Make sure your HIT security system meets these 6 criteria to avoid medical identity theft | HIPAA Compliance for Medical Practices

With the government mandate across the healthcare industry to start putting all medical records online, more attention is being given to the protection of Personal Health Information (PHI). It is easy to see how personal and sensitive information could be misused if improperly disclosed. Some fear that it might be used to deny insurance coverage, impact employment, or lead to discrimination. The Health Insurance Portability and Accountability Act (HIPAA) establishes a baseline of protection that applies to health care providers and insurers throughout the United States. Its privacy requirements mandate the protection of sensitive personal information. However, there is another health-related twist on the protection of sensitive information: medical identity theft.

According to the 2013 Survey on Medical Identity Theft, medical fraud has increased nearly 20 percent in the past year, affecting an estimated 1.84 million American adults and costing victims $12.3 billion in out-of-pocket medical expenditures.

Medical fraud can occur in a number of ways, including medical personnel billing a health plan for fake or inflated treatment claims, falsifying information to obtain prescription drugs, and using another individual’s information to obtain free medical care. Often, these crimes are committed through the illegal purchase of Personally Identifiable Information (PII) or through unethical actions by healthcare providers. Whether accidental or deliberate, health care fraud leads to loss of trust in providers, hefty fines, and loss of license. For example, Columbia/HCA was required to pay $1.7 billion in fines, penalties, and damages for Medicare fraud.

This is perhaps the most frightening of all forms of identity theft, although not the most widely discussed. Medical identity theft occurs when someone uses a person’s name or other parts of their identity, such as insurance information, without the person’s knowledge to obtain medical services or goods. While the intention is to obtain medications or prescriptions, or to falsely bill insurance providers, the risk to the victim may be quite serious: a record polluted with someone else’s diagnoses and treatments can lead to inappropriate and improper medical care. While this is a critically important issue, little data has been collected and little research has been done on it.

In addition to the cost to each individual victim, medical identity theft creates a huge financial burden on public health systems. In May of 2009, the US Department of Justice (DOJ) and the Department of Health and Human Services (HHS) announced the creation of the Health Care Fraud Prevention and Enforcement Action Team (HEAT). Focusing primarily on Medicaid and Medicare fraud, this program has sought to recover billions of dollars of taxpayer money improperly billed against these systems; such fraud affects not only the long-term solvency of the system but also the vulnerable population it serves. In 2011, HEAT coordinated the largest-ever federal health care fraud takedown, involving an aggregate of $530 million in fraudulent billing.

Health insurance and medical services organizations can help prevent medical identity fraud by implementing technology to counteract attacks and monitor their customer databases for possible data breaches. When selecting the correct technology for your organization, be sure to select a solution that can do the following:

  • Discover data across the multiple information gateways in your enterprise in order to shed light on dark data and other potential sources of risk. Sensitive information may not be obvious at first glance, but it can expose an organization to an array of issues if leaked.
  • Scan content in motion or at rest against out-of-the-box or customized checks for a wide range of privacy, information assurance, operational security, sensitive security information, and accessibility requirements. Organizations require different levels of security based on regulations, subject matter, and size. Be sure to select a technology with a solid framework that can be customized to your needs.
  • Drive enterprise classification and taxonomy with user-assisted and automated classification for all content.
  • Take corrective action automatically to secure, delete, move, quarantine, encrypt, or redact risk-defined content. These automated actions can reduce costs by eliminating the need for additional hiring to continuously monitor information security initiatives.
  • Enhance incident tracking and management with an integrated incident management system, in addition to trend reports and historical analysis that measure your organization’s improvements over time.
  • Monitor data and systems on an ongoing basis to demonstrate and report on conformance across your enterprise-wide information gateways and systems.
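To make the criteria above concrete, here is an added example (not code from the original article or from any product it alludes to) of the core loop such a tool runs over content at rest: discover identifiers with a set of checks, classify each document, take an automatic corrective action (redaction), and emit a per-document report plus aggregate counts for trend tracking. The sample documents are constructed, and the MRN and Member ID formats are hypothetical placeholders for whatever your own systems use; the SSN check is a structural-validity pattern rather than a lookup, so it reduces false positives from random digit runs but cannot confirm that a number is assigned.

```python
"""Added example: a minimal PHI discovery, classification and redaction pass."""
import re
from dataclasses import dataclass

# Constructed sample corpus (not real records). The MRN and Member ID formats
# are hypothetical; replace them with the formats used by your own systems.
SAMPLE_DOCUMENTS = {
    "intake_form.txt": "Patient: Jane Roe, DOB 04/12/1968, SSN 219-09-9999, Member ID ABC12345678.",
    "billing_note.txt": "Claim for John Doe, MRN 00012345, procedure 99213, nothing else recorded.",
    "lunch_menu.txt": "Tuesday: soup and sandwich, call ext. 4521 for orders.",
}

# Each check: name, compiled pattern, severity weight, redaction strategy.
# The SSN pattern rejects structurally impossible numbers (area 000/666/9xx,
# group 00, serial 0000) so that arbitrary digit runs do not trigger it.
CHECKS = [
    ("SSN", re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), 3, "mask_last4"),
    ("DOB", re.compile(r"\bDOB\s+\d{2}/\d{2}/\d{4}\b"), 1, "replace"),
    ("MRN", re.compile(r"\bMRN\s+\d{8}\b"), 2, "replace"),                       # hypothetical format
    ("MEMBER_ID", re.compile(r"\bMember ID\s+[A-Z]{3}\d{8}\b"), 2, "replace"),   # hypothetical format
]


@dataclass(frozen=True)
class Finding:
    check: str
    start: int
    end: int
    severity: int


def scan_text(text: str) -> list[Finding]:
    """Run every check over the text and return findings ordered by offset."""
    findings = []
    for name, pattern, severity, _ in CHECKS:
        for m in pattern.finditer(text):
            findings.append(Finding(name, m.start(), m.end(), severity))
    return sorted(findings, key=lambda f: f.start)


def classify(findings: list[Finding]) -> str:
    """Map findings to a handling class: an SSN, or two or more identifier
    types together, is enough to re-identify a person and is restricted."""
    kinds = {f.check for f in findings}
    if "SSN" in kinds or len(kinds) >= 2:
        return "restricted"
    if kinds:
        return "confidential"
    return "public"


def redact(text: str, findings: list[Finding]) -> str:
    """Apply the corrective action for each finding, working right to left so
    earlier offsets stay valid after a replacement changes the string length."""
    strategies = {name: strategy for name, _, _, strategy in CHECKS}
    out = text
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        original = out[f.start:f.end]
        if strategies[f.check] == "mask_last4":
            replacement = "***-**-" + original[-4:]   # keep last four for matching
        else:
            replacement = f"[{f.check} REDACTED]"
        out = out[:f.start] + replacement + out[f.end:]
    return out


def process_corpus(documents: dict[str, str]) -> dict[str, dict]:
    """Discover, classify and remediate each document; the returned report is
    the record an incident-tracking system would ingest."""
    report = {}
    for name, text in documents.items():
        findings = scan_text(text)
        report[name] = {
            "classification": classify(findings),
            "finding_types": sorted({f.check for f in findings}),
            "risk_score": sum(f.severity for f in findings),
            "action": "redact" if findings else "none",
            "redacted_text": redact(text, findings) if findings else text,
        }
    return report


def summarize(report: dict[str, dict]) -> dict[str, int]:
    """Count documents per identifier type; compare across scans for trends."""
    totals: dict[str, int] = {}
    for entry in report.values():
        for kind in entry["finding_types"]:
            totals[kind] = totals.get(kind, 0) + 1
    return totals


if __name__ == "__main__":
    result = process_corpus(SAMPLE_DOCUMENTS)
    for doc_name, entry in result.items():
        print(f"{doc_name}: {entry['classification']} {entry['finding_types']}")
        print("    ", entry["redacted_text"])
    print("totals:", summarize(result))
```

The point of separating `scan_text`, `classify` and `redact` is that each criterion in the list maps to a stage you can tune independently: add or customize checks without touching the classification rule, or change the corrective action (quarantine instead of redact) without touching discovery. Keeping the last four SSN digits in the masked form is a common compromise that lets billing staff match a record without the full identifier being exposed in reports.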

There is much research still to be done on this subject. It is easy to extrapolate that if there are billions of dollars in Medicare fraud, those false claims may in fact be entered into the medical records of unsuspecting individuals. We don’t yet fully understand those consequences. So while it may seem like one of those cautionary tales that are simply outrageous and could never happen to you, the best advice is to “never say never” and do what you can to protect your information. Always remember that an ounce of prevention is worth a pound of cure.