How can you prevent medical identity theft

No one wants to be the victim of theft, especially when that theft involves their medical information. The 2017 World Privacy Forum report, The Geography of Medical Identity Theft, noted the following frustrating and potentially costly consequences of medical identity theft:

  • Long-term credit issues and financial difficulties, such as being unable to qualify for mortgages, because of debt resulting from the fraudulent use of personal information
  • Large bills for products or services that victims did not purchase or receive
  • Maximums, restrictions on copays, and other insurance limits due to fraudulent use of medical data
  • Inaccurate information becoming part of the victim’s health records (which can lead to difficulty in getting proper healthcare, being denied jobs, and even losing custody of children)

Steps your organization can take against medical identity theft

Often medical information is stolen because of breaches at the organizations that handle healthcare information. Covered entities and business associates must do everything they can to prevent this.

Enhance verification. Andras Cser of Forrester Research suggests that providers improve how they verify a person’s identity by incorporating knowledge-based authentication and ID verification via one of the credit bureaus. Using additional methods to identify someone reduces “reliance on the Social Security number for authentication and identification,” says Cser.

Train your staff. Organizations handling electronic protected health information (ePHI) should focus on their employees just as much as their technology. Generali Global Assistance President Paige Schaffer recommends training staff on ways to mitigate the risks of medical identity theft, including shredding any paperwork that doesn’t need to be retained, only gathering information on a need-to-know basis, protecting both paper and digital records, using digital instead of paper records as often as possible, and looking out for phishing emails.

Train your patients. Heather Lomax of Blaze Systems recommends that patients be knowledgeable about identity theft as well. While training often focuses on internal threats, patients also need some education because of their ability to access online health portals on potentially unsecured computers. When patients know more about these risks and how to defend against them, there is a greater likelihood they won’t use unsecured computers to access their medical data.

Patients should understand that sharing their medical information puts them at risk. There is a good chance their data will be used fraudulently if someone requests it from them by email or over the phone. Patients have to sign an authorization in order to allow the release of their health records over the phone. Your patients should end a phone call immediately if the caller asks for healthcare information and cannot immediately confirm the organization from which they are calling.

Incorporate snail mail. Insurers can use snail mail as a way to confirm treatment with patients.

Safeguard ePHI. Protecting against identity theft is, in large part, about following the parameters of the HIPAA Security Rule: setting up technical, administrative, and physical safeguards to mitigate risks uncovered through routine risk assessments.

Technical protections are certainly a high priority, according to Lomax. You need to have strong systems integrated with security best practices. The portals used by carriers, as with other ePHI systems, should use strong managed multifactor authentication.

You also should have signed business associate agreements (BAAs) in place.

Know how to respond and recover. You need to have an incident response plan that is thorough and routinely updated. The plan should discuss the steps to be taken if a breach is detected, both in terms of stopping the invasion and properly handling any ePHI that is involved. Notifications should be sent to patients, as well as to the HHS and potentially the media (per the Breach Notification Rule).

Choose strong partners. If you think your organization could use outside help with infrastructure setup and management, tap the expertise of credible healthcare service providers who have experience meeting federal rules for a spectrum of organizational types and sizes. A strong partner will be ready and willing to sign a BAA.

Action against medical identity theft

There were approximately 2.3 million cases of medical identity theft in 2014, and that number is growing. Given all the potential consequences of this form of fraud, it is vital to take steps to prevent it by decreasing the risk of a breach. While training is critical, you should also set up proper protections and seek third-party expertise as necessary.

Keeping patient data secure starts with HIPAA-compliant online forms.

Marty Puranik cofounded Atlantic.Net from his dorm room at the University of Florida in 1994. As CEO and president of Atlantic.Net, one of the first Internet Service Providers in America, Marty grew the company from a small ISP to a large regional player. To keep pace with a changing industry, he has led Atlantic.Net through the acquisition of 16 internet companies, tripling the company’s revenues and establishing customer relationships in more than 100 countries. Providing cutting-edge cloud hosting before the mainstream, Atlantic.Net has expanded to seven data centers in three countries, with a fourth pending.

Send Comment:

Comments:

Be the first to comment.