Medical identity theft a difficult problem to diagnose and treat
CHAMPAIGN – Have you been turned down for a job or denied health insurance recently, and can't figure out why?
The reason might be tucked away in your private medical records.
And, thanks to an identity thief, the reason might be 100 percent false.
A dangerous twist on an old scam, medical identity theft happens when someone steals your identity to receive medical care or buy drugs in your name.
The victim winds up with a medical record full of false information, a bad credit rap when the bills go unpaid and sometimes all insurance benefits exhausted.
It can take years to detect medical identity theft and many more years to straighten out the mess, according to Pam Dixon, executive director of the World Privacy Forum, the organization that first brought this crime to the public's attention in 2006.
"If it happens to you, it takes two to 10 years to unravel," she said.
In a 2006 report, the World Privacy Forum found medical identity theft deeply entrenched in the health care system, with about 250,000 cases discovered.
But that was just the beginning. Dixon said an updated study her organization will release in a few months will show medical identity theft has grown, boosted by the dire economy and the growing use of electronic medical records.
Wondering if any of your medical records are stored electronically?
Virtually all the large medical providers in The News-Gazette area, including Carle Foundation Hospital, Carle Clinic and Christie Clinic, have made the switch to electronic records.
Provena Covenant Medical Center and Provena United Samaritans Medical Center have converted about half their records from paper to electronic and are in the process of converting the rest.
An inside job
Not that long ago, doctors checked a patient's medical history by flipping through a thick paper chart.
And when a patient needed medicine, the doctor pulled out a paper prescription pad and scribbled away.
Electronic medical records have done away with the paperwork, giving doctors the ability to access a patient's records on the nearest computer.
Prescriptions are zipped off electronically, arriving at the pharmacy before the patient even leaves the doctor's office.
But the convenience can come at a price: Electronic medical records are easier to access on a large scale than paper charts stored in a filing cabinet, and they're often accessed for fraudulent purposes from inside a medical organization, Dixon said.
What's more, the thefts are hard to detect because they're hidden in large electronic payment systems and widely dispersed databases, the 2006 study found.
Local hospitals and clinics contend their patient records are secure, and the cases of medical identity theft they have dealt with have been confined to a handful of patients a year posing as someone else in a hospital emergency room.
Carle Foundation Hospital catches some posers in the act, but those coming in with genuine emergencies get their medical care first and a visit from the police later, according to Allen Rinehart, director of Carle hospital's emergency room.
Often, the identity thief is someone who took a family member's medical card or other form of ID to try to get free care, said John Becker, a patient privacy law security official for Carle hospital and clinic.
Patients coming in with false IDs get caught largely because something about the person seeking treatment doesn't match something in the records of the person whose name is being used, Becker said.
Or sometimes staff members recognize the patient from a previous visit.
When medical identity theft goes undetected, the victims are left in a dangerous situation the next time they need medical care themselves, because the imposter's medical conditions, drug allergies, lab tests and treatments have become part of their records, Rinehart said.
"You have two people's medical history merged," said Julie Houska, a patient privacy security official at Carle hospital.
The federal Health Insurance Portability and Accountability Act (commonly known as HIPAA) also works against a victim trying to untangle a medical identity theft mess, Dixon said.
HIPAA gives patients the right to see their medical records. But if false information has been inserted into those records, an institution may deny patients the right to their own records in order to protect the privacy of the identity thief's medical conditions and care.
"The No. 1 complaint we get from victims is they're not shown their records," Dixon said. "They say they were impersonated. The hospital says, 'Because it's not you, we can't give you the record.' It's this horrible Catch-22."
Becker said a recent analysis conducted by IBM to see how secure Carle's patient records are from outside penetration left him confident hackers would have a very hard time breaking in.
Bill Lane, Christie Clinic's information systems director, is equally comfortable the clinic's records are secure from outside penetration, he said.
But how about from the inside?
Employees of Provena, Christie Clinic and Carle hospital and clinic all know looking at any patient records without a legitimate reason is forbidden – and grounds for immediate termination – officials of those institutions say.
"We consider a person's medical record very private, and we're very stringent on our compliance to HIPAA," Lane said.
But curiosity about a neighbor or ex-spouse sometimes gets the better of some employees, Becker and Lane said. Excuses aren't tolerated.
"What we tell them," Becker said, "is if Aunt Tilly wanted me to know, she'd tell me."
How do organizations catch employee snooping? Those electronic medical records show who looked, when they looked, and what they looked at.
And for Lane, that makes electronic records even more secure from unauthorized employee access than paper files, because who would know who looked at a paper record, he points out.
Local hospitals and clinics are in the process of tightening up patient record security even more to meet the Federal Trade Commission's new Red Flag rules, the enforcement of which is set to begin in May. Those rules require certain creditors, including doctors and hospitals, to develop and put into place identity theft prevention policies and practices.
Gretchen Wesner, a spokeswoman for the Provena hospitals in Urbana and Danville, said Provena is all for enforcement of the Red Flag rules because the ailing economy can only promote more medical identity theft.
"I think it's going to happen more and more as people are having trouble paying their bills," she said. "They're going to get more and more creative in how they get their health care."
A few steps to avoid medical identify theft:
1. Don't share your personal data. Guard the privacy of your medical information – including explanations of benefits from insurers, insurance identification numbers, prescriptions and medical bills – just as carefully as you would guard your bank and credit card statements.
2. Read all medical bills and explanations of benefits carefully, and ask questions about what you don't understand. Look carefully for dates of services and charges for services that look unfamiliar.
3. Some cases of medical identity theft go undetected until the victim is turned down for a job or insurance. If you have been rejected, ask for the reason.
4. Ask your medical providers for a copy of your records if you suspect discrepancies. It is your legal right to obtain a copy of your records from insurers and most health providers, and the charge per page must be reasonable, according to the World Privacy Forum.
If you are a Christie Clinic patient, you can register at the clinic to access most of your medical record online. Be prepared to show a photo ID when you register – a practice clinic officials say helps protect against fraud – and keep your records access password to yourself.
5. If you have been the victim of medical identity theft, the World Privacy Forum advises:
– File a police report.
– Get a copy of the notice of privacy practices each medical provider covered by the HIPAA health privacy law are required to provide patients upon request. It will describe your right to inspect and get a copy of your record and the steps to follow.
– Ask each of your medical providers for your records, and if you are ultimately refused, file an appeal.
– Know that information in your record may have been shared with others. Under the HIPAA law, you have the right to ask your medical providers and insurers to provide for free an accounting of disclosure showing what personal information of yours has been disclosed and who received it. But be aware there are permitted gaps in the information you will receive.
– For more detailed information, see www.worldprivacyforum.org/medicalidentitytheft.html.