Impostors: Dealing with Medical Identity Theft


We continue with our series of general educational articles penned by one attorney, an MD, JD, giving you a view of the world through the eyes of a malpractice plaintiff’s attorney. This attorney is a seasoned veteran. The series includes a number of pearls on how to stay out of harm’s way. While I do not necessarily agree with 100% of the details of every article, I think the messages are salient, on target, and fully relevant. Please give us your feedback – and let us know if you find the series helpful. Finally, these articles are not intended as specific legal advice. For that, please consult with an attorney licensed to practice in your state.

In the interconnected cyber-world, the threat of identity theft is ever-present. Doctors and their patients are at particular risk. And with an increasing shift to telemedicine, this risk is growing.

Let’s take a look at how you can deal with medical identity theft.

What is medical identity theft?

Medical identity theft can involve falsely using a patient’s medical identity for billing or for obtaining a patient’s medical records. These records are then mined for personal and financial data.

In the first scenario, a provider uses a patient’s information falsely to pay for services that were never given. Or a scammer uses it to pay for the care of someone who is not that patient.

In the second instance, the trove of information in the medical record is used by the thief to establish a false identity as the patient. That false identity is then used for non-medical reasons.

Since you, as upstanding citizens, will never be involved in the fraudulent billing side of this issue, this column will focus on the aspect in which your practice or your patients are the victims.

If my practice is a victim of an identity thief, why would I be in trouble?

Medical identity theft comes under the same paradigm as theft of physical records or records on devices that are stolen (for example, laptop or thumb drive) after being removed from the office. Physicians are the fiduciary custodians of their patients’ records. It is not a basis for liability to be a crime victim, but you are liable if you failed to take reasonable steps to prevent the theft from occurring.

A practice that fails to take preventative steps can be liable for substantial fines under HIPAA. It can also be liable for damages to patients under state law, damages that can go beyond financial losses. Such losses can relate to serious medical harm if false information enters the medical record through the theft and is then propagated and relied on by subsequent treaters.

How can I prevent medical identity theft in my office?

This is a two-fold issue: preventing a theft from your office and preventing scamming at your office.

Identity thieves may employ sophisticated methods such as hacking and malware attacks, but they are more likely to phish, pay off office staff, or exploit poor office procedures. Staying up-to-date on protective and corrective measures in your EMR system and doing required HIPAA training are therefore absolute requirements, but they are not sufficient by themselves. Specific risks, such as responding to unexpected e-mails, leaving unattended workstations unlocked, or not shredding paper records before disposing of them, must be covered in your office policies, and these lessons must be taught repeatedly. Also address with your staff the possibility of a thief approaching them personally, and make sure they understand the severity of the crime. Supervisory staff must also be alert for anyone accessing data beyond what their specific tasks require.

If you have staff working from home, distribute a written policy and set of instructions making clear that no patient information is to be accessible to anyone else, including through use of a shared device. Remind staff of it at regular intervals. Make certain they know all paper records must be discarded securely: identity thieves may go through household garbage just as they might at the office. If your staff does not have a cross-cut shredder to make sure paper is adequately destroyed prior to disposal, provide one.

In-office scamming can be neutralized by requiring patients to provide identification that you copy and keep in their file. If working remotely, have the patient scan it or send a photo. An advanced scammer may have multiple false IDs, so this is not foolproof. But it is a step that you want to document.

Here’s a step that makes many practices uncomfortable: Background checks. The security this step provides makes the uncomfortable conversations worth it. More on this in a separate post.

You should also vet your business associates. If an off-site service will have access to your patients’ Protected Health Information (PHI), it is up to you to make sure they have adequate security measures in place to maintain it safely.

What do I do if I find out there has been medical identity theft involving my practice?

A practice will most likely find out that a medical identity theft has occurred when a patient contacts the practice about a bill for a treatment or device they never received. This triggers an obligation to investigate and scrutinize the patterns of everyone who accessed that patient’s files.

It is also important to not be a barrier to the affected patient. Correct the situation and be an active cooperator. Start by correcting your own records without the patient having to go through the hurdle of a formal application under HIPAA. There is no single government office that deals with identity theft. Patients who have been victimized will already be facing many procedural barriers and their doctor’s office should not be another obstruction.

Does HIPAA prevent me from giving their records to the patient whose identity was stolen?

Many physicians and practice administrators erroneously believe that because the record now contains a scammer’s PHI, it cannot be released to the patient whose identity was stolen. They mistakenly conclude that providing the records will violate HIPAA by revealing the co-mingled PHI of the identity thief. This is incorrect: a patient cannot be blocked from accessing their records and doing so would actually itself be a HIPAA violation.

What are my HIPAA obligations for reporting?

A breach of unsecured data, meaning data that has not been rendered indecipherable, must be reported to the patients who were affected, to HHS, and in the case of very extensive breaches, to the media. Since medical identity theft is, by definition, the use of information that could be read by the thief, it falls under this category and thus is subject to all the reporting requirements of the Breach Notification Rule (45 CFR §§ 164.400-414).

The Rule allows up to 60 days after the breach is identified to do individual notifications, but specifically says that there must be no unreasonable delay. Practices should, as an ethical matter, inform affected patients as soon as possible before their records are further altered or they are hit with bills that they do not owe and then have to spend effort and money to rebut.

Does HIPAA allow me to report a medical identity theft to law enforcement?

Obviously, if a practice catches a staff member downloading records onto a personal flash drive or carrying home bags of billing information, there is no issue about turning them in. But as we discussed above with regard to records, many doctors and administrators also erroneously believe that HIPAA prevents them from revealing an identity scam by a patient. HIPAA specifically allows a covered entity to provide PHI to law enforcement regarding a crime that has occurred on the covered entity’s premises. Of course, as in all cases, only the minimum PHI necessary should be released. But in this setting, that is not a problem because only identifiers of the culprit and the facts of the crime are needed for the purpose of apprehending them – what matters is that a scammer used stolen insurance information to pay for an ultrasound, not that they had gallstones.


Medical Justice notes: Ask for photo ID for all new patient encounters. We had a member who performed surgery on his patient. Surgery was financed by a third-party funder. This patient had poor credit. So she used her daughter’s name and credit history. The practice was paid but spent hours having to deal with this problem. This practice now routinely asks for photo ID. Here’s another good reason to ask for proof of identity and age. A 17-year-old patient had an aesthetic injection performed. She looked older than 18. She told the practice she was 18. Dad later found out. Dad asked the practice for money “to make this right.” Enough said. What are your thoughts? Comment below.


1 thought on “Impostors: Dealing with Medical Identity Theft”

  1. When I retired from medical practice I set up a consulting franchise dealing with cost reduction issues for telecom, among other areas. Today’s telecom world involves VOIP (voice over internet telephony), which incorporates IT aspects and security. For those who are employed by a hospital, the hospital should be providing network security and hopefully that is up to snuff. But for all practitioners reading this, they must upgrade their routers, switches, and especially their firewalls to actively monitored firewalls. These firewalls typically run $1000-$2000 for the box and another $1000-$1500 per year for the license, monitoring, and constant upgrading. If you do not know what I am talking about, we can trade comments here. As a consultant my job is to prevent the IT people from putting in more equipment than is necessary. Given the severe penalties for a data breach, up to and including potential loss of licensure from a medical board, the cost becomes yet one other cost of doing business. I had good firewalls when I was in practice but not what I would put in today for protection. Physicians are usually not well versed in this area, and would do well to involve a knowledgeable consultant and their IT person. Also, if the physician is doing work from home with patient files, he may very well have to set up a VPN back to his office and also have an appropriate firewall and router there.


Jeffrey Segal, MD, JD
Chief Executive Officer & Founder

Jeffrey Segal, MD, JD is a board-certified neurosurgeon and lawyer. In the process of conceiving, funding, developing, and growing Medical Justice, Dr. Segal has established himself as one of the country's leading authorities on medical malpractice issues, counterclaims, and internet-based assaults on reputation.
