Editor's note: This is part one of a series about medical identity theft. Look for part two in an upcoming issue of BOH.
Privacy and security officers are sitting on a hoard of valuable data: medical identity information. Social Security numbers. Medicare, Medicaid, and other insurer numbers. Credit card and bank account information. This data can fetch a high price on the black market, and medical identity theft costs patients, providers, and insurers millions of dollars a year. The lure of medical identity information makes healthcare organizations an appealing target for criminals, from large operations launching sophisticated hacking schemes to smaller groups running tried and true fraud scams.
A 2015 study conducted by the Ponemon Institute and sponsored by the Medical Identity Fraud Alliance (MIFA), the Fifth Annual Study on Medical Identity Theft, found that medical identity fraud nearly doubled between 2010 and 2014. More than 2.3 million adults were victims of medical identity theft and fraud in 2014 alone. The average cost per victim was $13,500 and the combined out-of-pocket cost was approximately $20 billion. But the financial impact is only the tip of the iceberg. Medical identity theft can result in physical harm to a patient if the medical record is altered to include another person's information such as allergies, disease status, or blood type.
Healthcare organizations often absorb some of the costs, and if the stolen PHI was used to commit Medicare or Medicaid fraud, they could be investigated by the OIG.
The stakes are high but by raising awareness and championing education and robust security programs, privacy and security officers can help their organizations stay one step ahead of criminals.
Information systems activity review is a fancy way of saying you need to monitor your network and your applications including who is looking at and manipulating your patient information. That can be an expensive, or even almost impossible, proposition when it comes to regular monitoring of access to patient information stored in electronic health records (EHR). Two of the well-known automated audit logging tools on the market, FairWarning and Iatric, are well outside the budget for small- to medium-sized covered entities (CE). The manual option, checking audit logs by hand, is slow and ineffective.
Q: Is it permissible to take pictures of patients for identification purposes as a part of the registration process? Do the patients need to sign a consent form before their picture can be taken?
A: It is permissible to take pictures of patients for identification purposes if the patient agrees to it. Since the Privacy Rule considers full-face photographs to be a patient identifier, it is a good practice to get the patient's written consent to take a photograph and file it with the patient's electronic record. The patient should be allowed to opt out of the photograph if he or she chooses.
Editor's note
Brandt is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also an advisory board member for BOH. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Nicole Votta at nvotta@hcpro.com.
Discharge planning has become more important in recent years. Not only is the government putting new focus on ensuring hospitals are helping patients to move to the next level of care more efficiently, but research shows that patients are safer and less likely to return to the hospital if these transitions are well managed.
Discharge planning has long been a challenge for organizations, but proposed revisions to Medicare'sConditions of Participation announced in November 2015 may make the process even more difficult.
