The patient’s insurance identifier is then used by an uninsured person to obtain medical services or by a fraudulent health care provider to bill for medical services that were never rendered. Data security breaches and medical identity theft are growing concerns, with thousands of cases reported each year. The Centers for Medicare and Medicaid Services (CMS) tracks nearly 300,000 compromised Medicare-beneficiary numbers. The Office for Civil Rights has received more than 77,000 complaints regarding breaches of health information privacy and completed more than 27,000 investigations, which have resulted in more than 18,000 corrective actions.3 Beyond privacy concerns, breaches of health information security exact a weighty financial toll and endanger patients. Abuse of insurance identifiers drains money that would be better spent funding legitimate health care services. When Medicare and Medicaid overpay for services, taxpayers bear those costs.
When private insurers overpay, policyholders face higher premiums and copayments. The most obvious toll on the individual beneficiary is financial liability for services that are fraudulently obtained in the beneficiary’s name. The beneficiary may also run up against service limits when he or she later seeks reimbursable medical services. And identity breaches can deleteriously affect the quality of care. Incorrect information can infiltrate the beneficiary’s medical record and corrupt later medical decision making.
Beneficiaries have been wrongly labeled as diabetic or HIV-positive when people with those conditions obtained services using a beneficiary’s medical identity. Pharmacists have rejected beneficiaries’ legitimate prescriptions and suppliers have refused to furnish needed wheelchairs when records have incorrectly shown that the beneficiary recently received the items in question. Health care providers should better protect patients’ privacy and medical data (see table, Selected Privacy and Security Safeguards).
Traditionally, hospitals posted notices in elevators and cafeterias warning staff members not to discuss patients in public areas. The risk of electronic eavesdropping further complicates health care providers’ responsibility to protect patient privacy. In a series of compliance audits undertaken by the Office of Inspector General (OIG) of the Department of Health and Human Services, government auditors sitting in hospital parking lots with simple laptop computers could obtain patient information from unsecured hospital wireless networks. Health care providers should follow best practices to ensure that computer networks are more secure. As progress continues toward the development of a national infrastructure for electronic health information, security of electronic data becomes increasingly important. Firewalls, strong security protocols, antivirus programming, and password protections are essential. Too often, health care professionals undermine password protection, 1 OFF re out of their immediate control. The minor convenience this practice affords comes at the cost of greatly endangered data security.
Automatic, timed logout and employee training can address this problem. Similarly, attention to data security must not stop at the clinic doors; health care professionals should follow secure procedures when using portable electronic devices and home computers (see Steps to Protect and Secure Information When Using Mobile Devices). Some patient data are stolen, whereas other data are volunteered by or elicited from helpful staff members or even the patients themselves. The OIG has warned Medicare and Medicaid beneficiaries about common scams perpetrated to obtain their insurance information.
Health care providers should also educate staff members about protecting patient information. At times, people call physicians’ offices or hospitals posing as referring physicians, specialists, pharmacies, vendors, friends, relatives, or insurance representatives. Providers must teach their staff to authenticate such calls and release only information to which the caller is entitled. Patients can be important partners in protecting privacy and combating identity theft. Providers and insurers can help educate patients to protect themselves.
The OIG encourages health care providers to print multiple copies of the brochure it developed advising patients on ways to avoid falling prey to medical identity theft.5 Insurers can also do a better job of protecting patient information. Ideally, all insurers would adopt best practices that experience has proven effective. For example, Medicare and many private insurers send beneficiaries explanation-of-benefits statements or other notices whenever a service has been charged to their insurance policies.
Beneficiaries are encouraged to review these statements, even if no out-of-pocket payment is owed, since review affords an early opportunity to identify misuse of insurance benefits, such as claims submitted by a provider the beneficiary never used or for a service the beneficiary never received. Unfortunately, most state Medicaid programs do not routinely send such statements to beneficiaries, forgoing one effective tool for identifying security breaches early. Federal law affords American patients strong privacy protections. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act established legal mechanisms to ensure privacy and security of medical identity and protected health information. HIPAA created transactional security requirements for the exchange of certain health information and regulated its disclosure. HITECH expanded HIPAA in a number of ways, including by requiring notification of victims of breaches of protected health information held by HIPAA-covered entities and vendors of personal health records.
Unfortunately, however, practice often falls short of intended statutory protections. CMS and the OIG have collaborated to create instructive educational materials offering best practices for promoting privacy and data security. It is crucial that patients and health care professionals work together to safeguard patient information and prevent security breaches. Patients and providers deserve greater assurance that the next time a health care professional answers the phone and it’s “London calling,” the inquiry will be handled properly and patient privacy and health data will be adequately protected.