Medical I.D. theft is a prescription for legal headache
By Sylvia Hsieh
October 15, 2007
A rising trend of medical identity theft – where a patient’s personal information is used fraudulently to obtain or to bill for medical services – is raising tricky legal issues for medical providers.
When misinformation finds its way into the medical file of the identity theft victim, doctors and hospitals must juggle the competing interests of the patient’s demands, federal privacy requirements and their own liability.
Unlike simple identity fraud, medical identity theft carries more than just financial consequences.
“Medically, it could be extremely dangerous both to the person who is an unauthorized user as well as the person whose identity was stolen,” said Dr. Marylou Buyse, a practicing family physician and president of the Massachusetts Association of Health Plans.
Medical identity theft most commonly occurs in the following ways:
• A patient may use a relative’s insurance card – or steal someone’s wallet and use their insurance information – to obtain medical services.
• An “insider” in a hospital or doctor’s office may misuse a patient’s insurance information to bill for services the patient never obtained.
• An experienced identity thief might obtain patients’ insurance information from an “insider” and bill for services, posing as a health care provider.
No matter how it happens, the common denominator is that the patient’s medical record can become contaminated with false information.
How big is the problem?
Up to half a million patients have been victims of medical identity theft, according to the World Privacy Forum, a non-profit research and educational organization in San Diego.
Marie Whalen, assistant vice president of ambulatory services at University of Connecticut Health Care in Farmington, Conn., said most of the cases she has seen involve someone using a relative or friend’s medical card to receive health care.
However, a significant number of cases involve an insider at a hospital or other health care organization who sells or misuses patient information to fraudulently bill for services.
In one notorious Massachusetts case, a psychiatrist obtained the personal data of his patient’s relatives and billed Blue Cross for treatment they never received. The doctor was convicted on 136 counts of fraud, but the patient spent years trying to clear up her family’s medical records.
An increasing number of civil suits against medical providers have been settled “quickly and privately,” said Pam Dixon, executive director of the World Privacy Forum, who has written a report on medical identity theft and is compiling a state-by-state list of medical identity fraud cases.
Most of the cases have been brought by patients who have notified their doctor’s office or hospital that their identity had been stolen but have not succeeded in getting their records corrected, she said.
“There’s real potential for a lawsuit if a patient arrives at a hospital unconscious and receives inappropriate treatment,” based on fraudulent information in the patient’s file, said Dixon. “I think a jury would side with the patient, not the hospital.”
HIPAA complications
The privacy requirements under the Health Insurance Portability and Accountability Act (HIPAA) can often complicate the issue.
There are three provisions under HIPAA that apply to medical identity theft.
First, the patient has a right to request a copy of his or her medical records. The medical provider can charge the patient a fee for copying costs, as well as for other documents such as X-rays.
On the other hand, a provider cannot “hold the records hostage to the payment,” because the patient might need the records for treatment purposes, said Michael Blau, a Boston health care attorney at Foley & Lardner.
However, Dixon said that most medical identity theft victims who call her organization are unable to get their records because the very nature of the crime calls into question the patient’s true identity.
There is a “harm” test under HIPAA, in which the records need not be released if it could harm a patient, so depending on how hospitals interpret this provision, sometimes they will refuse to release a patient’s file, Dixon added.
“It’s kind of a Catch-22 for doctors and health care providers. HIPAA was enacted before medical identity theft became a major problem,” said Jacqueline Klosek, an attorney and founding member of the privacy and data security task force at Goodwin Procter in New York.
A second provision of HIPAA allows a patient to request a correction to his or her medical record.
However, a provider is not required to make the correction, and there is no obligation for one provider to correct information that another provider put in the file.
“If the information came from a third party, the facility has no obligation to even consider correcting it,” said Robert Gellman, a privacy consultant in Washington, D.C.
“The only obligation is to document in the record that there has been a request for correction and what information was in dispute,” said Blau.
The third right under HIPAA allows a patient to get an accounting of disclosures, such as a list of other entities with whom the provider has shared patient information.
What providers can do
There are policies that hospitals and physician offices can adopt to help prevent medical identity theft and address it if it does occur.
Here’s a look at what experts suggest:
• Require patients to provide a photo I.D.
Many providers are requiring additional identification, such as a photo I.D., at the door.
“Will it [stop] identity theft totally? No, but it has cut down on a lot of our issues,” said Whalen of University of Connecticut Health Care.
She added that her organization will copy the photo and place it in the patient’s chart.
Although long-time patients may grumble about having to show I.D., “most people are happy because they know we’re not doing it to be a pain, but for their own protection,” she said.
• Change the way prescriptions are labeled.
Another policy adopted by University of Connecticut Health Care is to change the way prescriptions are labeled.
“The doctors used to have labels, and some patients were peeling them off and writing their friend’s name on it. We had to tell doctors not to use the labels. Now, they handwrite the patient’s name and the doctor’s name, so it can’t be altered,” said Whalen.
• Restrict inside access based on an employee’s role.
One way to protect against a security breach by someone inside an organization who could misuse patient information is to restrict access to files based on an employee’s role.
“In the past, it was easier to have only one level of access and to give everyone absolute access. It may be time to revisit that,” said Rebecca Williams, an attorney and registered nurse who co-chairs the Health Information Technology and HIPAA practice at Davis Wright Tremaine in Seattle.
Such a policy is also in step with HIPAA’s “minimum necessary rule,” which says that only the minimum amount of information should be used, disclosed or received to accomplish a given purpose, she added.
“For example, the housekeeping staff does not need to see patient records. However, nurses do, and the receptionist might need certain information like name, address and what procedures are scheduled. Even if some people are given access, that doesn’t mean they have the right to go into the records, [except] when it’s part of their job to review it,” said Williams.
• Track who has access to audit logs.
An essential element in limiting access to patient files is periodic tracking of who has had access to records.
“The idea is to monitor that access and then train staff and sanction any employee who oversteps those bounds,” said Williams.
One audit technique is to pick a random patient or a random employee and trace access that way.
Williams also recommends picking a “celebrity” patient, such as a well-known person in the community, an actual celebrity or the victim of a publicized crime.
“You want to see who has been in the records and how many hits are on the record and to investigate if there is unauthorized access,” she added.
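The role-based restriction and the audit trace described above can be combined in one review pass. The following is an added example, not part of the original article or any provider's system: the role-to-section policy, the log layout and the `assigned_to_patient` flag (standing in for "part of their job to review it") are all assumptions, and the log entries are constructed.

```python
from collections import Counter

# Assumed policy: which record sections each role may open, modeled on the
# housekeeping / receptionist / nurse examples quoted in the article.
ROLE_SECTIONS = {
    "nurse": {"demographics", "schedule", "clinical"},
    "receptionist": {"demographics", "schedule"},
    "housekeeping": set(),
}

# Constructed sample audit log (not real data):
# (employee, role, patient_id, section, assigned_to_patient)
AUDIT_LOG = [
    ("alice", "nurse", "P-100", "clinical", True),
    ("bob", "receptionist", "P-100", "schedule", True),
    ("bob", "receptionist", "P-100", "clinical", True),
    ("carol", "housekeeping", "P-100", "demographics", False),
    ("dave", "nurse", "P-100", "clinical", False),
    ("alice", "nurse", "P-200", "clinical", True),
]

def review_patient(log, patient_id):
    """Trace every access to one record; return (hits per employee, findings)."""
    hits, findings = Counter(), []
    for employee, role, pid, section, assigned in log:
        if pid != patient_id:
            continue
        hits[employee] += 1
        if section not in ROLE_SECTIONS.get(role, set()):
            findings.append((employee, "section outside role"))
        elif not assigned:
            # The role permits this section, but the access was not job-related.
            findings.append((employee, "no job-related reason"))
    return hits, findings

def review_employee(log, employee):
    """Trace one employee: the sorted list of patient records they opened."""
    return sorted({pid for emp, _, pid, _, _ in log if emp == employee})

if __name__ == "__main__":
    # "P-100" plays the part of the well-known patient picked for review.
    hits, findings = review_patient(AUDIT_LOG, "P-100")
    print("hits on record:", sum(hits.values()), dict(hits))
    for employee, reason in findings:
        print("investigate:", employee, "-", reason)
```

The second finding type matters most for insider misuse: the nurse `dave` has a role that permits clinical access, so a pure role check passes him, and only the job-related test surfaces the access for follow-up.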
• Use electronic records.
As more medical providers move to electronic records systems, it will generally be easier to prevent and detect medical identity theft.
“There will be fewer mistakes than when using handwritten paper records, because electronic records are orders of magnitude harder to gain access to,” said Ray Campbell, executive director and CEO of the Massachusetts Health Data Consortium in Waltham.
For example, electronic records systems can be programmed so data is never cached or stored locally, so every time a patient record is closed, it is completely purged, Campbell said.
New software also allows a hospital or doctor’s office to scan a patient’s photo once, so it will appear each time the electronic record is pulled up.
Massachusetts has the highest concentration of electronic medical records users in the country, with 60 percent of health care providers using electronic records, said Dr. Thomas Sullivan, a cardiologist and co-chair of the Physician’s Electronic Health Records Coalition.
Even smaller physicians’ practices in Massachusetts are changing to electronic records faster than the rest of the country, Sullivan said.
• Work directly with patients.
Experts say medical providers should be willing to sit down and work with patients to disentangle truth from fraud in their medical files.
“When there’s a case of medical identity theft, providers should make sure they are working with the patient and not applying the law mechanically. You need to work together and make sure the patient is being treated appropriately so the information can flow. You may need to pay more attention to that record as new information is added to it and make a decision about where the information should go,” said Gellman.
Some hospitals have responded to requests to correct misinformation by putting the disputed information in a John Doe or Jane Doe file, so that the disputed information is not completely lost but has been segregated from the patient’s record, said Dixon.
Questions or comments should be directed to the editor at: reni.gertner@mamedicallaw.com

