Safeguarding identity: Tips to stave off a growing problem
With identity theft booming, physicians need to take precautions for themselves and their patients. Here's how.
By Katherine Vogt — Posted June 26, 2006
All the necessary information was in her file. Her Social Security number, the number from her driver's license, and other identification numbers were catalogued so Rebecca Patchin, MD, could be credentialed to practice in a multidisciplinary pain treatment program.
The file seemed like a routine business matter -- until Dr. Patchin was informed someone posed as her to open utility accounts and get a credit card, racking up nearly $5,000 in bills. Dr. Patchin was told an employee, since fired, had used the information in the file to steal the Riverside, Calif., anesthesiologist's identity. (Dr. Patchin filed a police report against the ex-employee, but said she did not know how the case was resolved.)
Six years later, Dr. Patchin, an AMA trustee, is still dealing with the fallout. Incorrect information keeps popping up on her credit report.
Still, she feels lucky that more damage was not done, especially because the woman had access to the physician's professional identity. "I was fortunate she was not a more sophisticated criminal."
Identity theft has become a nationwide concern. Because physician offices tend to be harbors of sensitive information, not only about the doctors but about thousands of patients, they are often targeted.
According to the Federal Trade Commission, there were 255,565 reports of identity theft in 2005, up from 246,847 in 2004 and 215,177 in 2003. In 2005, identity theft constituted 37% of all fraud reports, by far the largest category of such offenses.
Accordingly, experts say physicians need to take extra precautions to safeguard identity information. Following basic privacy and security guidelines for patient records, as outlined under HIPAA, is a start.
Under lock and key
Much of the focus on preventing identity theft is ensuring that your computer systems are not easily accessed by outsiders. Experts recommend using passwords and encryption. It may also be appropriate to use some sort of anti-spyware software to prevent hackers from seeing information, said Norbert Kugele, a privacy and employee benefits attorney at Warner Norcross & Judd in Grand Rapids, Mich.
Also, it might be worth having data-wiping software on any computer that holds patient data, said Patricia Trites, chief executive of the Augusta, Mich.-based consulting firm Healthcare Compliance Resources, which advises clients about health care compliance. Such programs wipe the screen of an idle computer and may require a new login if the computer has been inactive too long.
Trites added that enforced policies and procedures about using, accessing and transporting sensitive information can help prevent inadvertent breaches.
Lately, it's the transporting part of that equation that's caused some of the biggest risks of identity theft. The news has been rife with incidents in which an employee of a hospital, health plan or physician practice took home a laptop or other file containing patient information, only to have someone steal it.
In December 2005, tapes and disks containing confidential information about 365,000 patients of Providence Home Services in Oregon and Washington were stolen. Three months later, Providence Hospice and Home Care of Snohomish County (Wash.) announced that laptops had been stolen containing information about 122 patients.
The biggest scare came in May, when the Dept. of Veterans' Affairs reported that data on 26.5 million veterans, active-duty personnel and spouses had been stolen from an employee's home. News reports said the data were contained on a stolen laptop, though the VA did not confirm this.
As of yet, no specific reports have emerged of identity theft occurring because of these thefts. But experts say identity thieves know that physician laptops, PDAs and other technology are treasure troves of identity information.
"If it can be lost in a restaurant or an airport or cab, or stolen in a robbery, you should have that encrypted and password-protected. It's just an absolute must at this point," said Pam Dixon, founder and executive director of the 3-year-old World Privacy Forum, which researches technology and privacy. "Horrible things -- unintentional things -- like this do happen."
For paper records, experts recommend limiting how many employees have access to them, storing them in locked cabinets and making sure they are shredded or burned properly before disposal.
"It's basic office security: locking doors; using alarm systems when you're not in the office; not leaving them all over the office; not having strangers or nonemployees roaming around your office; using basic commonsense types of things," Trites said.
Practices making the transition from paper to electronic records may want to consider hiring an outside security expert to do an audit to ensure that any new systems have adequate protections, Dixon said. She said it could cost a couple thousand dollars or more.
To use SSNs, or not to use
One of the most sensitive pieces of patient information is the Social Security number. Experts disagree about whether medical practices should do away with using the numbers. Though many health plans have changed their practices in recent years to use random numbers to identify members, some government programs still require Social Security numbers.
If a Social Security number must be used, Dixon suggests taking a cue from the banking industry and only displaying a portion of it, such as the last four digits, on paper or electronic files. The tactic has been used with some success to prevent the theft of credit card numbers.
At the least, physician practices should make sure the numbers are kept off the easily seen portions of paper records and protected by passwords on electronic records, said Linda Foley, co-executive director of the San Diego-based Identity Theft Resource Center. The center is a research and consumer support organization Foley co-founded with her husband after being a victim of identity theft.
In any case, access to Social Security numbers should be restricted among employees, Foley said.
Her colleague at the center, Sheila Gordon, said most of the information breaches she hears about in medical offices involve temporary or disgruntled workers. For that reason, experts recommend thorough background screening of all employees and temporary workers. Many companies offer services, some for as little as $10 to $20, that will perform criminal background checks.
Another way to protect yourself and patients, experts say, is to ask patients for identification when they are seen. That could prevent identity thieves from posing as someone else to obtain medical care, although this form of identity theft is less common.
Alex Johnson, assistant director of the external audits and investigations department of The Regence Group, an affiliation of Blues plans in the West, said physicians might not get paid for false claims submitted to insurers on behalf of someone posing as a patient.
When information breaches happen, patients, employees and law enforcement need to be told. "Early notification to the affected people is extremely important, because the sooner they can have a proactive impact, the less likely they are going to be harmed," Trites said.
She recommends coordinating the notification with law enforcement authorities and designating someone in the practice as the main contact person for patient inquiries. Patients whose identities were used to obtain other medical services might need ongoing help from the practice in figuring out how to correct their medical records.
In about half of all states, notification of such breaches is required by law, Trites said. A good place to start is with local police, though ultimately involvement by other law enforcement agencies might be warranted, depending on the nature of the crime.
In some extreme cases, physicians can be held liable for information breaches. If a physician's practice was truly negligent in how it handled the information, and that negligence led to identity theft, there could be a basis for liability under state law, said Louis Saccoccio, executive director of the National Health Care Anti-Fraud Assn., a task force of health plans and law enforcement officials.
But Kugele said that in general, if physicians follow the guidelines set forth in federal law, they should be shielded from negligence lawsuits. "If you're complying with HIPAA, you've got a reasonable defense that you were taking reasonable steps. This hasn't really been tested out in the courts ... but it's probably a pretty good defense to a negligence claim," he said.
Dr. Patchin said being a victim of identity theft taught her to put a lot more thought into disclosing sensitive personal information. "I'm very wary or careful of anybody who wants my Social Security number linked with my driver's license number," she said.