Medical Identity Theft: Everything Patient's and Practice's Need to Know

In 2022, 707 healthcare breaches affected 52 million patients. When you think of a data breach, your mind might go to credit card fraud or identity theft in general. These are both huge risks when it comes to the security of personal information. But, unfortunately, the risks don’t end there.

Medical identity theft, although not as common, proves to be a dangerous reality when it comes to healthcare data breaches. This is a concern for not only patients but healthcare providers and insurers as well.

Medical professionals and patients must understand this kind of fraud can happen in several ways. Whether it’s from a large-scale breach or the theft of an individual’s data. Let’s go over what medical identity theft is, its consequences, and how to prevent it.

What is Medical Identity Theft?

The Federal Trade Commission (FTC) states that medical identity theft occurs when someone uses someone else’s medical information to receive treatment. Medical identity theft can also happen if a medical professional uses a patient’s information to submit false claims to payers.

Personal information that can compromise a patient’s identity can include:

• Name.
• Social Security Number.
• Birthdate.
• Insurance account number or Medicare number.
• Address.

Medical identity theft poses different challenges than other forms of identity fraud. Not only does the perpetrator steal their victim’s data, but they put the patient at risk by messing with their medical data and history.

Imagine having a stranger’s medical information mixed with your own. You might be at risk of having your prescriptions changed or what health benefits you’re able to use.

When dealing with medical identity theft, patients may:

• Receive a bill for a medical service they did not undergo.
• See medical collection notices they don’t recognize.
• Find out they now meet their health plan limit on benefits.
• Find conditions they don’t have on their medical records.

When it comes to medical identity fraud, these are only a few of the consequences a patient might deal with. Let’s dive deeper into what this crime does to both the victims and the medical professionals involved.

Professional Consequences of Medical Identity Theft

One of the scariest things about medical identity fraud is that it can take a long time to recognize it. Sometimes months go by without any indication, other times it might take years. The amount of damage done in that amount of time is often devastating to both the patient and the healthcare professional.

When it comes to the provider, their first red flag might be the notice of overpayment from an insurance program. This ends in the payer demanding immediate repayment. Providers might also receive a notification straight from the Internal Revenue Service (IRS). Healthcare professionals earning income for services never reported on tax documents will most certainly end with your friendly neighborhood IRS employee knocking on your door.

Overpayment letters and correcting credit issues are a few of the consequences of medical identity theft. Sorting out these problems alone requires time, effort, and money. On top of running a business? Well, this can put someone out of business. You might be able to take care of the financial aspect of something like this, but the impact of these consequences on a professional’s reputation can be difficult to fix.

Even if a provider hasn’t done anything wrong, for example with a security breach, consequences can be severe. Luckily most healthcare professionals do the right thing when it comes to reporting medical fraud. However, for those few who do not or worse, actively take part in it - the consequences are even more devastating.

Providers voluntarily permitting the misuse of patient’s identities can lead to consequences such as:

• Civil monetary penalties.
• Criminal fines and restitution.
• Prison time.
• Exclusion from Medicare and Medicaid.

Some common examples of healthcare professionals misusing protected health information (PHI)  include:

• Signing referrals for patients they haven’t seen.
• Approving Certificates of Medical Necessity (CMNs) for patients who do not need the service or supplies.
• Signing CMNs even though it contradicts their documentation of the patient’s needs.
• Signing blank referral forms.
• Signing CMNs for more services than what is medically necessary.

Providers must be wary of people who want to abuse the system. Those people may try to make a case out of convenience or sympathy that their provider should accommodate one of these requests. Your signature as a healthcare provider holds you liable for fraudulent claims.

How You Can Prevent Medical Theft

When it comes to preventing medical identity theft, healthcare providers play an important part in safeguarding PHI. Here are some steps you can take as a healthcare professional to reduce the likelihood of this crime affecting you or your patients.

Education and Training

One of the best ways to protect yourself from medical identity fraud is to understand the signs and causes. Train your staff in the Health Insurance Portability and Accountability Act (HIPAA) to understand the importance of patient confidentiality.

A HIPAA violation can easily (and quickly) turn into a data breach, thus opening your practice up to medical identity theft. Be sure to keep up with regular training and make sure your employees continue to renew their HIPAA certifications yearly to avoid legal ramifications if a breach occurs.

Secure Electronic Health Records (EHR) and Physical Security

HIPAA compliance is only one part of the puzzle when we think about healthcare organization security. Cybersecurity goes hand in hand with HIPAA, as most of our medical records are now online. A breach in your cybersecurity means access to PHI.

Similar to HIPAA training, make sure your employees are current with the latest cybersecurity guidelines.

Cyber and physical security looks like:

• Encrypting data in both transit and at rest.
• Implement strict access controls. This ensures that only authorized personnel can access patient records.
• Perform regular audits of EHR systems. By doing this you can monitor access and usage patterns.
• Limit the physical access that employees have to patient records.
• Implement secure disposal procedures. For example, shredding documents after you no longer need them.

Implement policies and procedures to minimize the risk of a cybersecurity breach. This alone will strengthen your compliance program and organization’s integrity.

Authentication and Verification

Do you want to hear more tips on how to protect your electronic protected health information (ePHI)? Not sure where to start on your HIPAA compliant-audit checklist? No worries! We’ve got your back.

Utilizing a Multi-Factor Authentication (MFA) will help protect against wandering eyes. Having a second layer of defense when logging into software that holds patient records helps to ensure that the person logging in is who they say they are.

Implementing patient verification on top of this is also recommended to help keep ePHI safe. This can look like asking for multiple forms of identification during registration.

Data Backups and Disaster Recovery

Incorporating regular data backups, which include patient data, ensures the security of information in an offsite location. So, in the event of a data breach or a system failure, PHI is not lost forever.

Similarly, make sure your organization has a disaster recovery plan. This is so you can quickly restore that saved information in case of a breach or data loss.

Regular Security Assessments

Even if you back up your information safely on an offsite storage system, it’s a good idea to periodically review your data security practices. Performing regular security assessments is also a great way to strengthen your HIPAA compliance.

Consider the following when performing your security assessment:

• Conduct regular vulnerability assessments to address security weaknesses.
• Conduct penetration testing to address weak points.
• Update software, including patches, to protect against vulnerabilities.
• Have a system so your organization can promptly apply security patches and updates.

Collaboration with Patients

Finally, don’t be afraid to communicate with your patients. Transparency between a provider and their patient builds a foundation of trust. Be sure your patient understands their rights and the importance of protecting their personal information through a Notice of Privacy Practices. This not only ensures your patient knows how to keep themselves safe, but can save you from any future liabilities.

This notice should include the contact information of someone in your organization. This person is in charge of responding to any questions or concerns someone might have about the status of their PHI.

As a provider, make sure you encourage your patients to request and review their medical records. Who better to spot fishy activity, such as past services they never received, than the patients themselves?

How to Handle Medical Identity Theft

Immediately launch an investigation at the first sign of medical identity theft. If your billing department receives a call about an inconsistency in their medical records, review them along with any supporting documents. Be sure this documentation verifies the identity of the person receiving the services.

If you determine there was medical identity theft, notify everyone involved. This includes anyone who previously accessed the patient’s medical and billing records.

Your patients should then file a complaint with the FTC. They should also file a report with their local police department, as well as update their health plan’s fraud department.

Conclusion

Medical identity theft has the potential to seriously affect both patients and providers.

Luckily, being aware is half of the battle, so by reading this blog you’re closer to better securing your PHI.

Remember that HIPAA and cybersecurity regulations offer a solid set of guidelines to protect against this crime. Focus on your HIPAA and cybersecurity compliance practices to better protect sensitive information, as well as your organization’s reputation.