By Robin Bowe, BSN, RN, CHC
Copyright © 2012 by Kern Medical Center, County of Kern, CA. All rights reserved. Printed with permission.
Medical identity theft is a growing concern for healthcare providers and healthcare consumers. Defined under the Fair and Accurate Credit Transaction Act of 2003 as “fraud committed or attempted using the identifying information of another person without authority,” medical identity theft causes financial headaches for patients and providers and can cause safety concerns by mixing individuals’ health records.
The Health Insurance Portability and Accountability Act (HIPAA) and the recent Red Flags Rules have called on healthcare providers to better protect patient information-including protection against medical identity theft.
Some healthcare facilities are now proactively taking on medical identity theft at their facilities, forming response teams and implementing stricter identification processes to both prevent theft when it occurs and help clean up the chaos that takes place in its wake.
Forming a Medical Identity Theft Team
In 2007, Kern Medical Center (KMC), located in Bakersfield, CA, identified a need to provide a more user-friendly and coordinated process for customers and staff filing medical identity theft complaints. This led to the creation of a Medical Identity Theft Team charged with educating staff on theft prevention and detection, simplifying medical identity theft reporting, and routing the facility’s medical identity theft complaint form.
Key members of KMC were brought together on the team and buy-in was sought from various organization leaders. The team consists of two people from the health information services (HIS), billing, admitting/registration, and financial services departments, and one member from the compliance department-all areas commonly impacted by medical identity theft. Their first goal was to create strategies for complying with HIPAA and other identity theft laws, as well as develop strategies for preventing identity theft.
The Medical Identity Theft Team created a streamlined process for the handling of identity theft, and promoted a proactive response with the hope of curbing incidents. The team took a four-point approach, focusing efforts on:
- Training staff to recognize medical identity theft
- Training on how to mitigate medical identity theft
- Increasing/supporting reporting of medical identity theft
- Determining and promoting each department’s role in preventing medical identity theft
HIS’ Large Role in Theft Prevention
The HIS department has a critical role in mitigating identity theft, according to Beverly Langella, KMC health information supervisor. Theft victims typically can have their records hijacked with inaccurate information that belongs to the person who stole their identity. If this information is not removed, it can cause serious health consequences as providers use inaccurate data to treat the victim patient.
“Correction of the medical records of identity theft cases quickly and accurately is the most important aspect for patient safety, first and foremost, but data integrity is also important for research projects, public health reporting, and quality reporting, not to mention other regulatory audits such as the Recovery Audit Contractors (RAC),” Langella says.
When medical identity theft is reported at KMC, the HIS department sends out an identity theft packet to the complainant. The packet instructions request that the patient send back any type of police report filed, a Federal Trade Commission affidavit, or other information that would assist the KMC Identity Theft Team in handling the case. The victim patient is also asked to print and sign their name three times, provide a driver’s license and Social Security card copy or other acceptable form of governmental ID-such as a US Passport, photo identification card, or USCIS Legal Permanent Resident Card (Green Card).
This information is used for identification purposes, comparison of demographic data, and signature comparison on any documents that may have been signed by the thief while acting as the victim. Some of the health documents reviewed by the team include:
- Conditions of admissions
- Acknowledgment of receipt of notice of privacy practices
- Any consent for procedures
Consumer Complaint Investigation Process
Below is a summary of the medical identity theft process followed by KMC’s Medical Identity Theft Team departments when possible fraud is detected:
- The consumer files a written report of complaint regarding the medical identity theft incident
- Each complaint is scanned and sent to each Medical Identify Theft Team department
- The department receiving the complaint obtains photocopies of identification: valid driver’s license, state identification card or passport, and Social Security card for the theft review
- The consumer must sign their name three times and/or (if unable to sign) print their name three times for comparison on potentially fraudulent documents
- A police report or FTC affidavit is filed
- KMC informs the consumer that these documents will be sent to the Medical Identity Theft Team for investigation and a copy maintained by the compliance department
- Team completes investigation and follows up with appropriate departments if mitigation is necessary
Team Leads Theft Investigation Process, Resolution
The Medical Identity Theft Team follows a specific process for investigating and resolving an incident. Nearly all of these investigations directly include the health information services department. The team reviews medical records in the Master Patient Index for other patients with the same name, date of birth, or Social Security number as the victim to find documents created through the fraud. The team also reviews records for signatures, other identifiers such as height and weight, names of parents, and checks records for potential criminal history and photos.
After the investigation, the team reviews the case details to determine whether or not two different individuals have used the same patient information.
If the outcome of the review reveals an incorrect registration has occurred, then KMC will work to correct the incorrect demographic data, if information is available. A medical identity theft flag will be placed on the account if additional information is needed, and the correct patient will be identified and contacted to assist in correcting their account and medical records.
Scrubbing the Record Clean
Actually correcting a medical identity theft victim’s health record falls to the HIS department at KMC. The process varies depending on whether it is print, scanned, or electronic records that need corrections.
For print records, HIS staff first create a new folder with the proper name and an accurate medical record number. A new demographic label is then made with the correct information. Records are moved to the appropriate chart, and a medical identify theft flag is logged in the facility’s information system so staff know to monitor for future identity theft activity.
With scanned records, HIS first print the record. New demographic labels are created and placed on the chart. Documents are then re-scanned into the correct medical record and a medical identify theft flag is placed in KMC’s information system.
With electronic records, first the correct identification of the patient is corrected in the electronic health record. A correct patient file is created using accurate demographic data. Data files are then transferred to the correct medical record, and the record receives a medical identify theft flag in the information system.
If the Medical Identity Theft Team and HIS are unable to completely identify either the individual committing the identity theft or the victim, KMC limits the record to providers and clinical staff with certain view privileges and blocks record editing. HIS then creates a new account and names it “Identify name of patient/person unknown.” The record editing is blocked and privileges limited since the true identity of the patient/person is unknown and KMC does not want healthcare providers erroneously or inadvertently documenting care in the wrong record.
If the team is successful in investigating and mitigating the incident, an e-mail confirming resolution of the case is sent to all Medical Identity Theft Team members and a notification is sent to the person who filed the complaint as well as the victim of identity theft (if they are different people).
Professional fee billing companies are then notified of the incident, and word of the incident is communicated with the patient billing department so any outstanding medical bills can be corrected.
Day-to-Day Functions of the Team
The Medical Identity Theft Team at KMC meets on a monthly basis. All communications are handled electronically and information is shared via a spreadsheet that tracks theft or mis-registration cases. Twenty-four hours a day, seven days a week, any staff member can access the file and see the status of an investigation or receive an update on actions taken.
If one of the KMC departments receives a written complaint of medical identify theft, the complaint is scanned and forwarded to the Medical Identify Theft Team. Each department represented on the team has different responsibilities for mitigating a medical identity theft case.
For example, patient financial services representatives help mitigate the monetary and billing consequences of medical identity theft. They communicate by telephone with any collection agency assigned to the case and put a hold on the victim’s account until the investigation is complete. A note is made in the KMC information system regarding this phone call to track communication. Patient financial services staff also update the collection agency throughout the investigation and notify them of the complaint investigation outcome.
When a possible identity theft is reported, representatives from the patient billing department place a hold on all account bills until a determination has been made on the theft claim.
The compliance department coordinates with HIS to file a report with law enforcement for all claims over $7,500 and coordinates with billing department theft team members to complete corrections on any patient bills related to the incident.
Sample Medical Identity Theft Patient Flags for EHR
KMC uses the “H series” of flags to identify identity theft accounts or accounts with incorrect demographic information in their information systems. If demographic data is incorrect, the patient can present to any registration area and the registration staff can verify the data.
- H1 – Identity (ID) Theft
- H2 – Social Security Number (SSN) invalid
- H3 – ID Theft, address not valid
- H4 – ID Theft, phone not valid
- H5 – ID Theft, address or phone not valid
- H6 – SSN, address invalid
- H7 – SSN, phone invalid
- H8 – SSN, address, phone invalid
- H9 – Copy and check ID
Training on Medical Identity Theft
All employees at KMC receive basic medical identity theft training based on the Red Flags Rule requirement that healthcare providers develop identity theft tracking and mitigation plans. The training defines the Red Flags Rule, lists common medical identity theft scenarios, reviews the forms of identification that staff should accept, and teaches employees other methods to detect identity theft. Medical identity theft training includes:
1. Pay attention to alerts
- Notifications or other warnings from consumer reporting agencies or service providers should be noted and followed, not ignored
2. Be alert for suspicious documents
- Social Security cards, driver’s licenses, or other governmental identification that do not match each other or do not match the person seeking service in the Master Patient Index can be a red flag for fraud
- Watch for forged or altered documents (i.e., initials or numbers that do not match information on file)
- Staple or hole-punch marks in the original document may reflect that the document has been reproduced or reflect that there has been tampering of an official document
- Documents that have been ripped and then and put back together
3. Pay attention to suspicious conduct; unusual use or suspicious use of a patient account should be reported, such as:
- Payers calling and alerting the provider about an identity theft in progress
- Unauthorized access to the electronic or paper medical record or financial or billing information
- A family member calling a patient by a different name than they registered
- Notice from customers, victims of identity theft, or law enforcement authorities regarding specific individuals or specific conduct
- Presenting a Social Security number, birth date, address, family contact information, or diagnosis that does not match what is in the facility’s computer records (i.e., patient needing a gallbladder surgery when the medical record states the patient has already had one)
4. Keep current on the changing methods and practices of criminal fraud
- Ensure that policies and procedures are updated periodically to reflect changes in the law and changes in the risks to the facility from medical identity theft
5. Watch for other signs of possible identity theft, including:
- HIS reports showing duplicate Social Security numbers
- Clinical provider reports of extreme variations in height, weight
- Case management reports of wrong demographic information in post-patient interviews
- Individual calls or reports notifying of possible medical identity theft
Reporting Actual or Suspected Fraud
Investigations don’t always reveal that errors in a record are due to fraud. But when they do, KMC follows specific processes to report and resolve the matter. If a possible theft is detected while the suspect is still in the facility, the unit supervisor, privacy officer, risk manger, or hospital shift manager is notified of the issue and then conducts interviews with the possible identity theft suspect. During the interview, a request for essential identification is made, like a driver’s license, Social Security card, or military identification.
If the identification does not match the information stored in KMS’s computer system, or no identification is provided, the supervisor informs the identity theft suspect that appropriate identification (Social Security card, driver’s license, and passport) will be needed for treatment-unless the patient is in the emergency department. The inpatient area then completes an identity theft form and sends it to the compliance coordinator.
All submitted documents are then reviewed by the Medical Identity Theft Team as part of their investigation. They review the written complaint, police report, FTC affidavit, individual signatures, and review copies of the submitted Social Security card, driver’s license, or other accepted governmental identification. These documents are compared with the electronic or paper medical record.
This review helps the team decide if the case is either medical identify theft or just a registration error.
Team Benefits and Challenges
By implementing the Medical Identity Theft Team, KMC has been able to cast a more secure safety net around actual or suspected medical identity theft. The team has also been able to facilitate better correction of the medical record, and more accurately correct facility and professional fee billing in an organized and timely manner.
The measurable benefits for the multidisciplinary team far outweigh any negative aspect of time involvement, according to KMC officials. Customer service has improved when it comes to medical identity theft-evidenced by a decrease in customer complaints on this issue since the team was implemented. There has also been improved communication among team members, improved identity theft response time, more timely correction of the medical record, and faster processing of medical identity theft cases.
Notification and correction of the professional and facility fee billing has also sped up, and medical identity theft identification flags have been placed into KMC’s information system in a more timely manner.
Medical identity theft complaints require the involvement of numerous departments and staff. The goal is to resolve these complaints within 30 days, but meeting the deadline has been a challenge at KMC. Meeting this deadline is dependent on consumer cooperation and the work demands of KMC staff. Sometimes this is too slow for the person filing the complaint.
And although a report is made by the compliance coordinator to local law enforcement agencies, these overburdened officials typically have higher profile and priority crimes to attend to. Medical identity theft cases may be filed without further investigation by authorities, which is frustrating for both victims and facilities.
Facilities Encouraged to Adopt Theft Programs
Medical identity theft continues to be an issue for healthcare providers, patients, and caregivers. If credit damage also is involved in the crime, it may take years to correct the damage. Sadly, there is no guarantee that once corrected, identity theft will not occur again.
The approach taken at KMC to address medical identity theft complaints is one example of how an organization may take on a more proactive role to combat and resolve medical identity theft. All healthcare organizations should have in place procedures and processes to assist customers in dealing with medical identity theft issues.
Dixon, Pam. “Medical Identity Theft: The Information Crime that Can Kill You.” World Privacy Forum. May 3, 2006. http://www.worldprivacyforum.org/pdf/wpf_exsum_medidtheft2006.pdf.
Dixon, Pam and Robert Gellman. “Red Flag and Address Discrepancy Requirements: Suggestions for Health Care Providers.” World Privacy Forum. September 25, 2009. http://www.worldprivacyforum.org/pdf/WPF_Red FlagReport_09242008fs.pdf.
Fair and Accurate Credit Transaction Act of 2003. http://www.gpo.gov/fdsys/pkg/PLAW-108publ159/pdf/PLAW-108publ159.pdf.
Federal Trade Commission. “Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003; Final Rule.” Federal Register. 16 CFR parts 681. November 9, 2007. http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf.
Kern Medical Center. “Identity Theft Prevention and Response, COM-IM-430.” 2009.
Kern Medical Center. “Patient Misidentification Prevention and Response, COM-IM-450.” 2009.
World Privacy Forum. “Responses to Medical Identity Theft: Eight best practices for helping victims of medical identity theft.” October 16, 2007. http://www.worldprivacyforum.org/medicalidtheftresponses.html.
World Privacy Forum. The Medical Identity Theft Information Page. https://www.worldprivacyforum.org/category/med-id-theft/
Robin Bowe (firstname.lastname@example.org) is compliance coordinator and privacy officer at Kern Medical Center, based in Bakersfield, CA.
"Identity Crisis: Organizations are Implementing Medical Identity Theft Teams to Combat Rising Incidents "
Journal of AHIMA