
Guidelines to Combat Medical Identity Theft Are Released by California Attorney General

November 20, 2013
by John DeGaspari
Report focuses on best practices in the age of electronic medical records

New guidelines for preventing and remedying medical identity theft have been released by the Office of the Attorney General of California. The American Health Information Management Association (AHIMA) contributed to the development of the guidelines, “Medical Identity Theft: Recommendation for the Age of Electronic Medical Records,” whose primary purpose is to contribute to best practices for healthcare providers and related organizations in managing patient information. It contains recommendations for providers, payers, health information organizations that manage and oversee health information exchange functions, and policymakers.

The report notes that medical identities are misused in two primary ways. One is consensual, in which the individual knowingly shares his or her identity with someone to allow that person to obtain medical goods or services. It cites a 2013 Ponemon Institute study that estimates that nearly half of medical identity theft victims shared their identifying information with someone they knew. Yet the attorney general’s report says that this type of theft should decline as the Affordable Care Act (ACA) extends coverage to many who are now uninsured or underinsured. Medical identity theft also occurs when the victim does not know the perpetrator, as the result of lost or stolen information or an insider abusing access to records. The report also notes that medical identity theft is underreported and costly: the Ponemon Institute study estimates 1.84 million victims in 2013, with estimated out-of-pocket costs of $12.3 billion.

The attorney general’s report says that by mandating the transfer to electronic medical records, the ACA offers the healthcare industry a way to address medical identity theft. It recommends that healthcare organizations evaluate their current practices for privacy protection and data security, and implement appropriate countermeasures. Strategic use of technology can help prevent, detect and mitigate the effects of the crime. It recommends that providers protect compromised records and thereby eliminate the risk that erroneous medical information poses to the victim’s health and quality of care.

Key Recommendations

For providers:

  • Build awareness of medical identity theft as a quality-of-care issue within the organization.
  • Make patients aware of medical identity theft, which includes using someone else’s medical ID or sharing their own, and of its potential consequences.
  • Deploy technical fraud prevention measures such as anomaly detection and data flagging, supported by appropriate policies and processes so that all red flags are appropriately investigated.
  • Implement an identity theft response program with clear written policies and procedures for investigating a flagged record. Train staff in all relevant departments on these policies and procedures.
  • Offer patients who believe they have been victims of medical identity theft a free copy of relevant portions of their records to review for signs of fraud.
  • When an investigation reveals that a record has been corrupted by medical identity theft, promptly correct the record.

For payers:

  • Make Explanation of Benefits statements patient-friendly. Include information on how to report any errors that are discovered.
  • Notify customers who have been identified as victims of medical identity theft, by email, text or another agreed-upon timely method, whenever a claim is submitted to their account.
  • Use automated fraud-detection software to flag suspicious claims that could be the result of identity theft.
  • When medical identity theft is confirmed, the first priority should be correcting the patient’s claims record to eliminate the possibility that benefits could be capped or terminated.

For health information organizations:

  • Build system capabilities that can assist in the prevention, detection, investigation and mitigation of medical identity theft.
  • Adopt policies and standards that recognize the possibility of medical identity theft. Include specific policies relating to medical identity theft as part of privacy and security policies and procedures.  

For policymakers:

  • The U.S. Department of Health and Human Services should include a medical identity theft incident response plan as a certification requirement or as one of the best practices that it is currently developing for health information organizations or exchanges and accountable care organizations.
  • The report also recommended considering its guidelines when collaborating on the development of standards and software for electronic health and suggested that they could also form the foundation of standard policies for industry self-regulation. 



