GEORGIA INTERESTING ARTICLE ON ID THEFT AND THE IMPACT IN THE MEDICAL REALM ID theft reaches medical realm - gainesvilletimes.com

ID theft reaches medical realm
Stolen health care creates headaches, incorrect medical charts, empty wallets

Identity theft can be a nightmare. If somebody steals your credit card and makes purchases in your name, you may spend hours on the phone with banks and credit agencies trying to restore your financial reputation. But medical identity theft can be even worse. Victims lose more than just money; their very lives may be at stake.

Consumers are justifiably worried about their credit cards, but they seldom think about something else in their wallet: the insurance card that their health plan requires them to carry.

Armed with the victim's name, Social Security number or insurance plan number, a thief may try to use that information to get free health care.

You may not find out about it until you get a bill for a surgery you never had, or your insurance company sends an "explanation of benefits" listing doctor's visits you never made.

More ominously, any procedures, tests or medications administered to the thief may become part of your permanent medical record. Next time you're admitted to a hospital, you may find that your chart lists the wrong blood type or says you are on medications that you've never taken. This can lead to medical errors, with potentially tragic consequences.

No one knows exactly how common medical identity theft is because the government doesn't compile data specifically on the crime. But the World Privacy Forum, a nonprofit consumer education group, estimates that at least 250,000 Americans have been victimized.

Some law enforcement officials believe the high cost of health insurance may be making this form of theft more attractive to criminals.

The electronic age also has made patient information more accessible to thieves. Last week, Emory University announced that more than 38,000 cancer patients treated at Atlanta hospitals were included in a database contained on a stolen computer.

The computer was taken from the Cincinnati office of Electronic Registry Systems, a vendor that collects cancer data from hospitals to be entered into the federal registry.

Though it's not clear whether the person who swiped the computer even knew about the database, the Emory patients were sent a letter advising them to put a fraud alert on their credit reports.

How to stop a thief

Health care providers in the Gainesville area say they're not aware of any recent cases of medical identity theft. But all are trying to make patient information more secure.

In 2001, the Longstreet Clinic, Gainesville's largest multi-specialty physicians' group, became the first in the city to switch to a "paperless chart" system.

"There are many advantages to electronic medical records," said Loren Funk, chief operating officer at Longstreet. "But it does provide opportunities to people who might use (patient) information in a bad way."

Longstreet's system is firewall-protected and undergoes security checks to make sure hackers can't break in. The clinic also physically restricts who can use the computers.

"Access to charts is based on need to know," Funk said. "Not every employee can see a patient's record, only those directly involved with that patient's care. If an employee walks away from the computer, they must log out. And we don't allow visitors to roam the building unescorted."

Insurance companies are taking the same steps.

"Our computers are encrypted, and public access to our buildings is restricted," said Cindy Sanders, spokeswoman for Blue Cross Blue Shield of Georgia, which covers 3.1 million people.

"We've recently introduced personal health records for our members, which they can access online. The Web site has the same password protection and encryption as our in-house operations."

Still, Sanders admits, "Computers and technology are only as good as the people who program them. We're all human and we make mistakes."

One of the most important measures Blue Cross has taken is to omit members' Social Security numbers from health insurance cards.

"We assign each person a member number, which by itself is not that useful to thieves, as long as doctors and hospitals are asking for photo ID to verify the card," Sanders said.

Some insurance companies do still use a person's Social Security number as their member identification. Funk wants to see that practice abolished.

"If your insurance company is still using your Social Security number on your card, you should call them and see if that can be changed," he said.

Requiring a photo ID such as a driver's license is probably the most effective way to thwart identity thieves, although sophisticated criminals have been known to forge driver's licenses so they match the medical information.

Longstreet takes it a step further.

"We make sure patients are who they say they are. Usually we take a photograph of them and include that in the electronic record," Funk said.

He suggested that identity thieves may find it easier to get away with the crime at a walk-in clinic or emergency room, where patients and staff have usually never met each other.

"We tend to have long-term relationships with our patients," Funk said. "So if somebody comes in and says, 'I'm John Smith,' a nurse may say, 'No, I know John Smith, and you're not him.'"

Northeast Georgia Health System, which includes two hospital campuses and many outpatient facilities, requires a photo ID whenever a patient is admitted to the hospital or registers for any test or procedure.

So far, said hospital spokeswoman Cathy Bowers, "We haven't had an instance where someone presented as a patient under a false identity."

Setting the record straight

But what if identity theft happens, despite all the precautions? What recourse does the patient have?

"People should contact their provider," said Sanders. "It's up to the physicians to call us (at the insurance company) if there are mistakes or wrong information in a patient's chart. If there's fraud involved, we would go to the appropriate local authorities. We also have internal investigators who look out for things like this."

As with any form of identity theft, patients should check their credit reports. In addition, they should scrutinize every medical bill and every "explanation of benefits" they receive. They also need to peruse their medical charts.

"HIPAA (the federal Health Insurance Portability and Accountability Act of 1996) guarantees you the right to inspect your records and get a copy," said Jan Jameson, director of compliance at Northeast Georgia Medical Center.

However, the law does not prohibit providers from charging a fee for the records, and if the patient has a thick medical file, there may be hefty photocopying costs.

Jameson said if a patient believes information in their file is incorrect, they can go through a formal amendment process to get it changed. A doctor can refuse to make changes, though, if he believes they are unwarranted.

But Bowers said it's easier to prove identity theft in a medical setting than it is for, say, credit card fraud.

"Physically, no two patients are alike," she said. "If the doctor examines you, it becomes pretty obvious that you are not the same person described in your chart."

But clearing things up with the doctor or hospital is only the beginning. False information in the patient's record may have been shared with other entities, so all of those parties have to be tracked down and notified.

"As part of our privacy policy, each patient signs a form authorizing where their information can be released, and we keep logs of where their information has been sent (such as to insurance companies)," said Jameson.

"But there are some sources, such as public health agencies and law enforcement, that we are mandated to disclose information to, even without direct authorization from the patient."

Even after the patient thinks the thief's information has been expunged from their record, that data may still exist on a computer somewhere and can resurface years later.

Bowers said identity theft may be the price we pay for the convenience that computers bring to our lives.

"There's no question that electronic medical records have helped expedite patient care," she said. "So you have to balance that out against the risks of having information misused."

Contact: dgilbert@gainesvilletimes.com; (770) 718-3407

Originally published Sunday, January 7, 2007