Business

Safeguarding identity: Tips to stave off a growing problem

With identity theft booming, physicians need to take precautions for themselves and their patients. Here's how.

By Katherine Vogt — Posted June 26, 2006

Print  |   Email  |   Respond  |   Reprints  |   Like Facebook  |   Share Twitter  |   Tweet Linkedin

All the necessary information was in her file. Her Social Security number, the number from her driver's license, and other identification numbers were catalogued so Rebecca Patchin, MD, could be credentialed to practice in a multidisciplinary pain treatment program.

The file seemed like a routine business matter -- until Dr. Patchin was informed someone posed as her to open utility accounts and get a credit card, racking up nearly $5,000 in bills. Dr. Patchin was told an employee, since fired, had used the information in the file to steal the Riverside, Calif., anesthesiologist's identity. (Dr. Patchin filed a police report against the ex-employee, but said she did not know how the case was resolved.)

Six years later, Dr. Patchin, an AMA trustee, is still dealing with the fallout. Incorrect information keeps popping up on her credit report.

Still, she feels lucky that more damage was not done, especially because the woman had access to the physician's professional identity. "I was fortunate she was not a more sophisticated criminal."

Identity theft has become a nationwide concern. Because physician offices tend to be harbors of sensitive information, not only about the doctors but about thousands of patients, they are often targeted.

According to the Federal Trade Commission, there were 255,565 reports of identity theft in 2005, up from 246,847 in 2004 and 215,177 in 2003. In 2005, identity theft constituted 37% of all fraud reports, by far the greatest category of such an offense.

Accordingly, experts say physicians need to take extra precautions to safeguard identity information. Following basic privacy and security guidelines for patient records, as outlined under HIPAA, is a start.

Under lock and key

Much of the focus on preventing identity theft is ensuring that your computer systems are not easily accessed by outsiders. Experts recommend using passwords and encryption. It may also be appropriate to use some sort of anti-spyware software to prevent hackers from seeing information, said Norbert Kugele, a privacy and employee benefits attorney at Warner Norcross & Judd in Grand Rapids, Mich.

Also, it might be worth having data-wiping software on any computer that holds patient data, said Patricia Trites, chief executive of the Augusta, Mich.-based consulting firm Healthcare Compliance Resources, which advises clients about health care compliance. Such programs wipe the screen of an idle computer and may require a new login if the computer has been inactive too long.

Trites added that enforced policies and procedures about using, accessing and transporting sensitive information can help prevent inadvertent breaches.

Lately, it's the transporting part of that equation that's caused some of the biggest risks to identify theft. The news has been rife with incidents in which an employee of a hospital, health plan or physician practice took home a laptop or other file containing patient information, only to have someone steal it.

In December 2005, tapes and disks containing confidential information about 365,000 patients of Providence Home Services in Oregon and Washington were stolen. Three months later, Providence Hospice and Home Care of Snohomish County (Wash.) announced that laptops had been stolen containing information about 122 patients.

The biggest scare came in May, when the Dept. of Veterans' Affairs reported data on 26.5 million veterans, active-duty personnel, and spouses, had been stolen from an employee's home. News reports said the data were contained on a stolen laptop, though the VA did not confirm this.

As of yet, no specific reports have emerged of identity theft occurring because of these thefts. But experts say identity thieves know that physician laptops, PDAs and other technology are treasure troves of identity information.

"If it can be lost in a restaurant or an airport or cab, or stolen in a robbery, you should have that encrypted and password-protected. It's just an absolute must at this point," said Pam Dixon, founder and executive director of the 3-year-old World Privacy Forum, which researches technology and privacy. "Horrible things -- unintentional things -- like this do happen."

For paper records, experts recommend limiting how many employees have access to them, storing them in locked cabinets and making sure they are shredded or burned properly before disposal.

"It's basic office security: locking doors; using alarm systems when you're not in the office; not leaving them all over the office; not having strangers or nonemployees roaming around your office; using basic commonsense types of things," Trites said.

Practices making the transition from paper to electronic records may want to consider hiring an outside security expert to do an audit to ensure that any new systems have adequate protections, Dixon said. She said it could cost a couple thousand dollars or more.

To use SSNs, or not to use

One of the most sensitive pieces of patient information is the Social Security number. Experts disagree about whether medical practices should do away with using the numbers. Though many health plans have changed their practices in recent years to use random numbers to identify members, some government programs still require Social Security numbers.

If a Social Security number must be used, Dixon suggests taking a cue from the banking industry and only displaying a portion of it, such as the last four digits, on paper or electronic files. The tactic has been used with some success to prevent the theft of credit card numbers.

At the least, physician practices should make sure the numbers are kept off the easily seen portions of paper records and protected by passwords on electronic records, said Linda Foley, co-executive director of the San Diego-based Identity Theft Resource Center. The center is a research and consumer support organization Foley co-founded with her husband after being a victim of identity theft.

In any case, access to Social Security numbers should be restricted among employees, Foley said.

Her colleague at the center, Sheila Gordon, said most of the information breaches she hears about in medical offices involve temporary or disgruntled workers. For that reason, experts recommend thorough background screening of all employees and temporary workers. Many companies offer services, some for as little as $10 to $20, that will perform criminal background checks.

Another way to protect yourself and patients, experts say, is to ask patients for identification when they are seen. That could prevent identity thieves from posing as someone else to obtain medical care, although this form of identity theft is less common.

Alex Johnson, assistant director of the external audits and investigations department of The Regence Group, an affiliation of Blues plans in the West, said physicians might not get paid for false claims submitted to insurers on behalf of someone posing as a patient.

When information breaches happen, patients, employees and law enforcement need to be told. "Early notification to the affected people is extremely important, because the sooner they can have a proactive impact, the less likely they are going to be harmed," Trites said.

She recommends coordinating the notification with law enforcement authorities and designating someone in the practice as the main contact person for patient inquiries. Patients whose identities were used to obtain other medical services might need ongoing help from the practice in figuring out how to correct their medical records.

In about half of all states, notification of such breaches is required by law, Trites said. A good place to start is with local police, though ultimately involvement by other law enforcement agencies might be warranted, depending on the nature of the crime.

In some extreme cases, physicians can be held liable for information breaches. If a physician's practice was truly negligent in how it handled the information, and that negligence led to identity theft, there could be a basis for liability under state law, said Louis Saccoccio, executive director of the National Health Care Anti-Fraud Assn., a task force of health plans and law enforcement officials.

But Kugele said that in general, if physicians follow the guidelines set forth in federal law, they should be shielded from negligence lawsuits. "If you're complying with HIPAA, you've got a reasonable defense that you were taking reasonable steps. This hasn't really been tested out in the courts ... but it's probably a pretty good defense to a negligence claim," he said.

Dr. Patchin said being a victim of identity theft taught her to put a lot more thought into disclosing sensitive personal information. "I'm very wary or careful of anybody who wants my Social Security number linked with my driver's license number," she said.

Back to top


ADDITIONAL INFORMATION

Stopping identity theft

Highlights from Federal Trade Commission guidelines on how businesses can comply with regulations about the security and confidentiality of customers' personal information:

  • Develop a written information security plan.
  • Train employees about the security plan, conduct background checks on employees who will have access to the information and ask new employees to sign confidentiality agreements.
  • Control access to sensitive information by requiring passwords that must be changed regularly.
  • Develop policies for appropriate use and protection of laptops, PDAs, cell phones and other portable devices.
  • Lock rooms and file cabinets where records are kept.
  • Encrypt sensitive customer information when it is transmitted electronically.
  • When possible, avoid storing sensitive data on computers with Internet connections.
  • Maintain and secure backup records to electronic data.
  • Burn, shred or pulverize paper documents containing sensitive information.
  • Destroy or erase data when disposing of computers, disks, laptops or other electronic devices.
  • Consider using an outside disposal company.
  • Conduct appropriate routine maintenance checks on computer systems and regularly monitor the system to look for vulnerabilities.
  • Report any suspicious attempts to access sensitive information.

Back to top


Identity theft a costly problem

About 27.3 million Americans were victims of identity theft between 1998 and 2003, according to the Federal Trade Commission. Losses to businesses and financial institutions as a result of those crimes totaled about $48 billion, while individuals lost about $5 billion in out-of-pocket expenses.

The Council of Better Business Bureaus and Javelin Research and Strategy found that the number of adult victims of identity theft declined marginally from 2003 to 2006, from 10.1 million to 8.9 million people in the United States. The total one-year cost of the fraud remained relatively flat, increasing from $53.2 billion in 2003 to $56.6 billion in 2006.

Among the subtypes of identity theft, the FTC said that about 1.8% of the anecdotal complaints recorded by its Identity Theft Data Clearinghouse are about medical identity theft. This type of crime is generally defined as using someone else's identity to obtain medical services or goods or to obtain money by filing false medical claims.

Back to top


Insuring against stolen identity

With the attention paid to identity theft, many companies -- including the AMA Insurance Agency -- offer identity theft insurance.

For anywhere from $25 to $100 per year, such policies are designed to, as the National Assn. of Insurance Commissioners says, cover the cost of "reclaiming your financial identity." Such costs taken into account would include making phone calls, making copies, mailing documents, taking time off from work without pay and hiring an attorney.

The policies are not designed to reimburse you for any bills run up in your name. Most credit card companies will cancel the charges once a report of theft has been made, as well as call you if they notice any sudden burst of activity in your account. Also, federal law provides a $50 liability limit on the unauthorized use of credit cards, according to the NAIC.

Most policies will reimburse up to $15,000, while the AMA Insurance Agency's plan goes up to $50,000. The Federal Trade Commission says most identity theft victims probably won't come close to reaching even the $15,000 level.

The NAIC recommends anyone considering purchasing identity theft insurance read policies closely to determine exactly what protection they're getting, as well as the deductible, which in some cases might be about as much as you might be spending to reclaim your name. The NAIC also recommends you check your credit record regularly to check for any unusual activity.

In some cases, such as the AMA Insurance Agency's, insurance plans are coupled with access to your credit report through Experian, Equifax and TransUnion, the major credit-reporting agencies.

Back to top


External links

Centers for Medicare & Medicaid Services educational material on HIPAA security rule (link)

National Institute of Standards and Technology for SP 800-66, a resource guide on HIPAA's security rule (link)

Back to top


ADVERTISEMENT

ADVERTISE HERE


Featured
Read story

Confronting bias against obese patients

Medical educators are starting to raise awareness about how weight-related stigma can impair patient-physician communication and the treatment of obesity. Read story


Read story

Goodbye

American Medical News is ceasing publication after 55 years of serving physicians by keeping them informed of their rapidly changing profession. Read story


Read story

Policing medical practice employees after work

Doctors can try to regulate staff actions outside the office, but they must watch what they try to stamp out and how they do it. Read story


Read story

Diabetes prevention: Set on a course for lifestyle change

The YMCA's evidence-based program is helping prediabetic patients eat right, get active and lose weight. Read story


Read story

Medicaid's muddled preventive care picture

The health system reform law promises no-cost coverage of a lengthy list of screenings and other prevention services, but some beneficiaries still might miss out. Read story


Read story

How to get tax breaks for your medical practice

Federal, state and local governments offer doctors incentives because practices are recognized as economic engines. But physicians must know how and where to find them. Read story


Read story

Advance pay ACOs: A down payment on Medicare's future

Accountable care organizations that pay doctors up-front bring practice improvements, but it's unclear yet if program actuaries will see a return on investment. Read story


Read story

Physician liability: Your team, your legal risk

When health care team members drop the ball, it's often doctors who end up in court. How can physicians improve such care and avoid risks? Read story

  • Stay informed
  • Twitter
  • Facebook
  • RSS
  • LinkedIn