Identity theft in the medical office setting encompasses two serious issues: fraudulent use of a patient’s coverage information and the breaching of medical records to steal the identity information they contain.
Two Fraudulent Medical Uses of the Patient’s Identity
In the first situation, the medical office itself is the culprit, using patient information to bill for work that was not done. Since you are not a scammer, your concern is that someone you employ or contract with may be one, and that the liability will extend to you. The governing principle is that even if you had no direct role in the identity theft and the fraud that followed, you will bear responsibility alongside the actual wrongdoer, both as the physician under whose name and provider number the services were billed and as the practice owner who was in a position to monitor information access and billing.
Your first step in preventing this is due diligence in choosing whom you bring into the transactional flow of your office. Any billing service or MSO should be vetted for a negative history. Another step many doctors feel uncomfortable about, but one that has practical value, is background checks on employees with access to practice billing and finances. This is not foolproof, because a dishonest person may simply not have been caught yet, but it is still something you would want to be able to show that you did if your patients’ medical identities were later compromised in fraudulent billing.
You then want to monitor your billings for pattern changes. A sudden jump in collections may result from greater efficiency and acumen on the part of the biller or MSO, but you need to verify that it does not result from fraud. You also want to confirm that deposits to and withdrawals from the practice account make sense, because a scammer may route fraudulent payments through your practice’s account, using it to launder them before diverting them to themselves. In this regard, if you use a contracted service, make sure that you do not cede unfettered control of your accounts to it.
In the second situation, the ostensible patient is the culprit, presenting themselves as the individual covered by a payor. This embroils you in fraud because you are collecting a payment you are not entitled to. If the matter is then questioned, you would have to disgorge the payment, but you may also be subjected to investigation and extensive auditing on the presumption that you may have received other such improper payments in the past.
This can be effectively cut off by requiring patients to provide identification that you copy and keep in their files. If you are working remotely, have the patient scan the identification or send a photo. Of course, a scammer may have false IDs, so this is not absolute protection, but it is a step you want to show that you took if the patient or payor makes a later complaint about you accepting the use of the information.
Theft of Medical Records for Patient Identity Information
Unless yours is that rarest of practices that only accepts cash and keeps all its records on paper, you become part of a cyber world with no borders as soon as you turn on your office computers in the morning. That medical office records contain extensive personal and financial details makes you a rich target for identity theft…and this is even more critical for you than it is for the proprietor of an ordinary business because you are a fiduciary custodian of your patients’ records.
Your first essential step is practical prevention.
Start with the simplest methods, because while identity thieves may employ sophisticated hacking and malware, they are more likely to exploit poor office procedures.
The easiest access points are what they can see in your office or find in your garbage. Your office rules should include not leaving passwords written where they can be seen and shredding all discarded paper records, both to prevent theft and so that you can prove the practice had these rules if there is a later investigation or lawsuit over identity theft.
Phishing is also particularly easy for hackers, usually by imitating a legitimate message. For example, in a very famous phishing scam, hackers obtained John Podesta’s e-mails by sending him an altered version of a legitimate security e-mail telling him to change his password, but with a false link, so that he handed the hackers the new key to his account. The same kind of message can also introduce malware that scoops up data or logs keystrokes as new entries are made in real time. You want a robust anti-malware system on your office devices, and you want to pay attention to notices about new phishing scams, whether they are medical office-related or not. Hold office training on phishing that emphasizes scrutiny of any alert, warning, or account-update request.
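The Podesta-style trick is a link whose visible text looks legitimate while its real destination does not. The check below is an added example written for this article, not code from the author or from any product; it parses an e-mail body and flags any link whose displayed address differs from its actual href, or whose destination is not one of the practice’s known providers. The sample message and the trusted-domain list (example.com) are constructed for the demonstration.

```python
"""Flag links in an e-mail whose real destination does not match what the
reader is shown. Added example for this article; nothing here is the
author's code, and the sample message and trusted domains are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a "change your password" message whose visible link
# text imitates the real provider but whose href points somewhere else.
SAMPLE_EMAIL_HTML = """
<p>Someone has your password. Change it now:</p>
<a href="https://accounts.example-login.net/reset?u=42">https://myaccount.example.com/security</a>
<p>Or open your dashboard at <a href="https://myaccount.example.com/">myaccount.example.com</a>.</p>
<p>Questions? <a href="mailto:help@example.com">Contact support</a></p>
"""

# Assumed: the domains the practice's real vendors send mail from.
TRUSTED_DOMAINS = {"example.com"}

# Anchor text that itself looks like a web address (with or without scheme).
_LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lowercase host of a URL or bare domain string, or '' if none."""
    if "://" not in value:
        value = "https://" + value
    return (urlsplit(value).hostname or "").lower()


def _is_trusted(host, trusted):
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def find_suspicious_links(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, text, reason)] for links a reader should not click."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if urlsplit(href).scheme.lower() not in ("http", "https"):
            continue  # mailto:, tel: and similar are not web links
        real = _host(href)
        shown = _host(text) if _LOOKS_LIKE_URL.fullmatch(text) else ""
        if shown and shown != real:
            # The classic lure: the text says one site, the link goes to another.
            findings.append((href, text, f"shown as {shown} but goes to {real}"))
        elif not _is_trusted(real, trusted):
            findings.append((href, text, f"{real} is not a trusted domain"))
    return findings


if __name__ == "__main__":
    for href, text, reason in find_suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS: '{text}' -> {href} ({reason})")
```

The mismatch rule catches the altered-message attack regardless of how convincing the text is; the trusted-domain rule is the fallback for "Click here" links, and it is only as good as the list of vendors you maintain for it.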
Remote work has opened new access points for identity thieves because working alone at home is simply a more casual environment: the person’s guard will be down as to phishing e-mails, and they may not dispose of records properly, just tossing them in with household trash. It is critical to include remote staff in any training, updates, and rules, and if they do not have a crosscut shredder or a non-shared computer or phone that can be separately password-protected, the office should provide them. Not being negligent means being reasonable under the circumstances, and here it is reasonable to replicate the safeguards that exist at the office.
In a related issue, if a device leaves the office, the medical information on it must be encrypted because the device may be stolen or mislaid. The problem is not the loss event itself; being a theft victim is not an offense, and things get lost. The issue, as in the case of the office heavily fined under HIPAA when a laptop containing patient information was stolen from a car, is whether the information was protected. The penalty in that case was for the information being accessible because it was not encrypted. Encryption that renders the information on the device unreadable to an identity thief means the information is not “unsecured” protected health information, so its loss is not a reportable breach, provided the decryption key was not lost along with the device.
Also, take what can be an uncomfortable step and address with your staff the possibility that a thief will solicit them personally. Emphasize that you do not mistrust any of them, but that identity thieves can be very deceptive in their approaches. Make sure that they understand how serious a crime it is to take patient information. Supervisory staff should also be alert for anyone repeatedly accessing data beyond what their specific tasks require.
It is also essential to stay up to date in applying vendor patches that close newly discovered vulnerabilities before malware can exploit them. This is considered a minimum required hedge against a negligence claim after a data breach, so you want to keep a record that you did so.
But what if, despite your efforts, there is an identity theft involving your practice?
When There Is Identity Theft
A patient whose personal information has been stolen and used for non-medical purposes will not necessarily connect that to your office. If your records have been the subject of that type of theft, you will usually find out about it from the payor or law enforcement.
Your issue in that setting will be notification under HIPAA regulations. A breach of unsecured protected health information must be reported to the affected patients and to HHS and, for breaches affecting more than 500 residents of a state or jurisdiction, via a media announcement as well. Since identity theft is, by definition, the use of information that the thief could read, the information involved was unsecured, and the incident is subject to all the reporting requirements of the Breach Notification Rule.
The rule allows up to 60 days after the breach is discovered to provide individual notifications but specifically says there must be no unreasonable delay. As an ethical matter, practices should inform affected patients as soon as possible so they can take steps to minimize the damage that identity theft may cause them.
You will most likely find out directly from your patient about identity theft that was used to bill falsely for treatment in your patient’s name—they will call you when they see a bill for care or a device that they never received.
This will then trigger your obligation to investigate in-house, reviewing the access log for that patient’s file and the access patterns of everyone who touched it. Treat the reported case as the canary in your practice’s security coal mine.
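Both the supervisory review above (anyone repeatedly accessing data beyond their tasks) and the in-house investigation after a patient reports a false bill come down to reading the EHR’s audit log. The script below is an added example written for this article, not the author’s code or any EHR vendor’s; it assumes a simple one-line-per-access log format, a constructed sample log, and an assumed per-role policy (which actions a role has a business reason to perform, a daily cap on distinct patients, and business hours). It answers two questions: who touched the reporting patient’s chart, and whose activity needs a human look.

```python
"""Review an EHR audit log after a patient reports a bill for care they never
received. Added example for this article; the log format, the sample log and
the role policy are all assumed, not taken from any real system."""
from collections import Counter, defaultdict

# Constructed sample audit log (not real data). One access per line:
# <timestamp> user=<id> role=<role> patient=<id> action=<action>
SAMPLE_LOG = """\
2024-03-04T08:55:10 user=front1 role=front_desk patient=10023 action=view_demographics
2024-03-04T09:02:41 user=drlee role=physician patient=10023 action=view_chart
2024-03-04T09:40:03 user=bill2 role=billing patient=10023 action=view_insurance
2024-03-04T09:41:12 user=bill2 role=billing patient=10024 action=view_insurance
2024-03-04T09:41:55 user=bill2 role=billing patient=10025 action=view_insurance
2024-03-04T09:42:30 user=bill2 role=billing patient=10026 action=view_insurance
2024-03-04T09:43:07 user=bill2 role=billing patient=10027 action=view_insurance
2024-03-04T22:15:44 user=bill2 role=billing patient=10023 action=export_insurance
2024-03-05T10:12:00 user=front1 role=front_desk patient=10030 action=view_demographics
2024-03-05T11:30:22 user=drlee role=physician patient=10031 action=view_chart
"""

# Assumed policy: the actions each role needs for its job and a daily cap on
# distinct patients. The caps are deliberately small so the sample log trips one.
ROLE_POLICY = {
    "front_desk": {"max_patients_per_day": 60, "actions": {"view_demographics"}},
    "physician": {"max_patients_per_day": 40, "actions": {"view_chart"}},
    "billing": {"max_patients_per_day": 4, "actions": {"view_insurance"}},
}


def parse_log(text):
    """Parse '<ts> key=value ...' lines into dicts; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        rec = {"ts": parts[0]}
        for kv in parts[1:]:
            key, _, value = kv.partition("=")
            rec[key] = value
        if all(k in rec for k in ("user", "role", "patient", "action")):
            records.append(rec)
    return records


def accessors_of(records, patient):
    """Who touched this patient's record, and how many times each."""
    return Counter(r["user"] for r in records if r["patient"] == patient)


def policy_violations(records, policy=ROLE_POLICY, hours=(7, 19)):
    """Return sorted (user, reason) pairs for access that needs a human look:
    an action the role has no business reason for, access outside business
    hours, or more distinct patients in a day than the role's cap."""
    findings = set()
    per_day = defaultdict(set)  # (user, role, date) -> distinct patients
    for r in records:
        rules = policy.get(r["role"])
        if rules is None:
            findings.add((r["user"], f"unknown role {r['role']}"))
            continue
        if r["action"] not in rules["actions"]:
            findings.add((r["user"], f"{r['action']} not allowed for {r['role']}"))
        date, clock = r["ts"].split("T")
        hour = int(clock[:2])
        if not hours[0] <= hour < hours[1]:
            findings.add((r["user"], f"access at {r['ts']} outside business hours"))
        per_day[(r["user"], r["role"], date)].add(r["patient"])
    for (user, role, date), patients in per_day.items():
        limit = policy[role]["max_patients_per_day"]
        if len(patients) > limit:
            findings.add((user, f"{len(patients)} distinct patients on {date} (limit {limit})"))
    return sorted(findings)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("Accessed patient 10023:", dict(accessors_of(recs, "10023")))
    for user, reason in policy_violations(recs):
        print(f"REVIEW {user}: {reason}")
```

In the sample, the reporting patient’s chart was opened by the front desk, the physician and the biller, which is normal; what is not normal is the biller’s after-hours export of that patient’s insurance data and the burst of other charts opened minutes apart. Neither fact proves wrongdoing, which is why the output is a review list rather than an accusation, but both are exactly what the supervisor should have been asking about before the patient called.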
It is also important not to become a barrier.
HIPAA includes a process for the patient to request an amendment to their medical record to correct incorrect information, but you should do this yourself on the patient’s behalf, noting that the billed-for care did not pertain to them and cooperating with all efforts the patient makes to refute the charge.
This is also often a point of confusion for doctors, because the scammer’s medical information is now in the affected patient’s record, and doctors believe that HIPAA requires them to treat those entries as confidential to the scammer. However, you can provide the records, including the false entries, to the patient who needs them to contest the charges. HIPAA also allows a covered entity to report to law enforcement a crime committed on its premises.