Identity Theft Steals More than Healthcare Dollars
It can rob a patient’s health and
jeopardize a provider’s good-standing, too.
By Edie Hamilton, MA, CPC, CPC-I
Identity theft is a hot topic in the field of medical fraud. According to research on privacy, data protection, and information security policy conducted by Ponemon Institute, more than 2.3 million people have been victims of medical identity fraud. This trend is on the rise, with nearly a 22 percent increase in 2015 over the previous year’s estimate. That’s approximately 500,000 new cases of fraud in one year. This year, the Ponemon Institute estimates that data breaches will cost the healthcare industry $6.2 billion.
Defining Medical Identity Theft
Medical coders and other healthcare business professionals can help stop identity theft through awareness.
The most common type of medical identity theft is the misuse of a patient’s identity information to obtain medical goods or services without (or sometimes with) the victim’s knowledge. This kind of fraud can affect the individual, as well as the healthcare providers and facility. In addition to financial repercussions, medical identity theft can cause tremendous damage to the patient-provider relationship.
According to the Centers for Medicare & Medicaid Services (CMS) 2016 Fact Sheet, Common Types of Health Care Fraud, “Medical identity theft involves the misuse of a person’s medical identity to wrongfully obtain healthcare goods, services, or funds.”
The Ponemon study identified the three most common misuses of stolen medical identity are to illegally obtain:
- Medical treatments or services;
- Medication or equipment; or
- Government benefits, such as Medicare or Medicaid.
It’s important to realize that the misuse of medical credentials might be consensual, such as when a covered individual allows a relative to present their insurance to obtain services the relative cannot otherwise afford or qualify for. When victims are not cooperating partners, however, they usually aren’t aware of the theft until approximately three months following the incident, after they receive collection letters for outstanding co-pays or a notice of exhausted benefits when they submit legitimate claims.
The Cost of Medical Identity Theft
The cost of medical identity theft can be measured in financial terms and in terms of its impact on the patient-provider relationship. On average, the Ponemon study found that it cost the victim approximately $13,500 to resolve an incident (when they were able to resolve it). Often, the respondents were victims of more than one type or instance of fraud. In addition to monetary costs:
- 89 percent of survey respondents reported embarrassment due to the release of sensitive personal health conditions.
- 19 percent believe it caused the loss of career opportunities.
- 3 percent said that it led to the termination of their employment.
- Approximately 53 percent of the respondents believed that negligence on the part of their healthcare provider or facility either caused or contributed to the incident.
- Alarmingly, 50 percent of the respondents indicated it lowered their trust in their providers, and many agreed that the lack of security around medical records would cause them to change providers.
There is also the potential for serious health impacts. For example, the consequences of having the wrong blood type in the patients’ medical record could be devastating.
Identity Theft Isn’t Just a Patient Concern
One of the most common complaints reported in the Ponemon study was that providers or insurers did not inform victims about the theft. The victims learned about it on their own, from an error in their bill or a collection letter. Patients expect their healthcare providers and facilities to take precautions to protect their identity, and expect prompt notification when incidents are identified. It’s important for providers and facilities to prevent medical identity theft with clear processes for handling and communicating incidents to patients to maintain their trust.
It’s not just a patient issue. The costs to providers and facilities can range from lost revenue to a costly and litigious review of all entries in a medical record. (Think about how time-consuming and complicated it would be to unravel a medical record blended with encounters from two, or more, different patients.)
Misunderstanding HIPAA rules contributes to the patient’s frustration when trying to resolve the issue. When identity theft is discovered, some practices and facilities refuse to release the medical records to the patient out of fear of violating the privacy of the thief and incurring a HIPAA violation. According to an article by Adam H. Green (Privacy & Security Law Blog, “Confusion Continues Over Medical Identity Theft Victim Rights under HIPAA”), there is still a lot of confusion regarding how HIPAA applies in identity cases. Would it be a HIPAA violation to share a patient’s medical records with the patient once it is known that at least some of that information pertains to an identity thief? The Federal Trade Commission and U.S. Department of Health & Human Services have clarified that this is not a HIPAA violation because the patient has the right to get a copy of all medical records in his or her own name, and has the right to have that data corrected.
Preventing Medical Identity Theft
While fraud can never be totally eliminated, prevention begins with the first interaction with the patient at the front desk, and continues through the entire encounter. Potential cases of medical identity theft can also be investigated before fraudulent claims are submitted. Many practices and institutions have already developed, or are in the process of developing, policies and procedures that address this issue.
Coder awareness is an important piece to mitigate this problem. As an analogy, when computer viruses became a serious problem to modern offices, one of the most effective defenses (besides installing software virus protection software and developing IT policies and procedures) was to educate computer users about the magnitude of the problem. In addition to raising awareness of medical identity fraud, electronic health records can help reduce the risks associated with mislaid charge sheets or medical records.
Your healthcare organization should have policies and procedures in place for reporting and investigating potential identity theft, as well as notifying patient victims and/or payers:
- Ask patients for photo identification (ID) along with their insurance ID, and verify that the photo and information match the patient.
- Make sure the insurance ID doesn’t look altered and doesn’t contain errors, like an incorrect date of birth.
- Carefully verify names and addresses. For example, check to see if there are duplicate names at the same address.
- Determine if the patient traveled an unusual distance for services that could have been provided closer to home.
- Compare basic appearance to previous encounters. For example, does the patient who previously presented as frail, per the medical record, now appear hearty or muscular?
- Check to see if the past family, social, or medical history deviates from previous reports.
- Question significant changes in vital signs since the last encounter. For example, are there unexplained differences in height, weight, blood pressure, etc.?
- Look to see if details of the current episode are inconsistent with diagnoses (e.g., a patient with a diagnosis history of menopause who is asking for birth control).
- Check the insurance demographic information to be sure it is consistent with services provided (e.g., The insurance information on file indicates that the patient is 32 years old, but is being treated for age-related macular degeneration).
With medical identity theft on the rise, all stakeholders need to be vigilant. Recovery is costly and time consuming, with no guarantee of resolution. By exercising vigilance, following anti-theft strategies, and maintaining open communication between patients, providers, and payers, you can help protect patients and providers combat identity theft.
Ponemon Institute, Fifth Annual Study on Medical Identity Theft: http://medidfraud.org/wp-content/uploads/2015/02/2014_Medical_ID_Theft_Study1.pdf
Ponemon Institute, The Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data: http://media.scmagazine.com/documents/232/sixth_annual_benchmark_study_o_57783.pdf
CMS Fact Sheet, Common Types of Health Care Fraud: www.cms.gov/Medicare-Medicaid-Coordination/Fraud-Prevention/Medicaid-Integrity-Education/Downloads/fwa-factsheet.pdf
Adam H. Green, “Confusion Continues Over Medical Identity Theft Victim Rights under HIPAA,” Privacy & Security Law Blog: www.privsecblog.com/2015/12/articles/healthcare/confusion-continues-over-medical-identity-theft-victim-rights-under-hipaa/
Edie Hamilton, MA, CPC, CPC-I, has more than 20 years of practical experience in clinical and surgical coding, professional and outpatient facility billing, physician education, compliance, reimbursement, edits, and denials management at large academic institutions. She is on the Payment Integrity Content Team at Verscend, and is an adjunct instructor in medical office administration. Hamilton is a member of the Chapel Hill, N.C., local chapter.