much less nowadays. But the lifetime benefits on insurance are in the millions of dollars. Victims of medical identity theft often realize that their medical identity has been stolen when they are denied benefits because they’ve reached their limit,” Rhodes says.
Organized crime has become more prominent in medical identity theft scams. In one case, a crime ring trained young girls as receptionists and taught them how to look for the right patients to target. Those who are senile, have dementia, and lack guardianship make ideal pawns. Once a victim’s identity is taken, the criminals submit insurance claims—usually for less than $10,000, an amount that stays under the Internal Revenue Service’s radar. “These individuals are constantly on the move and stay at a clinic for only about 90 days to avoid getting caught,” says Rhodes.
The Justice Department and Health and Human Services recently broke up a medical identity theft ring in Miami that set up false providers or paid individuals a fee to set up a false business from which the criminals would submit fake claims.
Thieves are also motivated to steal insurance cards by the prospect of procuring narcotics that can be turned into cash on the street. One side effect of such operations is that many of the victims are falsely arrested when they later use their insurance card for legitimate purposes. “Once criminals get the information, they keep selling it again and again and again,” says Rhodes.
The Damage Done
The cost of medical identity theft to healthcare organizations exists on many levels. Financially, healthcare fraud costs between $70 billion and $255 billion per year, which is between 3% and 10% of total U.S. healthcare spending. Even so, Johnson believes those figures understate the problem.
Rhodes says medical identity theft also creates new overhead to fight false claims. “Financially and in terms of time, the FTC says that it takes five to 20 hours to clean up records after every incident, at a cost of $182 per record,” he says.
In addition, healthcare facilities have begun to hire medical identity theft experts. Many are creating positions known as data integrity specialists, who not only work to ensure data integrity by correcting errant information in the electronic health record but also monitor for signs of medical identity theft.
Negative customer relations are also a by-product of medical identity theft. Consumers set a high standard for healthcare providers and do not expect that their information and identities will be compromised.
Clues to Misuse
To prevent and detect medical identity theft, it is important for healthcare entities to conduct risk assessments. “This is an important preliminary step that came up consistently in the medical identity theft research and town hall facilitated by ONC,” says Jodi Daniel, director of the Office of Policy and Research within the ONC. “Each entity may have a different approach to successfully mitigate this risk, but it would likely include administrative policies, technical capabilities, and physical safeguards and techniques.”
Rhodes says there are many precautions providers can take, including having an organized plan for addressing medical identity theft. Plus, they must stay alert for clues from other sources. “They have to be open to the consumer who has a question about a bill and [have] a process to make it easy for the consumer to come to you with a possible breach,” he says.
Rhodes also recommends that providers be on the lookout for records, known as overlays, that are inconsistent with patient history. Also be wary of the patient who knows his insurance number without a card.
Rhodes notes the example of one facility that, in trying to be diligent about protecting identifications, used a digital scanner to scan drivers’ licenses and ID cards. However, it didn’t place the proper security controls on the scanner, and a thief was able to abscond with its contents.
Unusual billing patterns are another indication of medical identity theft. “Coders keep good track of DRGs [diagnosis-related groups], but if they start to see an unusually huge amount of cases, they should question it,” says Rhodes. The key is to move quickly to investigate because thieves don’t often linger for more than 90 days.
Medical identity theft is a privacy and security issue and, in responding to breaches, Rhodes speaks of “closing the loop” to help stem the problem. This process involves encrypting files, performing file audits, and even employing measures such as fingerprint scanning for properly identifying patients.
“Start by doing a risk assessment to ensure that you know what you have in your system,” says Rhodes, echoing Daniel’s advice. In case of a breach, he recommends having triggers in place, including a security response team.
Implementing fingerprint scanning, which has become more popular as the price of the technology has decreased, and palm vein scanning are other identity theft deterrents. Rhodes points out, however, that facilities must still be vigilant to protect those databases, or the technology is useless.
Access management—who has access to what information—is another key component to thwarting would-be thieves. When an employee is fired, authorizations are typically immediately cancelled. However, Rhodes cautions facilities to be certain to also discontinue passwords and authorizations when employees voluntarily quit. In these situations, IT is not always informed on a timely basis.
Separation of duties for the personnel who submit and receive claims and deposit the checks is also a useful safeguard. In addition, background checks on employees should be done at regular intervals throughout their career with a facility because personal situations often change during the course of employment.
As part of being dedicated to helping healthcare payers (eg, insurance companies, third-party administrators, health plans) identify false claims, Johnson says organizations should be vigilant for claims that make no sense for the age and medical history of a patient. “There is far more identity sharing than we care to believe,” he says, especially among Medicaid recipients.
Johnson recommends that providers follow several commonsense principles to help alleviate the incidence of medical identity theft. First and foremost, when providing care, be certain to always ask for the patient’s ID card and compare it with a photo ID. He also advises payers to take more aggressive steps, such as performing background checks on data handlers, storing the identification of the patient as part of an electronic health record, not using healthcare information that identifies a patient in any way that is unnecessary, and destroying paper and electronic medical records properly.
From a technology standpoint, Johnson says there are multiple safeguards that healthcare organizations must use, as mandated by HIPAA. “Be sure to change passwords every 30 days and limit employees’ rights and access to a patient’s personal health information,” he says. “All payers are required to have these safeguards in place, which should limit the exposure of personal health information.”
Technology plays an important role in maintaining security. “We believe that increased use of information technology in the healthcare sector can increase the ability to prevent medical identity theft through stronger security and to detect medical identity theft by helping the entity to recognize unusual activity, such as inconsistencies in healthcare services requested and delivered,” Daniel says. She adds that it is also important to realize that breaches may occur from “insiders” who have access to the information. Policies and technologies that limit access based on role can lessen this type of risk.
Reporting a Breach
If a breach occurs, how should a facility respond? First, identify and stop the source, says Rhodes. At this point, it’s imperative to shut down the offender’s use of the identity.
Next, gather evidence regarding the breach. Forty-four states have breach reporting laws; however, there is often anxiety about reporting a breach. “If you don’t know what you’re protecting—because you haven’t done a proper risk assessment—then you won’t know what’s been stolen,” Rhodes explains. “You could lose credibility if you don’t have a good process in place, didn’t do a proper inventory, and can’t be certain that a breach occurred.”
Wording in the American Recovery and Reinvestment Act states that you must “respond to a breach in 60 days.” “The clock starts ticking the minute you discover there is a breach,” Rhodes says. “Without a clear process in place and a clear way to do an investigation, it’s difficult to accomplish in 60 days. Also, if more than 500 individuals’ identities are compromised, you must send a notice to HHS, so you better not be wrong.”
After every breach, facilities must perform a security response evaluation and take steps to improve security practices. “So many will say, ‘What are the odds of this happening to our facility?’ and I tell them, ‘When it’s happening to you, it’s 100% happening to you,’” says Rhodes.
If HealthCare Insight discovers personal health information has been compromised or a breach has occurred, the payer must be notified and, in turn, the payer must notify the federal government. “Now, there is also a requirement that the patient whose information was stolen be notified. Previously, the patient had to ask, but the law has recently changed,” says Johnson.
At the town hall meeting, Rhodes was surprised to learn how hard criminals work to steal information and submit false claims. “They are looking for a weakness in an organization. If criminals identify a weakness, they will come back and try again,” he warns.
While criminals are steadfast in their pursuits, Daniel says healthcare organizations must meet the challenge with the same enthusiasm. “The best way to manage this risk is to prevent a breach from occurring and to have policies in place in advance, such as an incident response plan, so as to quickly be able to respond in the event of a breach,” she says.