RX for Fraud

Hacking medical identities

Please sign in to save this to your favorites.

Written by: Rebecca S. Busch, RN, MBA, CFE

Date: July 1, 2013

Read Time: 9 mins

Fraud Schemes Health Care Fraud

Imagine you’re about to be married, and you’re trying to buy your first home to start your family. When you request your credit history to apply for a mortgage, you discover that supposedly you’ve received collection notices for high emergency room bills; however, you’ve never been treated in the ER.¹

Or consider that you’ve been waiting anxiously to see the results of a medical test. You receive in the mail not only your results but those of two others with their names, addresses and insurance numbers.

Or maybe you received a letter informing you that an employee at a company that provides technology-based services to medical industries had leaked 500 patients’ sensitive information and you were one of them.²

And you definitely don’t want to have Anndorie Sachs’ troubles. The local authorities mistakenly reported her as an unfit mother and threatened to take her four children away. A pregnant woman — a meth user — had stolen Sachs’ medical identity, delivered a baby in Sachs’ name, abandoned her child at the hospital and left Sachs with a $10,000 hospital bill.³

This woman’s crimes could hurt Sachs throughout her life. The perpetrator had a different blood type than Sachs, and uncorrected co-mingled medical records could result in Sachs’ death if she ever needed a blood transfusion. A future health care provider might even prohibit her from reviewing her medical records because they might not be in her name. Once Sachs disclosed that those records weren’t hers, her health care provider denied her access to them because the provider had to now protect the records of the woman who stole Sachs’ identity. Sachs was unable to verify that all the removed records were just those of the thief. The health care industry is addressing this market conflict.

COMPLEX QUAGMIRE

These scenarios happen every day as medical identity theft increases.⁴ Nearly 1.5 million Americans fell victim to these frauds in 2010, which are creating a complex quagmire in the health care market.⁵

According to the World Privacy Forum, medical identity theft (MIT) “occurs when someone uses a person’s name and sometimes other parts of their identity — such as insurance information — without the person’s knowledge or consent to obtain medical services or goods, or uses the person’s identity information to make false claims for medical services or goods.”⁶

Another professional organization, the American Health Information Management Association (AHIMA), in a practice brief, “Mitigating Medical Identity Theft,” defines MIT as “the inappropriate or unauthorized misrepresentation of individually identifiable health information for the purpose of obtaining access to property or services, which may result in long-lasting harm to an individual interacting with the healthcare continuum.”⁷

According to the World Privacy Forum, MIT “frequently results in erroneous entries being put into existing medical records, and can involve the creation of fictitious medical records in the victim’s name. … Medical identity theft typically leaves a trail of falsified information in medical records that can plague victims’ medical and financial lives for years.”⁸

WHO GETS HIT AND WHY

MIT victims usually are individuals, not organizations. According to an AHIMA report, “Identity Theft and Fraud—the Impact on HIM Operation,” those with developmental or intellectual disabilities, minors, newborns, the elderly, the deceased and persons whose information may be included on public registries (such as cancer registries) are particularly vulnerable.⁹ It’s easy for a perpetrator or group of perpetrators to simply “borrow” victims’ medical identities by stealing wallets containing insurance cards or copying insurance information from community blood pressure screenings.

The perpetrators rack up insurance claims or high charges through treatment in emergency rooms where physicians are required to treat patients regardless of insurance coverage.

Insurance companies that pay the claims along with providers (hospitals, doctors and clinicians treating patients) might be secondary victims because they often have to write off expenses incurred by the thief. They might also spend time and money in working with victims to correct medical histories and records. The most significant consequence for the providers of care is compromised medical decision making because of incorrect patient information.

Perpetrators commit medical identity fraud for many reasons: to simply obtain free services, steal benefits or services for which they’re ineligible or to perpetrate other frauds or illegal activities such as pilfering drugs for personal use or illegal distribution.

MITIGATING MIT

The AHIMA practice brief, “Mitigating Medical Identity Theft,” includes an 18-step consumer checklist guide to begin the process of mitigating MIT:

Read “Taking Charge: What To Do if Your Identity is Stolen” [See “How to Correct Errors in Your Medical Records” on p. 31 of "Taking Charge." — ed.] provided by the Federal Trade Commission (FTC). Consider completing the universal affidavit to submit to creditors on page H-1 of the publication.
Review credit reports, correct them and place a “fraud alert” on them.
If you suspect someone is inappropriately using a Social Security number, contact the Social Security Administration’s fraud hotline at (800) 269-0721.
If mail has been stolen or misdirected, contact the U.S. Postal Service at (800) 275-8777 to obtain the number of the local U.S. postal inspector.
For stolen passports, contact the U.S. Department of State at (877) 487-2778.
If a thief has stolen checks, contact your financial institution and both check verification companies: Telecheck [(800) 366-2425] and the international Check Services Company [(800) 526-5380] to place a fraud alert on the account to ensure that counterfeit checks will be refused.
Contact the health information manager or the privacy officer at the provider organization or the anti-fraud hotline at the health plan at which the medical identity theft appears to have occurred.
Request an accounting of disclosures. If the provider or plan refuses access to medical records, file a complaint with the Office for Civil Rights at Health and Human Services at (866) 627-7748.
Take detailed notes of all conversations related to the medical identity theft. Write down dates, names and contact information of everyone contacted, as well as the contents of conversations.
Make copies of any letters, reports, documents and emails sent or received about the identity theft.
Work with the organization at which the medical identity theft occurred to stop the flow of the incorrect information, correct the existing inaccurate health record entries and determine where incorrect information was sent.
File a police report and send copies with correct information to insurers, providers, and credit bureaus once the identity theft has been confirmed.
File a complaint with the attorney general in the state where the identity theft occurred. The National Association of Attorneys General provides state-by-state information.
Check with the National Association of Insurance Commissioners to determine if your state has a state insurance department for online complaints.
File a complaint with the Identity Theft Data Clearinghouse, operated by the FTC and the Internet Crime Complaint Center.
Contact the Department of Health and Human Services at (800) 368-1019 for suspected Medicare or Medicaid fraud.
Prior to seeking health care, review health records to make sure they’ve been corrected.
Change all personally identifiable information and passwords for protected accounts, sites, access points, etc. Choose unique personal identification numbers and complex passwords rather than common ones, such as mother’s maiden name, birth date or pet name.¹⁰ [Note: We’ve updated web links and information in these 18 steps. — ed.]

MIT victims have to thoroughly inspect medical bills and records to decide if their charges and medical information is correct. Victims must fight imposters’ charges and correct any altered medical information — a difficult task, at best. The ultimate insult is when a victim’s benefit plan places services on hold because the perpetrator depleted dollars in the account. (Unfortunately, the health care industry has been slow to provide ways to repair medical identities. However, it has become an emerging cottage industry because of the millions lost annually.)

The U.S. Health Insurance Portability and Accountability Act — more commonly known as HIPAA — guarantees all Americans copies of their medical records. However, unlike the laws that guarantee each person a copy of his or her credit report, HIPAA doesn’t guarantee free medical records. Some medical providers charge, and they can be quite expensive. Also, HIPAA protects the privacy of thieves’ medical information, which can further impede victims’ search for medical histories’ changes.¹¹

AUTOMATED PROCESSES TO DETECT ANOMALIES

We have to stop medical identity thieves in their tracks. With a mere click of the mouse, those who easily navigate through the electronic world can access payers’ and providers’ data, steal access sensitive information, assume individuals’ identities as patients and mix health data with victims, which causes medical and financial problems. Therefore, internal controls should be focused on authenticity and protection of patients’ identities.

Fraud examiners use automated processes to detect anomalies and flag curious patient behavior within information systems.¹² Automated auditing and monitoring works especially well in detecting unusually high numbers of records accessed in one day, which could indicate mass theft of information by an insider — “wholesale” medical identity theft.

Auditing is especially effective when used with other methods, such as role-based access, which limits individuals’ access to information based on their roles and responsibilities.¹³ For example, doctors shouldn’t be reviewing records of those who aren’t their patients, and laboratory technicians shouldn’t have access to radiology information on patients. Providers should only have the minimum necessary information to perform their roles.

IMPLICATIONS FOR FRAUD EXAMINERS

First, CFEs should develop an awareness of the problem and magnitude of vulnerabilities for individuals and organizations so they can help their communities. Second, they can conduct fraud risk assessments for potential vulnerabilities. Third, they can investigate breaches by identifying mechanisms of theft, evidence and resulting damages.

Remember — a victim of an old-fashioned identity theft can begin to measure damages by obtaining a copy of his or her credit report. However, the equivalent of a health care credit report, such as a “centralized patient record,” doesn’t exist. Therefore, while the market determines the future of centralized patient medical records (that’s another column) the ultimate advice for both CFEs and consumers is simply to be alert.

Rebecca S. Busch, RN, CFE, CRMA, is CEO of Medical Business Associates in Westmont, Ill., a health care fraud examiner and professor at Florida Atlantic University.

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or www.ACFE.com. ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be emailed to FraudMagazine@ACFE.com.

Begin Your Free 30-Day Trial

Unlock full access to Fraud Magazine and explore in-depth articles on the latest trends in fraud prevention and detection.

Learn More Already a member? Sign In