Identity theft in the medical setting encompasses two issues: fraudulent use of patient information and breaching medical records.
In the first situation, the medical office uses patient information to bill for work that was not done. Your concern here is that someone employed by you, whether in-office, an outside billing service, or a Management Services Organization (MSO), may be a scammer. Even if you have no direct role, as the physician under whose name the services were billed, you will also bear responsibility.
Your first step in preventing this is due diligence in choosing who you bring into your office.
In the second situation, the ostensible patient is the culprit. This embroils you in the fraud because you are collecting a payment you are not entitled to.
This can be effectively cut off by requiring patients to provide identification, though it is not absolute protection.
Theft of Patient Information
The easiest access points are visible in your office or in your garbage. Include in your office rules that passwords are never left unattended and that all paper records are shredded.
Phishing is also particularly easy for hackers. You want to have a robust anti-malware system on your office devices. Hold an office training that emphasizes scrutinizing any alert, warning, or request for account updates.
Remote work has opened new access for identity theft. It is critical to include remote staff in any training.
Also take what can admittedly be an uncomfortable step and address with staff the possibility of personal solicitation by a thief. Emphasize that you do not mistrust any of them but that identity thieves can be very deceptive in their presentations. Make sure that they understand how serious a crime it is to take patient information.
HIPAA Guidelines
But what if, despite your efforts, there is identity theft involving your practice? HIPAA includes a process for the patient to request an amendment to their medical record, but you should do this yourself on the patient’s behalf, indicating that the billed-for care did not pertain to them. Doctors believe that HIPAA requires them to hold the records confidential to the scammer. However, you can provide records to a patient who needs them to contest the charges. HIPAA also allows reporting a crime on the covered entity’s premises to law enforcement.