Hospitals upgrade their defenses as medical identity theft continues to rise
By Nancy Maes
According to the Federal Trade Commission (FTC), about nine million Americans have their identities stolen every year. Medical identity theft, a fast-growing part of that fraud, creates a variety of problems. A clever thief may use a victim’s name and his or her health insurance—sometimes to the maximum—to receive medical treatment. In 2013, the average out-of-pocket cost per victim was $18,660, according to the Ponemon Institute’s independent research on the topic. In addition, victims whose identities have been stolen will have inaccurate information in their medical records that could compromise their health.
In an effort to combat this threat, the FTC led the charge to create the Red Flags Rule in 2007 to require financial institutions and creditors to set up programs that would deter and recognize the signs of potential identity theft. The regulations were supposed to go into effect in 2009 but were delayed in part because the American Medical Association (AMA) objected to having physicians covered by the program. The Rule was clarified in 2010 to more narrowly define the creditors covered by theregulation. It went into effect in 2013.
“Most independent physicians are not covered by the Rule,” says Steven Toporoff, attorney in the FTC’s division of privacy and identity protection in the Bureau of Consumer Protection. “Hospitals may be considered creditors if they defer payment of goods or services, if, for example, [after the fact], they bill people who go in for a procedure. They will be covered by the Rule if, in addition, they also use credit reports or report to credit-reporting agencies if there are delinquencies in the ordinary course of their business, or if they make loans.”
Although hospitals are not required to submit their Red Flags Rule program to the FTC, the commission will look at their policies and procedures if it receives a complaint about medical identity theft at an institution.
The University of Illinois Hospital & Health Science System (UI Health) has had a Red Flags Rule policy since 2009.Marc DeVar, senior revenue cycle director at UI Health, says, “The original FTC Rule established a due date of 2009, although that later changed, but because we had already implemented our process to comply with the original date, we decided to move ahead with our policy and internal procedures.”
He says that only a few cases of identity theft at UI Health have been detected each year since the policy was put in place.A Red Flag problem might be recognized when apatient presents an ID card that looks fraudulent or when a medical professional suspects an inconsistency between a patient’s record and the medical problem of the person who has stolen that person’s identity. Most often, the medical identity theft is detected when patients call to report bills for treatment they have not received.
“We immediately put the bills on hold for that person. If the Red Flag is verified as a fraudulent activity and health insurance has paid us, we refund the money, and oftentimes those bills remain unpaid, [so] we have to write them off,” DeVar says. “All Red Flag cases go to our privacy officer, who goes through the entire health system records to find out more about the fraudulent activity and puts a Red Flag alert in the system so that when someone checks in under that name, the person will be asked to provide further identification. When the privacy officer is notified, the police may be contacted at the same time, depending on the case.”
When patients arrive to see a doctor who works for the NorthShore University HealthSystem, a small camera on a tiny tripod on the counter of the check-in desk is there to greet them. Its purpose is to capture faces and input those faces into a database. The concept may seem Orwellian, but hospital administrators say it’s for the benefit of the patient’s true identity. Although it’s not a requirement of the Red Flags Rule, it adds an extra level of precaution.
Kati Hochstadt, senior director of revenue cycle at NorthShore, says that a patient is asked for an official government-issued ID card with a photo, such as a driver’s license, which is scanned for future reference, and at the same time the patient can also have his or her photo taken at the registration desk. It will be added to the patient’s electronic medical record to verify his or her identity in the future.
“Once you’ve shown your driver’s license and had your photo taken, you don’t ever have to show your driver’s license again,” Hochstadt says. “We want to make sure that people aren’t defrauding the system by using another person’s information and insurance. So in the future, the photo will be a visual reminder for the registrar that the person standing in front of them is indeed the patient. If we suspect a problem, we put a fraud alert onto the account, and we have people who will investigate it in more detail.”
But the purpose of the photo placed in a patient’s file is not just to prevent or detect fraud; it also eliminates the need to ask for an official photo ID for each visit and allows staff and medical professionals to learn to connect a face to a name and better personalize healthcare.
According to Holly Geroulis, the senior project manager of health information technology at the NorthShore, patients don’t have to fear that their photos will be beamed out into the world by someone who has illegally gained access to the hospital’s database.
“These systems have a high level of security,” Geroulis says. “And if the photos were hacked, there is no information about the background of the patient linked to them.”
NorthShore’s cancer centers do not take photos in deference to patients whose appearance may have been affected by chemotherapy. NorthShore is also currently working out issues involved with taking ID photos of children at their pediatricians’ offices. Hospital officials are trying to decide at what age to start taking pictures of children since a baby’s appearance changes so rapidly. In addition, it’s difficult to take photos with cameras positioned on reception desks that are taller than young patients. Independent doctors who are not employed by the hospital but are affiliated with it can currently test taking ID photos of their patients to see whether they want to adopt this procedure permanently as a convenience.
DeVar says they don’t currently take photos of patients as a part of the registration check-in process at UI Health, but are considering adding it in the future to further enhance their Red Flag protocol.
While hospitals are now required to detect and prevent medical identity theft, patients can also be vigilant and be on the lookout for clues that might reveal they have become victims of this fraud. Assistance is available at ftccomplaintassistant.gov.