Originally Posted on the Hospital Association of Southern California (HASC) Website
Medical identity theft. While not as common nor as financially damaging as other forms of identity theft, medical identity theft can harm far more than a victim's wallet – it can be life threatening.
Now on the rise due to the increasing numbers of uninsured people, medical identity theft occurs when someone falsely uses another person's name, Social Security number, health insurance identification, and/or benefits information in order to obtain medical services or products, or reimbursement from insurers for bogus claims. Even worse, it can create a false medical record – potentially jeopardizing future care for the victim.
How does medical identity theft happen? A 2006 report by the World Privacy Forum found that most medical identity theft begins in hospitals, where identity thieves pay insiders – usually employees – to obtain medical identification information in bulk. Research shows there is a thriving black market for medical records, with many being sold to individuals without insurance who need surgeries or treatments.
How common is medical identity theft? Data collected for a federal report in 2007 revealed that more than 250,000 Americans were victimized by the crime each year. With the bad economy causing millions of workers to lose their jobs – and their medical benefits – health care providers can expect to see an increasing number of incidents where people go to a hospital with stolen insurance information seeking treatment in the names of their victims.
Medical identity theft also presents financial, operational, and administrative difficulties for health care providers, who face enormous expenses because they are forced to write-off charges incurred by the identity thieves. However, the potential medical consequences are much tougher to correct, especially with paper-based medical record-keeping evolving toward electronically-based interconnected systems.
While identity theft is a concern for all consumer-based industries, health care companies are particularly vulnerable due to the sensitive nature of the patient information they house, such as:
-
Personally Identifying Information (PII), such as addresses, birth dates, Social Security numbers;
-
Financial information, such as account numbers and credit card numbers; and
-
Medical records, including medications, HIV status, and mental health.
To protect the health – both financial and personal – of patients, hospitals need to be familiar with new Federal Trade Commission (FTC) requirements to prevent identity theft. Along with banks and other financial institutions, hospitals will be subject to the FTC's "Red Flags" Rule requiring "creditors" to adopt written prevention programs designed to prevent, detect, and mitigate medical identity theft.
The Red Flags Rule can apply to hospitals – whether the health care provider is a for-profit or not-for-profit entity or in the government or private sector – because, like financial institutions, they act as "creditors" by maintaining covered accounts and, as a regular business practice, they do not require all patients to pay for medical goods or services at the time such goods or services are provided.
The FTC Red Flags Rule for “creditors” and “financial institutions” with covered accounts was originally supposed to take effect November 1, 2008, but the deadline was extended to May 1, 2009 due to confusion over which industries and entities were subject to the rules. The deadline was then extended again to August 1, 2009, by which time hospitals would have needed to implement a written identity theft prevention program.
To help businesses – including hospitals and health care providers – gain a better understanding of the Red Flags Rule and any obligations that they may have in developing and implementing written identity theft prevention programs, the FTC has further delayed enforcement of the “Red Flags” Rule until November 1, 2009.
The written identity theft program must contain policies that identify, detect, and respond to "red flags" – patterns, practices, activities, or incidents that potentially implicate identity theft – while ensuring the program is reviewed and updated in order to adjust to changing and developing identity theft risks. The patterns, practices, activities, and/or incidents that constitute "red flags" of identity theft can include:
-
Alerts, notifications, or warnings received from a consumer credit reporting agency;
-
The submission of suspicious documentation that appears to be altered or inconsistent with other documents on file;
-
The submission of suspicious Personally Identifying Information (PII), such as multiple addresses;
-
Unusual or suspicious use of, or access to, a patient's covered account; and/or
-
Notification from patients or law enforcement authorities indicating suspected or actual identity theft.
While each written identity theft prevention program must contain the four fundamental elements – identify, detect, respond, and ensure – hospitals and health care providers should incorporate the "red flags" of medical identity theft into their program along with traditional financial identity theft. Hospitals should also modify programs to be appropriate for patients, operations, and technological capabilities.
In addition, health care providers should implement an effective pre-employment background screening program to check the criminal pasts of prospective employees to lessen the chance of hiring a candidate that would commit medical identity theft. Leading background screening provider Pre-Employ.com has partnered with the Hospital Association of Southern California (HASC) to assist in the hiring of the best and most honest health care employees.
For more information on how background screening can help prevent medical identity theft, contact Teri Hollingsworth, vice president of HR services for HASC, at 1-213-538-0763 or thollingsworth@hasc.org, or visit Pre-Employ.com at www.pre-employ.com, e-mail info@pre-employ.com, or call 1-800-300-1821.
Follow Pre-Employ.com on Twitter at www.twitter.com/PreEmploy
tahearn@pre-employ.com