New guidelines for preventing and remedying medical identity theft have been released by the Office of the Attorney General of California. The American Health Information Management Association (AHIMA) contributed to the development of the guidelines, “Medical Identity Theft: Recommendation for the Age of Electronic Medical Records,” whose primary purpose is to contribute to best practices for healthcare providers and related organizations in managing patient information. The report contains recommendations for providers, payers, health information organizations that manage and oversee health information exchange functions, and policymakers.
The report notes that medical identities are misused in two primary ways. One is consensual, in which the individual knowingly shares his or her identity with someone to allow that person to obtain medical goods or services. It cites a 2013 Ponemon Institute study that estimates that nearly half of medical identity theft victims shared their identifying information with someone they knew. Yet the attorney general’s report says that this type of theft should decline as the Affordable Care Act (ACA) extends coverage to many who are now uninsured or underinsured. Medical identity theft also occurs when the victim does not know the perpetrator, as the result of lost or stolen information or an insider abusing access to records. The report also notes that medical identity theft is underreported and costly: the Ponemon Institute study estimates 1.84 million victims in 2013, with estimated out-of-pocket costs of $12.3 billion.
The attorney general’s report says that by mandating the transfer to electronic medical records, the ACA offers the healthcare industry a way to address medical identity theft. It recommends that healthcare organizations evaluate their current practices for privacy protection and data security and implement appropriate countermeasures. Strategic use of technology can help prevent, detect and mitigate the effects of the crime. It also recommends that providers protect compromised records and thereby eliminate the risk that erroneous medical information poses to the victim’s health and quality of care.
Key Recommendations
For providers:
- Build awareness of medical identity theft as a quality-of-care issue within the organization.
- Make patients aware of medical identity theft, which includes using someone else’s medical ID or sharing their own, and of its potential consequences.
- Deploy technical fraud prevention measures such as anomaly detection and data flagging, supported by appropriate policies and processes so that all red flags are appropriately investigated.
- Implement an identity theft response program with clear written policies and procedures for investigating a flagged record. Train staff in all relevant departments on these policies and procedures.
- Offer patients who believe they have been victims of medical identity theft a free copy of relevant portions of their records to review for signs of fraud.
- When an investigation reveals that a record has been corrupted by medical identity theft, promptly correct the record.
For payers:
- Make Explanation of Benefits statements patient-friendly. Include information on how to report any errors that are discovered.
- Notify customers who have been identified as victims of medical identity theft by email, text or another agreed-upon timely method whenever a claim is submitted to their account.
- Use automated fraud-detection software to flag suspicious claims that could be the result of identity theft.
- When medical identity theft is confirmed, the first priority should be correcting the patient’s claims record to eliminate the possibility that benefits could be capped or terminated.
For health information organizations:
- Build system capabilities that can assist in the prevention, detection, investigation and mitigation of medical identity theft.
- Adopt policies and standards that recognize the possibility of medical identity theft. Include specific policies relating to medical identity theft as part of privacy and security policies and procedures.
For policymakers:
- The U.S. Department of Health and Human Services should include a medical identity theft incident response plan as a certification requirement or as one of the best practices it is currently developing for health information organizations or exchanges and accountable care organizations.
- The report also recommended considering its guidelines when collaborating on the development of standards and software for electronic health and suggested that they could also form the foundation of standard policies for industry self-regulation.