Health record identity theft a growing concern among medical providers

Medical identity theft can cause a victim’s medical record to get corrupted with the thief’s, potentially compromise their medical care and lead to false billing.

In this era when health insurance is gold, the fortunate need to be aware.

Taking the theft one step further, corrupted medical records can lead to denied coverage down the road.

The potential harm can be as far-reaching as the more common identity theft for monetary purposes, but attention to medical identity theft has been scant in comparison, according to a January report done for the U.S. Department of Health & Human Services.

That could change May 1 when new rules kick in, requiring hospitals, doctor’s offices and clinics to have policies in place to detect and deal with medical identity theft.

The healthcare industry isn’t the sole target of the upcoming Red Flags Rule; , the intent is to cover all industries that provide “credit” to consumers and guard against all forms of identity theft.

The new rule is a consequence of the 2003 Fair and Accurate Credit Transaction Act signed by President Bush to protect consumers. Folding in protection against medical identity theft signified a commitment to broad consumer protections by the federal government.

The new rule was intended to take effect Nov. 1, 2008, but the federal government agreed to a delay after the American Medical Association (AMA) said doctors weren’t sufficiently informed the rule would apply to them.

In the end, the AMA didn’t prevail. The federal government set the May 1 deadline and is offering a six-month grace period before enforcing.

Moreover, the AMA contended healthcare organizations were not “creditors” in the true sense. The AMA also said healthcare providers already were in compliance because of privacy protections under the Health Insurance Portability and Accountability Act.

Compliance involves extra training of patient registration personnel in spotting fake IDs from real identification cards and verifying information against existing internal records.

Southwest Florida hospitals say they don’t take issue with the new rule.

At the same time, hospital officials say thieves can always find a way to get what they want. The emergency rooms are the most vulnerable when treatment first, identify yourself later, is often the case because of life-threatening injuries.

Most of the hospitals have purchased extra computer application that can do additional patient verification checks, but that measure wasn’t necessarily prompted by the Red Flags rule.

“People come in and know how to use the process,” said Todd Lupton, chief financial officer of the Physicians Regional Health Care technique in Collier County.

“A lot of people on Medicaid are passing around their Medicaid card,” said Stanley Padfield, director of health information management and the privacy officer for the Lee Memorial Health technique in Lee County. “They keep it in the relatives. Things like that happen. The Red Flags Rule is not prepared to deal with it.”

One agency’s survey nationwide found that 4.5 percent of the 8.3 million victims of identity theft also experienced some degree of medical identity theft.

From a numbers standpoint, agencies grasp at how often medical identity theft occurs.

“That is the risk in any organization,” said Kelly Daly, director of internal audits/compliance and the privacy officer for the NCH Healthcare technique in Collier County.

Theft of patient information by employees is another scope of the problem, though hospital officials say that's a tough one to deal with.

A safeguard technique at NCH is audit application that tracks employees who have opened a patient’s medical record.

The problem of internal theft hit home in Southwest Florida in September 2006, when a front table clerk of Cleveland Clinic in Weston was indicted and accused of stealing personal information, including Medicare and Social Security numbers, of over 1,100 patients of the then- Cleveland Clinic in North Naples off Pine Ridge Road. The employee, a 22-year-old woman, sold the information to her cousin for false Medicare billing.

The theft occurred sometime between May 2005 when the woman was hired and before her indictment in September 2006. seven months before her indictment, the Naples hospital was sold to Naples-based Health Management Associates, which later changed the hospital’s name to Physicians Regional.

The Red Flags rule is prompting additional training to patient registration personnel for spotting suspicious identification or fake cards, said Lupton, of Physicians Regional. At the same time, the hospitals at Pine Ridge and Collier Boulevard have yet to see fake passports or driver’s licenses, they said.

A breakdown in the technique is possible when the application technique is down or when there isn’t patient history in the process, they said.

If employees are presented with suspicious identification or given questionable information, a supervisor is called and the patient will be questioned. The hospitals have ways to verify data from previously obtained information and to check out insurance cards, said Shari Boyer, executive director of patient financial services for Physicians Regional.

At the Lee Memorial System’s one hospitals, the patient database has 1.2 million names and identifying information. When information a patient has given doesn’t match up with what is on file, a new patient record will be created until there is a resolution, Padfield said. The purpose is to avoid corrupting an existing patient’s medical record.

“You cannot stop the care no matter what. You treat them but they are not put in the database as they say who they are,” they said.

In general, the suspicious person’s care turns into bad debt because they didn’t actually steal services, they said.

What people are seeking with medical identity theft is free health care but theft doesn’t occur when a suspicious patient’s information is kept out of a legitimate patient’s file, they said.

At the NCH process, which operates Downtown Naples and North Naples hospitals, patient registration staff are undergoing more training for the Red Flags rule, said Sandy Wood, operations director of revenue cycle.

In addition, NCH is working with a vendor to potentially subscribe to a database technique that's used by the federal government to determine phone records and addresses, Daly said.

“It can tell us if a number is a phone booth or if an address is a vacant lot,” they said, adding that the decision hasn’t been made yet whether to buy the program, which goes beyond the requirements of the Red Flags rule.