Healthcare Information Security

Patient Privacy News

AHIMA underscores medical identity fraud prevention advice

By Patrick Ouellette

Many healthcare IT security professionals have adopted patient privacy philosophies that revolve around clinical staff and those who handle protected health information (PHI) treating the data as though it were their own. The growing need for this type of thinking was highlighted in a recent Journal of AHIMA article that takes a look at medical identity theft and highlights best practices.

The American Health Information Management Association (AHIMA) said in the article, titled “Combating Medical Identity Theft,” that health information management (HIM) professionals and patients can take certain steps to help stop medical identity theft prior to major damage being done to patients’ lives. Here are AHIMA’s recommendations for providers:

- Build awareness of medical identity theft as a quality-of-care issue within your organization.

- Make patients aware of medical identity theft, which includes using someone else’s medical ID or sharing theirs, and the potential consequences.

- Implement an identity theft response program with clear written policies and procedures for investigating a flagged record. Train staff in all relevant departments on these policies and procedures.

- Deploy technical fraud prevention measures such as anomaly detection and data flagging, supported by appropriate policies and processes so that all flags are appropriately investigated.

- Offer patients who believe they may be victims of identity theft a free copy of the relevant portions of their records to review for signs of fraud.

- When an investigation reveals that a record has been corrupted by medical identity theft, promptly correct the record. Use a procedure appropriate for the circumstances, such as removing the thief’s information from the victim’s record and placing it in a separate “medical identity theft file,” or leaving the thief’s information in the victim’s record but flagging it as not belonging to the victim.

The patient component of the advice is important as well because patients, along with providers and payers, must be proactive and aware of potential medical identity theft. AHIMA listed five items for patients to watch for, including: receipt of a privacy breach notice from a healthcare organization; an unknown item in an Explanation of Benefits statement; false notice of reaching a health insurance benefit limit; a call or letter from a debt collector about an unfamiliar medical bill; and questions about identity or health conditions during an intake at a doctor’s office or hospital.

“This is another opportunity for HIM professionals to demonstrate leadership by proactively building awareness of medical identity theft threats and developing and implementing a defined identity theft response plan,” said AHIMA CEO Lynne Thomas Gordon, MBA, RHIA, CAE, FACHE, FAHIMA. “HIM professionals can also provide consumer education on the importance of monitoring statements from the insurance company and healthcare providers for erroneous information.”

The article also referenced some tips from the “Recommendations for the Age of Electronic Medical Records” report by Kamala D. Harris, Attorney General of the California Department of Justice, which was published in October and includes medical identity fraud avoidance tips for healthcare organizations.

AHIMA also included recommendations for health information exchange (HIE) organizations:

- Build system capabilities that can assist with medical identity theft mitigation.

- Write policies and standards that recognize the possibility of medical identity theft.

All of these tips viewed in totality should serve as a reminder that medical identity fraud prevention requires cumulative efforts among providers, patients, payers and HIEs.

