This action might not be possible to undo. Are you sure you want to continue?
'" —Jim Rohn
February 11, 2008
In Oct. 2006, CBS's Early Show told the harrowing story of Anndorie Sachs, a 28-year-old mother from Salt Lake City who nearly had her four children taken away from her after her newborn baby tested positive for illegal drugs. The problem was Sachs hadn't delivered a baby in 2 years. It turned out a woman by the name of Dorothy Moran stole Sachs' license, walked into the hospital high on methamphetamine, delivered a baby and then left--the hospital, the baby and Sachs with $10,000 bill. That's just one of the hundred of medical identity theft stories that broke out after Pam Dixon, executive director of the World Privacy Forum, published her ground-breaking 56-page report, "Medical Identity Theft: The Information Crime That Can Kill You," in 2006. The report not only proved medical identity theft existed, it found the number of Americans identifying themselves as victims had tripled in just 4 years, to more than a quarter-million in 2005. So where did this new crime come from? It's likely the crime existed in some capacity for years, Dixon said, but blame the digitization of medical records for allowing the crime to reach new and greater proportions only recently. While it would have been nearly impossible for a criminal to walk out of a hospital with a stack of 1,000 paper files between their arms, criminals can now easily download 1,000 names onto a jump drive and slip it into their pocket. "It's a growing problem. It's taken us almost 2 years to find out the answer to that one question," Dixon said. "We'll go through a period where it looks like its growing simply as people become more aware it's going on, but that's happening in concurrence with the fact that we are getting more cases." How It's Different Medical identity theft, like financial identity theft, occurs when a criminal uses a victim's personal information (name, social security number, driver's license) to go on a shopping spree; only instead of a mall, they'd go to a hospital, racking up thousands of dollars in surgeries, treatment or prescription drugs.
What makes medical identity theft distinctly more harmful than its financial counterpart is that the damages stretch far beyond monetary loss: often, the criminal's blood type, allergies, medication or diseases can become entrenched in the victim's medical record, creating potentially deadly results. Sachs had a blood-clotting disorder, for example, that would prove fatal if the other woman's blood type was used. When victims set out to untangle the mess, the story somehow gets worse. Because HIPAA denies people the legal right to correct medical information in a record that's essentially not theirs, victims get stuck in a Catch-22 that's enough to drive them insane: the patient is denied the right to correct, or even see their own medical record precisely because it contains the private health information of someone else, even though that someone else is the criminal. "We're looking at a new crime set up in an old system not built to look at this crime," Dixon said. "HIPAA doesn't translate well to the digital world. The victim will go to the provider and say: 'This file has information not made by me!' [and] the institution then responds by saying: 'We can't give you a file if it's not about you.'" Without the ability to get the damaging information removed, victims may suffer further damage, such as the inability to pass pre-employment exams, bankruptcy because of bad credit and insurance denials because of diseases on their records that aren't theirs, Dixon's report found. HIM professionals--here's where you come in. Because the crime's core harm is damage done to victim's medical records, experts like Dixon aren't turning to lawyers or government officials, but HIM professionals to find solutions and help victims recover. "You are the professionals trained to handle the complexities of the health care records," Dixon said at the American Health Information Management Association (AHIMA) conference in Philadelphia last October. "You are in the unenviable position of being on the front line when a patient figures out something is wrong with a record." No Help for Victims After Dixon published her report in 2006, the phones rang off the hook, she said, "and there were some really disturbing commonalities between the victims." Victims most strikingly reported being caught in a maze of blame-shifting with no laws, no government agency and truly no one at all to get them out. Take this for comparison: have you ever had your wallet stolen? Ever had to cancel a credit card? Aside from a headache, you probably didn't suffer much damage thanks to a law that limits your liability to fraudulent charges--the Fair Credit Reporting Act (FCRA) and its recent update the Fair and Accurate Credit Transactions Act (FACTA). The problem is, there is absolutely no law that's equivalent to this in the medical world. Victims get bounced from the institution to the bill collector, with no one knowing what course of action to take, who should soak up the monetary responsibility. "Victims want to hire an attorney, but it shouldn't have to go there," Dixon said. "It should be a simple matter to have the provider say, 'OK what problems are you having, how can we help you, and here's what you need to do.' That just doesn't exist." That's exactly why one of Dixon's first responses is to establish a national-level set of procedures to standardize how providers and insurers handle medical identity theft and offer
victims a clear and effective pathway of recourse. "We are where financial identity theft was 15 years ago," she said. "We have some really basic things to get done." Dixon is calling on HIM professionals and AHIMA specifically to gather all of the key stakeholders together, from the health information, financial, insurance, public health and privacy sectors, to come to a consensus agreement on how to respond to the day-to-day issues of the crime. "It's better to do it with the experts than to let it be done to you by legislation, she said. "Even the best legislation is a compromise." Dixon offers many recommendations on what types of rights patients should receive in her report www.worldprivacyforum.org/pdf/wpf_medicalidtheft2006.pdf, including that patients have the right to receive one free copy of their medical file to spot changes and the right to be notified of any medical data breaches (stolen laptops, break-ins, etc). Some states have already taken action. On Jan. 1, California's data breach law was amended to encompass medical information, a suggestion made by California Assembly member Dave Jones in direct response to Dixon's report. "I'm really pleased we have that because it's a really fabulous protection," Dixon said. "Especially in the commercial personal health record (PHR) world with Microsoft and companies outside the health care sector who are not covered by HIPAA handling health care files, this is a really good law to protect consumers." Dixon is hopeful that this law will filter across the country. Delaware and Arkansas have added medical information to their data breach law and Florida and Nevada are considering similar laws. "That's always a good sign, but where it will take the longest is the federal level and that's where we need it the fastest," Dixon said. Red Flag Alerts To help with early detection of the crime Dixon suggests adopting red flag alerts, an idea taken from the financial sector where, if a patient tells a provider his or her ID had been stolen, the patient's medical record is flagged to keep employees on alert for fraudulent activity. "Software already allows for flagging of health care files, for example when two people with the same last name are on the same floor," she said, "so there is no reason the health care sector cannot, on its own, create red flag guidelines." This is one example where the digital age can be part of the solution. Dixon urges HIM professionals to join Health and Human Services (HHS) Healthcare Information Technology Standards Panel (HITSP) to make sure technology standards are created to incorporate the reality of medical identity theft. "HITSP is open to everyone," Dixon said. "There should be as many HIM people on that as possible." Jane Doe Extractions That's just about where borrowing from the financial sector ends, primarily because of reasons only HIM professionals truly understand. "In the financial sector you can truncate, you can't truncate someone's health care file and think that's going to be OK," Dixon said. "A lot of people ask, why can't you just delete it if it's bad?" Not having to explain is exactly the reason Dixon has turned to HIM professionals for help.
To allow victims the ability to erase fraudulent information from their file and still satisfy the complex rules of the medical record, Dixon proposes using the Jane Doe file extraction method. With this, a victim's file is purged of all fraudulent information and the Jane Doe file containing the criminal's info is held separately to retrace or cross-reference. "It's an elegant solution," she said. "You satisfy attorneys who want cross-references, you satisfy victims because the fraudulent info isn't in file to harm them, and you satisfy HIM professionals who want a clean audit trail." The act of picking through a patient's file and separating who's who is something only HIM professionals are qualified to do, Dixon said. And, since you'll likely be on the front line when a victim discovers fraud, Dixon is calling on HIM professionals to give victims something they don't have: a voice. Because the crime touches so many things--insurance, accounting, bill collectors, required public reporting, law enforcement and the health care file--Dixon suggests that every hospital assign a "patient advocate" to help victims navigate the complex laws, coordinate all the experts involved, and shuttle information from them to the victim. "This should be a person with really good people skills, not a lawyer who might intimidate them," Dixon said. "HIM professionals either need to do this or coordinate how this is set up." From the Inside Out Hospitals working on their own solutions absolutely have to focus on the right approach, or they may end up making the crime worse, Dixon said. And that means confronting a grim reality. Medical identity theft, it turns out, isn't committed most often by criminals posing as other patients. It is primarily an insider crime deeply entrenched in the health care system. It can be committed by doctors, hospital employees or highly sophisticated crime rings, Dixon 's report found. These "criminals" often start as good-natured health care professionals, who are at some point lured over to the wrong side by outside criminals or organized crime rings, Dixon said. Criminals may pay doctors to prescribe them expensive drugs to sell on the black market or, as in the 2006 Cleveland Clinic case, convince someone as non-threatening as the 22-year old front desk clerk named Isis Machado to sell them the private information of 1,100 patients to fraudulently bill Medicare for $2.5 million. This nuance is crucial because solutions made without the insider threat scenario in mind might actually make the crime easier for the criminals to commit. Hospitals, for example, planning to scan patients' driver's licenses or insurance cards to deter a criminal from posing as someone else are in fact offering "the most fabulous way of stealing a person's ID fully," Dixon said. "The more you collect on a patient, the more you allow an insider to steal it." The scanning, screening and monitoring should instead be turned toward the counter, on hospital employees, using things like browser controls and software audit trails, regulating how much can be downloaded and paying real attention to who's looking at what, Dixon said. Risk assessments should also be expanded to
This action might not be possible to undo. Are you sure you want to continue?
We've moved you to where you read on your other device.
Get the full title to continue reading from where you left off, or restart the preview.