Guidelines to Combat Medical Identity Theft Are Released by California Attorney General | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

Guidelines to Combat Medical Identity Theft Are Released by California Attorney General

November 20, 2013
by John DeGaspari
| Reprints
Report focuses on best practices in the age of electronic medical records
Click To View Gallery

New guidelines for preventing and remedying medical identity theft have been released by the Office of the Attorney General of California. The American Health Information Management Association (AHIMA) contributed to the development of the guidelines, “Medical Identity Theft: Recommendation for the Age of Electronic Medical Records,” whose primary purpose is to contribute to best practices for healthcare providers and related organizations in managing patient information. It contains recommendations for provider, payers, health information organizations that manage and oversee health information exchange functions, and policymakers.

The report notes that medical identities are misused in two primary ways. One is consensual, in which the individual knowingly shares his or her identity with someone to allow that person to obtain medical goods or services. It cites a 2013 Ponemon Institute study that estimates that nearly half of medical identity theft victims shared their identifying information with someone they knew. Yet the attorney general’s report says that this type of theft should decline as the Affordable Care Act (ACA) extends coverage to many who are now uninsured or underinsured.  Medical identity theft also occurs when the victim does not know the perpetrator, as the result of lost or stolen information or an insider abusing access to records. The report also notes that medical identity theft is underreported and costly—the Ponemon Institute study estimates $1.84 million victims in 2013, with estimated out-of-pocket costs of $12.3 billion.

The attorney general’s report says that by mandating the transfer to electronic medical records, the ACA offers the healthcare industry a way to address medical identity theft. It recommends that healthcare organizations evaluate their current practices for privacy protection and data security, and implementing appropriate counter-measures. Strategic use of technology can help prevent, detect and mitigate  the effects of the crime. It recommends that providers must protect compromised records and thereby eliminate the risk that erroneous medical information poses to the victim’s health and quality of care.

Key Recommendations

For providers:

  • Build awareness of medical identity theft as a quality-of-care issue within the organization.
  • Make patients aware of medical identity theft, which includes using someone else’s medical ID or sharing theirs and its potential consequences.
  • Deploy technical fraud prevention measures such as anomaly detection and data flagging, supported by appropriate policies and processes so that all red flags are appropriately investigated.
  • Implement an identity theft response program with clear written policies and procedures for investigating a flagged record. Train staff in all relevant departments on these policies and procedures.
  • Offer patients who believe they have been victims of medical identity theft a free copy of relevant portions of their records to review for signs of fraud.
  • When an investigation reveals that a record has been corrupted by medical identity theft, promptly correct the record.

For payers:

  • Make Explanation of Benefits statements patient-friendly. Include information on how to report any errors that are discovered.
  • Notify customers who have been identified as victims of medical identity theft by email or text or other agreed upon timely method whenever a claim is submitted to their account.
  • Use automated fraud-detection software to flag suspicious claims that could be the result of identity theft.
  • When medical identity theft is confirmed, the first priority should be correcting the patient’s claims record to eliminate the possibility that benefits could be capped or terminated.

For health information organizations:

  • Build system capabilities that can assist in the prevention, detection, investigation and mitigation of medical identity theft.
  • Adopt policies and standards that recognize the possibility of medical identity theft. Include specific policies relating to medical identity theft as part of privacy and security policies and procedures.  

For policymakers:

  • The U. S. Department of Health and Human Services should include a medical identity theft incident response plan as a certification requirement or as one of the best practices if they are currently developing for health information organizations or exchanges and accountable care organizations.
  • The report also recommended considering its guidelines when collaborating on the development of standards and software for electronic health and suggested that they could also form the foundation of standard policies for industry self-regulation. 




Appalachia Project to Study Relationship Between Increased Broadband Access, Improved Cancer Care

The Federal Communications Commission and the National Cancer Institute have joined forces to focus on how increasing broadband access and adoption in rural areas can improve the lives of rural cancer patients.

Survey: By 2019, 60% of Medicare Revenues will be Tied to Risk

Medical groups and health systems that are members of AMGA (the American Medical Group Association) expect that nearly 60 percent of their revenues from Medicare will be from risk-based products by 2019, according to the results from a recent survey.

83% of Physicians Have Experienced a Cyber Attack, Survey Finds

Eighty-three percent of physicians in a recent survey said that they have experienced some sort of cyber attack, such as phishing and viruses.

Community Data Sharing: Eight Recommendations From San Diego

A learning guide focuses on San Diego’s experience in building a community health information exchange and the realities of embarking on a broad community collaboration to achieve better data sharing.

HealthlinkNY’s Galanis to Step Down as CEO

Christina Galanis, who has served as president and CEO of HealthlinkNY for the past 13 years, will leave her position at the end of the year.

Email-Related Cyber Attacks a Top Concern for Providers

U.S. healthcare providers overwhelmingly rank email as the top source of a potential data breach, according to new research from email and data security company Mimecast and conducted by HIMSS Analytics.