Guidelines to Combat Medical Identity Theft Are Released by California Attorney General

Nov. 20, 2013
New guidelines for preventing and remedying medical identity theft have been released by the Office of the Attorney General of California

New guidelines for preventing and remedying medical identity theft have been released by the Office of the Attorney General of California. The American Health Information Management Association (AHIMA) contributed to the development of the guidelines, “Medical Identity Theft: Recommendation for the Age of Electronic Medical Records,” whose primary purpose is to contribute to best practices for healthcare providers and related organizations in managing patient information. It contains recommendations for provider, payers, health information organizations that manage and oversee health information exchange functions, and policymakers.

The report notes that medical identities are misused in two primary ways. One is consensual, in which the individual knowingly shares his or her identity with someone to allow that person to obtain medical goods or services. It cites a 2013 Ponemon Institute study that estimates that nearly half of medical identity theft victims shared their identifying information with someone they knew. Yet the attorney general’s report says that this type of theft should decline as the Affordable Care Act (ACA) extends coverage to many who are now uninsured or underinsured.  Medical identity theft also occurs when the victim does not know the perpetrator, as the result of lost or stolen information or an insider abusing access to records. The report also notes that medical identity theft is underreported and costly—the Ponemon Institute study estimates $1.84 million victims in 2013, with estimated out-of-pocket costs of $12.3 billion.

The attorney general’s report says that by mandating the transfer to electronic medical records, the ACA offers the healthcare industry a way to address medical identity theft. It recommends that healthcare organizations evaluate their current practices for privacy protection and data security, and implementing appropriate counter-measures. Strategic use of technology can help prevent, detect and mitigate  the effects of the crime. It recommends that providers must protect compromised records and thereby eliminate the risk that erroneous medical information poses to the victim’s health and quality of care.

Key Recommendations

For providers:

  • Build awareness of medical identity theft as a quality-of-care issue within the organization.
  • Make patients aware of medical identity theft, which includes using someone else’s medical ID or sharing theirs and its potential consequences.
  • Deploy technical fraud prevention measures such as anomaly detection and data flagging, supported by appropriate policies and processes so that all red flags are appropriately investigated.
  • Implement an identity theft response program with clear written policies and procedures for investigating a flagged record. Train staff in all relevant departments on these policies and procedures.
  • Offer patients who believe they have been victims of medical identity theft a free copy of relevant portions of their records to review for signs of fraud.
  • When an investigation reveals that a record has been corrupted by medical identity theft, promptly correct the record.

For payers:

  • Make Explanation of Benefits statements patient-friendly. Include information on how to report any errors that are discovered.
  • Notify customers who have been identified as victims of medical identity theft by email or text or other agreed upon timely method whenever a claim is submitted to their account.
  • Use automated fraud-detection software to flag suspicious claims that could be the result of identity theft.
  • When medical identity theft is confirmed, the first priority should be correcting the patient’s claims record to eliminate the possibility that benefits could be capped or terminated.

For health information organizations:

  • Build system capabilities that can assist in the prevention, detection, investigation and mitigation of medical identity theft.
  • Adopt policies and standards that recognize the possibility of medical identity theft. Include specific policies relating to medical identity theft as part of privacy and security policies and procedures.  

For policymakers:

  • The U. S. Department of Health and Human Services should include a medical identity theft incident response plan as a certification requirement or as one of the best practices if they are currently developing for health information organizations or exchanges and accountable care organizations.
  • The report also recommended considering its guidelines when collaborating on the development of standards and software for electronic health and suggested that they could also form the foundation of standard policies for industry self-regulation. 

Sponsored Recommendations

How Digital Co-Pilots for patients help navigate care journeys to lower costs, increase profits, and improve patient outcomes

Discover how digital care journey platforms act as 'co-pilots' for patients, improving outcomes and reducing costs, while boosting profitability and patient satisfaction in this...

5 Strategies to Enhance Population Health with the ACG System

Explore five key ACG System features designed to amplify your population health program. Learn how to apply insights for targeted, effective care, improve overall health outcomes...

A 4-step plan for denial prevention

Denial prevention is a top priority in today’s revenue cycle. It’s also one area where most organizations fall behind. The good news? The technology and tactics to prevent denials...

Healthcare Industry Predictions 2024 and Beyond

The next five years are all about mastering generative AI — is the healthcare industry ready?