Medical Identity Theft Assessment Urges Government Leadership, Health IT Integration

February 9, 2009

The House and Senate versions of the proposed federal economic stimulus package include approximately $20 billion to encourage adoption of electronic health records and other health information technology (health IT) through Medicare and Medicaid funding. If passed, medical providers that implement health IT measures will receive incentive payments over a five year period beginning in 2010. After 2015, however, CMS will penalize providers who do not meet the health IT benchmarks by reducing reimbursement rates. Despite what it promises to deliver in terms of efficiency, health IT is inherently susceptible to considerable risk.

Providing insight to privacy and security concerns associated with the movement towards electronic health record and information exchange, The Office of the National Coordinator for Health Information Technology (ONC) recently released its third and final phase of a nationwide medical identity theft assessment. ONC contracted with Booz Allen Hamilton to examine the ways in which health IT can be a valuable tool for prevention, detection, and remediation efforts associated with increasing medical identity theft.

The first phase of the assessment consisted of an Environmental Scan Report, which sought to determine the current scope of medical identity theft in the United States, including affected stakeholders in the health care industry, associated costs, and available resources. In the second phase, ONC hosted an interactive Town Hall meeting led by panels of experts in various health care fields to discuss their understanding of and experiences with medical identity theft. The assessment concluded with a Medical Identity Theft Final Report recommending a series of 34 “potential actions” for the federal government and other interested stakeholders relating to future prevention, detection, and remediation of medical identity theft.

For purposes of the assessment, medical identity theft occurs when medical goods or services are obtained through the misuse of an individual’s personally identifiable information (PII), such as name, date of birth, Social Security number, or insurance policy number. The assessment acknowledged that consumer patients are the primary victim of medical identity theft, with the potential for financial or even medical harm if inaccurate medical records are relied upon in subsequent treatment. However, costs associated with medical identity theft affect stakeholders across the health care industry, including payers, providers, health information organizations, federal and state agencies, and commercial vendors.

Highlights of the recommended “potential actions” to control medical identity theft include:

1. Coordinate Government Leadership. Currently, various government agencies address medical identity theft, but no specific agency is recognized as the leading source for information or response efforts. The assessment urges the federal government to lead coordination efforts as part of the overall health IT movement.

2. Integration With Health IT Initiatives. Health IT initiatives, such as auditing, monitoring, and restricting employee access to electronic health information, are useful mechanisms to respond to and mitigate medical identity theft. However, the expanding health IT system also greatly increases the amount of PII stored and transmitted electronically, potentially creating more vulnerability to health data breaches. Preventative medical identity theft measures must be implemented as part of current and future health IT initiatives to maintain the confidence of all stakeholders regarding electronic privacy and security concerns.

3. Improve and Enforce HIPAA Privacy and Security Standards. Rather than creating an entirely new system to address medical identity theft, improve upon existing regulations to reflect new concerns and utilize available enforcement mechanisms to ensure compliance.

4. Explanation of Benefits (EOB) Transparency. While EOBs provide a summary of billed medical services, technical insurance language and codes often confuse patients. Increased transparency in EOBs and more user-friendly terminology provide patients with a better opportunity to detect discrepancies between medical services billed and received.

5. Right of Access Education. The HIPAA Privacy Rule’s right of access generally allows individuals to review and obtain copies of their protected health information (PHI) in designated record sets of HIPAA covered entities (i.e., health care providers that conduct covered financial and administrative transactions, health care clearinghouses, and health plans). Patients are often the first line of defense in spotting medical identity theft in their records; however, the right of access option is rarely utilized and not well understood. Especially with the shift of PHI from paper-based to electronic form, increased efforts to educate and encourage patients to view their records electronically can mitigate the time it takes to detect medical identity theft.

Full texts of the Medical Identity Theft Assessment can be found on the HHS Health Information Technology site.

If you have any questions regarding medical identity theft, health IT initiatives, or HIPAA Privacy and Security compliance, please contact any member of the McGuireWoods Health Care industry group.