ONCHIT takes aim at medical identity theft
The Office of the National Coordinator for Health Information Technology (ONCHIT) stated that medical identity theft is quickly becoming one of the biggest security threats a healthcare IT administrator needs to consider, given the rich trove of personal data medical records typically include. However, the industry hasn't yet reached a consensus on how to address this exploding problem.
Medical identity theft is a specific type of identity theft in which a person uses someone else's personal health information, such as insurance information, Social Security Number, healthcare file, or medical records, without the individual’s knowledge or consent to obtain medical goods or services, or to submit false claims for medical services.
“The prevention and detection of medical identity theft, along with actions to address problems that may occur as a result of medical identity theft, are necessary steps to build consumer trust in electronic health information exchange,” said Robert M. Kolodner, MD, Department of Health and Human Services national coordinator for health IT. “In order to build that trust, all aspects of the problem must be understood, including how health[care] IT provides opportunities for prevention, detection and remediation.”
In 2001, William Winkenwerder, assistant secretary of defense for health affairs, stated that “privacy and security are the Chernobyl that is waiting to happen for the healthcare industry.” By 2006, the World Privacy Forum, a San Diego-based non-profit privacy research group, was calling medical identity theft “the least studied and most poorly documented of the cluster of identity theft crimes.” In addition, it noted that “medical identity theft typically leaves a trail of falsified information in medical records that can plague victims’ medical and financial lives for years.”
In an effort to assess and evaluate the scope of the medical identity theft problem in the United States, ONCHIT awarded approximately $450,000 in 2008 to the McLean, Va.-based management, healthcare, defense and national intelligence services consultant Booz Allen Hamilton to examine healthcare IT and medical identity theft. Their report, released late last week, sets forth potential actions the federal government and other stakeholders can undertake in working toward prevention, detection and remediation of medical identity theft.
Three overarching elements were considered throughout those processes: prevention activities that may assist in stopping medical identity theft from occurring; detection activities that assist in accurately identifying instances of medical identity theft once they have occurred; and remediation activities that assist individuals who are victims of medical identity theft after a theft has occurred.
The patient, according to the report, is the party with the most to lose in a medical identity theft. “Some potential effects on the consumer include compromise of patient care as a result of inaccurate health information entering his or her health record; inability to receive health insurance or other benefits; or financial obligations for services that were never received,” the authors wrote.
Preliminary data compiled by the Federal Trade Commission in 2006 suggested that there were approximately 250,000 victims of medical identity theft, although this estimate is generally agreed to no longer be a reasonable measure of the scope of the problem.
“Although the true magnitude of the problem remains to be quantified, the information that is available on current cases is serious enough to demand a look at what can be done now and what can be done in the future to better understand the problem,” the authors noted.
Healthcare IT plays an increasingly important role in the prevention and detection of medical identity theft. “The ability to track, monitor and audit health data electronically has the potential of helping to address the issue of medical identity theft,” the authors wrote. “For example, using role-based access that allows individual access to health data on a need-to-know basis, combined with ‘red-flag’ type auditing practices focused on identifying anomalies, may be helpful in preventing and detecting medical identity theft.”
These types of systems for prevention and detection must be built into healthcare IT deployments now and in the future, according to the report, which offered six potential actions for business processes and technology:
1. Develop communication tools for use among departments within stakeholder organizations to allow for cross-communication, and update business processes to incorporate this communication;
2. Develop a model for data integrity management using current examples of hospital industry best practices;
3. Identify best practices for auditing and monitoring that are applicable to medical identity theft;
4. Explore opportunities to tailor auditing and monitoring for identifying medical identity theft in the Medicare and Medicaid populations using existing contract vehicles;
5. Develop metrics and studies to assess the effectiveness of various types of new patient authentication practices combined with cost-benefit analyses to determine the appropriate threshold for investment and implementation; and
6. Develop model incident response plans for medical identity theft based on current best practices.
“The development and adoption of health[care] IT relies significantly on the trust of the security, validity and accuracy of the system by consumers and those involved in health information exchange,” the authors wrote. “Consumers want to be assured that their health information will be handled with privacy and security in mind. Providers want to know that the information they are using for the purpose of diagnosis and treatment is accurate and secure. These factors are directly linked to adoption because neither consumers nor providers will totally embrace health[care] IT without confidence that these concerns are being addressed.”