Posts Tagged ‘EHR’

Beware of Racketeers Making Big Money on Patient Records – by Art Gross, President of HIPAA Secure Now


Armed robbery and drug trafficking are no longer the only crimes of choice for gangs. Instead of a gun, their newest weapon of choice is a mobile phone with Internet access. More sophisticated gang members are now targeting medical practices and using their smartphones to steal patient records.

This is part of an organized crime ring that’s netting offenders up to $50,000 a night in stolen identities and false tax return filings.

It’s not uncommon for the friend of a gang member to infiltrate a medical practice, gain access to EHRs, download patient information and hand it over to the offender. That person will book a hotel room, set up a “team” and a cell phone bank, submit false tax returns online and generate huge profits in one night.

Florida is a hotbed for this activity, and it’s spreading across the country. In California, narcotics investigators took down a methamphetamine ring and confiscated 4,500 patient records. Investigators believe the stolen information was being used to obtain prescription drugs for making the illicit drug.

Stolen patient information not only brings large Health Insurance Portability and Accountability Act (HIPAA) fines for data breaches; the additional direct and indirect costs of a breach can be financially catastrophic. And now there is a strong financial incentive to steal it: one lost or stolen patient record is valued at about $50 on the black market.

Protect your practice. Medical practices need to realize they are vulnerable to security break-ins and should take steps to reduce their risk of stolen electronic protected health information by performing a risk assessment and identifying potential “leaks.” Here are the steps organizations should take to protect this information:

  1. Inventory patient information: Capture an inventory of where patient information is stored, accessed or transmitted. Most people think of the EHR as their only source of patient records, but patient information can also be in Microsoft Word documents (patient letters), Excel spreadsheets (billing reports) or scanned images of insurance Explanation of Benefits statements. These documents could be on desktops or laptops. Patient information could also be in emails or text messages on smartphones or tablets.
  2. Assess current security measures: A security risk assessment looks at how patient information is currently protected. How often does the practice perform data backups? Is there a termination procedure for departing staff? Do employees have the minimum level of access to patient information their jobs require? Are all portable devices secured and protected?
  3. Evaluate common threats to patient information: Physical risks, the likelihood of each threat and the impact of the threat if it occurs must also be assessed. In addition to employees pilfering patient records, how is the practice protecting information against fire or flood, lost or stolen laptops containing patient information, or emails sent to the wrong patient, to name a few? If the practice stores patient information on laptops that physicians frequently take out of the office, and that information is not properly protected (for example, by encryption), a single loss may result in a large HIPAA fine: a high-likelihood threat with a high impact.
  4. Recommend additional security: A security risk assessment will identify additional security measures that reduce both the likelihood of a threat and its impact. For example, limit who can take laptops out of the office, or ensure that they are locked in a secured cabinet when not in use.
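Step 1 is the one most practices get wrong, because PHI outside the EHR is invisible until someone looks for it. The script below is an added example (not the author's tooling or anything from HIPAA Secure Now) of how a practice can start that inventory: it walks a directory tree, pulls text out of plain-text files and Office Open XML documents (.docx/.xlsx are ZIP archives of XML, so no third-party library is needed) and counts identifier patterns per file. The patterns, file layout and the fictitious sample tree it builds are all assumptions for the demonstration; tune the patterns to your own record formats.

```python
"""Inventory files that appear to contain patient identifiers (added example).

Step 1 above says PHI is not only in the EHR: it sits in Word letters, Excel
billing reports, CSV exports and plain-text notes on desktops and laptops.
.docx/.xlsx files are ZIP archives of XML, so we unzip them and strip tags
rather than depend on third-party libraries. Patterns and file layout are
illustrative assumptions, not the author's tooling.
"""
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Identifier patterns (assumed for the example; tune to your own data formats).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "phone": re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}-\d{4}\b"),
}
OFFICE_EXT = {".docx", ".xlsx", ".pptx"}
TEXT_EXT = {".txt", ".csv", ".log", ".eml", ".html", ".xml"}
BLOCK_END_RE = re.compile(r"</(?:w:p|si|c)>")   # paragraph / shared string / cell ends
TAG_RE = re.compile(r"<[^>]+>")


def extract_text(path: Path) -> str:
    """Return searchable text for plain-text files and Office Open XML archives.

    Scanned PDFs and images have no text layer and are skipped here; a real
    inventory must list them separately or OCR them.
    """
    suffix = path.suffix.lower()
    if suffix in OFFICE_EXT:
        parts = []
        with zipfile.ZipFile(path) as zf:
            for name in zf.namelist():
                # Document body lives under word/, spreadsheet strings under xl/.
                if name.endswith(".xml") and name.startswith(("word/", "xl/")):
                    xml = zf.read(name).decode("utf-8", errors="replace")
                    # Keep block boundaries as newlines so adjacent cells do not
                    # fuse into a false match; dropping the remaining markup joins
                    # Word's split <w:t> runs back into one searchable line.
                    parts.append(TAG_RE.sub("", BLOCK_END_RE.sub("\n", xml)))
        return "\n".join(parts)
    if suffix in TEXT_EXT:
        return path.read_text(encoding="utf-8", errors="replace")
    return ""


def scan_file(path: Path) -> dict:
    """Count identifier matches per pattern in one file."""
    text = extract_text(path)
    return {label: len(rx.findall(text)) for label, rx in PATTERNS.items() if rx.search(text)}


def inventory(root) -> list:
    """Return [(relative_path, {identifier: count})] for every file with hits."""
    root = Path(root)
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            try:
                hits = scan_file(p)
            except (zipfile.BadZipFile, OSError):
                continue  # unreadable/corrupt file: log it in a real assessment
            if hits:
                findings.append((p.relative_to(root).as_posix(), hits))
    return sorted(findings, key=lambda f: f[0])


def build_sample_tree() -> Path:
    """Write a constructed sample tree (fictitious data) so the demo runs offline."""
    root = Path(tempfile.mkdtemp(prefix="phi_demo_"))
    for d in ("letters", "billing", "scans"):
        (root / d).mkdir()
    doc_xml = ('<?xml version="1.0"?><w:document><w:body><w:p><w:r><w:t>Dear Mr. Doe, '
               'DOB 03/14/1961, SSN 123-45-6789, MRN 00482913</w:t></w:r></w:p>'
               '</w:body></w:document>')
    with zipfile.ZipFile(root / "letters" / "appeal_letter.docx", "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", doc_xml)
    strings_xml = ('<sst><si><t>Jane Roe</t></si><si><t>987-65-4321</t></si>'
                   '<si><t>(555) 123-4567</t></si><si><t>Total billed</t></si></sst>')
    with zipfile.ZipFile(root / "billing" / "q3_ar_report.xlsx", "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/sharedStrings.xml", strings_xml)
    (root / "billing" / "notes.txt").write_text("Staff meeting moved to Tuesday.\n")
    (root / "scans" / "eob_0012.pdf").write_bytes(b"%PDF-1.4 scanned image, no text layer")
    return root


if __name__ == "__main__":
    for rel, hits in inventory(build_sample_tree()):
        print(f"{rel}: {hits}")
```

Run against a share or a laptop's home directories, the output is a first draft of the inventory: every file that matched, with what it matched. Two caveats matter for the risk assessment itself: the scanned EOB in the sample tree is silently skipped because it has no text layer (scans need OCR or a manual listing), and a pattern scan tells you where PHI is, not whether the device holding it is encrypted or allowed to leave the office, which is what steps 2 to 4 decide.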

A thorough security risk assessment can help a medical practice identify the additional security or procedures needed to help lower the risk of common threats.

Art Gross is president and CEO of HIPAA Secure Now!

Medical Identity Fraud Alliance: A Call to Action by ITRC

The Medical Identity Fraud Alliance (MIFA) has recently published its first whitepaper, titled The Growing Threat of Medical Identity Fraud: A Call to Action, focusing much-needed attention on the urgent issue of medical identity theft and fraud.

MIFA is the first public/private sector-coordinated effort with a focused agenda that unites all the stakeholders to jointly develop solutions and best practices for fighting medical identity fraud. The whitepaper defines medical identity fraud as the fraudulent use of an individual’s protected health information (PHI) and personally identifiable information (e.g., name, Social Security number) to obtain medical goods and services or to gain financial benefit. Medical identity theft is defined as the stealing of an individual’s protected health information.

The number of medical identity theft victims in the United States increased from 1.42 million in 2010 to 1.85 million in 2012, and healthcare fraud, which almost always requires medical identity theft to commit, costs the United States at least $80 billion a year. Medical identity theft and fraud are much more complex and difficult to mitigate than the far better known financial identity theft and fraud. Because criminals can monetize a medical identity 20 to 50 times better than a financial identity, a medical identity can be worth up to 50 times as much as a Social Security number alone. That high value motivates criminals to put more effort into illegally obtaining medical identities, resulting in more and more cases of medical identity theft. As more and more PHI is converted from paper health records to electronic health records (EHR) to improve information sharing and accessibility, the PHI becomes increasingly exposed to data breaches.

In the paper, MIFA stresses that the individual must be the first line of defense against medical identity theft and fraud. Lessons can be learned from the credit card industry and how it handled financial identity theft and fraud. Issuers started by sharing fraud data and developing sophisticated analytics to identify potentially fraudulent credit card transactions, but they also began verifying the flagged transactions with the consumers themselves. This process inducted the consumer into the fight against fraud and helped the credit card industry crack down on it. The healthcare equivalent of that cooperation is the Explanation of Benefits (EOB) sent to the patient about 30 days after a medical service is provided, but people rarely read EOBs, and when they do, they rarely understand them. EOBs are therefore for the most part ignored, the communication between the consumer and the healthcare industry is broken, and insurance plans find it difficult to identify a fraudulent claim quickly.

MIFA believes that in order to mitigate the medical identity issues facing the healthcare industry today, there needs to be a coordinated approach among key stakeholders from the healthcare industry, security, compliance and privacy companies, government, law enforcement, nonprofit organizations, and academia. MIFA was formed to bring together stakeholders from each of these sectors and provide leadership to:

  • Develop an awareness, education, and training campaign for the public and the healthcare industry.
  • Inform public policy decision makers about medical identity theft and fraud and its current and evolving impact through awareness, education, and research programs.
  • Establish a comprehensive applied research agenda.
  • Promote and encourage innovative best practices, processes, and technology to prevent and detect medical identity theft and fraud.

Several key stakeholders, including the ITRC, founded MIFA and have already begun this process, but more stakeholders, cooperation and information sharing are needed. Visit the Medical Identity Fraud Alliance website and see how you can help!

“Medical Identity Fraud Alliance: A Call to Action” was written by Sam Imandoust, Esq. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

Electronic Health Records – Reducing Mistakes – or added fear of Medical Identity Theft

Keeping your own personal health records is critical when it comes to preventing Medical Identity Theft. This record can be paper or electronic, and there are also a number of online solutions. The American Health Information Management Association can help you create your own records; its web site is www.myphr.com. Portable storage devices such as CDs or flash drives, or even a smartphone, can be used to hold your electronic record. The disadvantage is that the device may be lost or damaged, and physician offices may not be able to read your records from it.
The following components should be included: Personal identification; emergency contacts (including phone numbers); health care providers (including specialists, dentists, pharmacists and their phone numbers); health insurance information; living will, advanced directives or power of attorney; organ donor authorization; current medications and dosages; allergies; immunizations; significant surgeries or illnesses; results from recent exams; and family history.
There are a number of resources and advocacy groups that help patients navigate the health care systems, an example being Guardian Nurses Healthcare Advocates.
If your own up-to-date information is always available to you and someone tries to steal your medical identity, you have a trustworthy copy of your records in your own hands, which spares you the HIPAA nightmare of trying to correct entries that never belonged to you. Be proactive about your health and every record involved in your care.
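The MIFA article above makes the point that the EOB only works as a fraud control if the patient checks it, and this article supplies the other half: a personal record to check it against. The script below is an added example (not from MIFA, ITRC or the author of this post) of that reconciliation as a patient or advocate could run it: each EOB line is matched to a visit in the patient's own log by provider and a date within a small tolerance, and anything unmatched is the claim to dispute. The visit log, EOB lines and field names are all constructed for the demonstration.

```python
"""Reconcile insurer Explanation of Benefits (EOB) lines with a patient's own visit log.

Added example: the EOB is the insurer asking "did this happen?", and a personal
health record is what lets the patient answer. A claim that no recorded visit
explains is the one to question. All data below is constructed and the field
names are assumptions.
"""
from datetime import date

# The patient's own record of visits (constructed).
MY_VISITS = [
    {"date": date(2013, 4, 2), "provider": "Dr. A. Patel", "reason": "annual physical"},
    {"date": date(2013, 5, 17), "provider": "Sunrise Dental", "reason": "cleaning"},
]

# EOB lines as an insurer might list them (constructed). C-1002 carries the
# date the claim was posted rather than the visit date, a common discrepancy.
EOB_ENTRIES = [
    {"claim_id": "C-1001", "service_date": date(2013, 4, 2), "provider": "Dr. A. Patel", "billed": 240.00},
    {"claim_id": "C-1002", "service_date": date(2013, 5, 18), "provider": "SUNRISE DENTAL", "billed": 95.00},
    {"claim_id": "C-1003", "service_date": date(2013, 6, 9), "provider": "Gulf Coast DME Supply", "billed": 3120.00},
]


def normalize(name: str) -> str:
    """Case- and punctuation-insensitive provider name for matching."""
    return " ".join(name.lower().replace(".", "").replace(",", "").split())


def find_matching_visit(entry: dict, visits: list, tolerance_days: int = 3):
    """Return the recorded visit that explains this claim, or None.

    A small date tolerance absorbs posting delays; a provider mismatch is never
    forgiven, because a provider you never saw is exactly what fraud looks like.
    """
    for v in visits:
        same_provider = normalize(v["provider"]) == normalize(entry["provider"])
        close_enough = abs((v["date"] - entry["service_date"]).days) <= tolerance_days
        if same_provider and close_enough:
            return v
    return None


def reconcile(eob_entries: list, visits: list) -> tuple:
    """Split claim IDs into those explained by the patient's record and those to dispute."""
    explained, unexplained = [], []
    for e in eob_entries:
        (explained if find_matching_visit(e, visits) else unexplained).append(e["claim_id"])
    return explained, unexplained


def disputed_amount(eob_entries: list, visits: list) -> float:
    """Total billed on claims the patient cannot account for."""
    _, unexplained = reconcile(eob_entries, visits)
    return round(sum(e["billed"] for e in eob_entries if e["claim_id"] in unexplained), 2)


if __name__ == "__main__":
    ok, suspect = reconcile(EOB_ENTRIES, MY_VISITS)
    print("explained:", ok)
    print("dispute with the insurer:", suspect, f"(${disputed_amount(EOB_ENTRIES, MY_VISITS):,.2f})")
```

The dental claim is accepted despite the one-day date difference and the upper-case provider name, while the durable medical equipment claim from a supplier the patient never used is flagged. Keep the tolerance small: widening it to cover a month would start explaining away exactly the claims an identity thief files against your coverage.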