"Medical identity theft occurs when someone uses a person's name and sometimes other parts of his or her identity, such as insurance information, without the person's knowledge or consent to obtain medical services or goods, or uses the person's identity information to make false claims for medical services or goods. Medical identity theft frequently results in erroneous entries being put into existing medical records, and can involve the creation of fictitious medical records in a victim's name." (World Privacy Forum, FTC Healthcare Innovations Workshop, April 24, 2008)
In December 2003, the Fair and Accurate Credit Transactions Act (FACTA) was enacted to give consumers increased protection against identity theft. The implementing regulations (the "Red Flags Rule") were published on November 9, 2007 and became effective on January 1, 2008, with a mandatory compliance date of November 1, 2008.
Although these regulations apply to many healthcare providers, the American Medical Association questioned their applicability to physicians in the fall of 2008, prompting the FTC to delay enforcement of the rule against healthcare providers until August 1, 2009.
Any financial institution or creditor that holds a covered account must comply with FACTA. A creditor is any entity that regularly defers payment for goods or services or arranges for the extension of credit. Creditors therefore include healthcare providers who regularly bill patients for services after they have been rendered, and providers who regularly allow patients to set up payment plans after services are completed. By that definition most healthcare providers are creditors; a provider that wants to fall outside it must collect payment in full, including co-payments, at the time of service. A covered account is either an account used primarily for personal, family, or household purposes that involves or permits multiple payments or transactions, or any other account for which there is a reasonably foreseeable risk of identity theft. Because healthcare services are commonly paid for in installments and carry a foreseeable risk of identity theft, most patient accounts are covered accounts.
Elements of a prevention program
A written identity theft prevention program is required for applicable healthcare providers. Covered entities must develop written policies and procedures to prevent, detect, and mitigate identity theft. Such policies should address both the misappropriation of information from the provider's own records and an identity thief's use of information obtained elsewhere to fraudulently obtain medical services from the provider. The policies should be tailored to the size, complexity, nature of operations, and actual experience of each entity. Guidelines for such policies and procedures are available in Appendix A to 16 C.F.R. part 681.
Policies and procedures should include four elements. First, the identification of patterns, practices, and specific activities that signal possible identity theft (red flags), which include:
* alerts, notifications, and warnings from consumer reporting agencies
* suspicious documents and/or personal identifying information, such as an inconsistent address or a nonexistent social security number
* unusual use of or suspicious activity relating to a patient account
* notices of possible identity theft from patients, victims of identity theft, or law enforcement authorities.
It is recommended that providers verify the identity of patients by photo identification.
Second, policies and procedures should address the detection of red flags, including verification of new patient information against proper identification, authentication of patients arriving for services, and verification of insurance information.
The third element is a provision for responding appropriately to any red flags that are detected. The response should be proportionate to the degree of risk and, where necessary, should ensure that the patient's medical record is corrected.
The fourth element is periodic updating of the policies and procedures, including a statement of how the program will be kept current. The program should reflect changes in the risks to patients from new methods of identity theft and from incidents of identity theft the provider has actually experienced.
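The red flags listed above (a nonexistent Social Security number, an address or insurance record that does not match what is on file, a patient who cannot present photo identification) can be screened for mechanically at registration. The following is an added example, not code from the original article or from the FTC; it assumes a simple intake record layout of my own, with constructed, fictitious patient data. The one external fact it relies on is the Social Security Administration's rule that numbers with area 000, 666 or 900 to 999, group 00, or serial 0000 are never issued, which is what "nonexistent social security number" means in practice.

```python
import re
from typing import Optional

# Added example: a red-flag screen for patient registration. The record layout,
# field names and sample records are assumptions made for illustration; this is
# not the FTC's code or any EHR vendor's code.

# The SSA never issues SSNs with area 000, 666 or 900-999, group 00, or
# serial 0000. A number in one of those ranges cannot belong to anyone.
SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def ssn_is_issuable(ssn: str) -> bool:
    """Return True only if the SSN has a form the SSA could actually have issued."""
    m = SSN_RE.match(ssn.strip())
    if not m:
        return False
    area, group, serial = (int(part) for part in m.groups())
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


def normalize_address(address: str) -> str:
    """Collapse punctuation, spacing and case so trivial differences do not flag."""
    return re.sub(r"\W+", " ", address).strip().lower()


def detect_red_flags(intake: dict, on_file: Optional[dict]) -> list:
    """Compare a registration (intake) against the record on file, if any.

    Returns a list of red-flag descriptions; an empty list means nothing to act on.
    """
    flags = []
    if not ssn_is_issuable(intake["ssn"]):
        flags.append("SSN is not a number the SSA could have issued")
    if not intake.get("photo_id_verified", False):
        flags.append("photo identification was not verified at registration")
    if on_file is not None:
        if intake["dob"] != on_file["dob"]:
            flags.append("date of birth differs from the record on file")
        if normalize_address(intake["address"]) != normalize_address(on_file["address"]):
            flags.append("address differs from the record on file")
        if intake["insurance_id"] != on_file["insurance_id"]:
            flags.append("insurance member ID differs from the record on file")
    return flags


# Constructed sample data: fictitious patients, keyed by SSN as presented.
RECORDS_ON_FILE = {
    "123-45-6789": {"name": "Jane Doe", "dob": "1970-04-02",
                    "address": "12 Elm St., Springfield", "insurance_id": "INS-100"},
}

INTAKES = [
    # Returning patient, everything matches: no flags expected.
    {"name": "Jane Doe", "ssn": "123-45-6789", "dob": "1970-04-02",
     "address": "12 Elm St, Springfield", "insurance_id": "INS-100",
     "photo_id_verified": True},
    # Same SSN presented with a different address and insurance ID: suspicious.
    {"name": "Jane Doe", "ssn": "123-45-6789", "dob": "1970-04-02",
     "address": "9 Oak Ave, Shelbyville", "insurance_id": "INS-200",
     "photo_id_verified": True},
    # New patient with an SSN that cannot exist and no photo ID: two flags.
    {"name": "John Roe", "ssn": "000-12-3456", "dob": "1985-09-15",
     "address": "1 Main St, Springfield", "insurance_id": "INS-300",
     "photo_id_verified": False},
]


def screen_intakes(intakes=INTAKES, on_file=RECORDS_ON_FILE) -> list:
    """Run the screen over a batch; returns (name, flags) per intake, in order."""
    return [(i["name"], detect_red_flags(i, on_file.get(i["ssn"]))) for i in intakes]


if __name__ == "__main__":
    for name, flags in screen_intakes():
        print(name, "->", flags or "no red flags")
```

A screen like this only surfaces the red flag; what happens next (holding registration until identification is produced, calling the insurer, correcting the record) is the response element of the program and belongs in the written policy, not the code.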
There is a four-step process for administering the program:
1. Obtain approval from the healthcare organization's board of directors, an appropriate board committee, or, if the organization does not have a board, a senior employee.
2. Involve the board, committee, or senior management employee in implementing, administering, and overseeing the program.
3. Train staff to properly execute the program's requirements.
4. Oversee any service provider arrangements to ensure that the provider acts in a manner consistent with the organization's identity theft prevention program.
The identity theft rules interact with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA focuses on maintaining privacy and confidentiality and on securing protected health information; its aim is to prevent patient information from being compromised. The identity theft rules focus on recognizing evidence that a third party is committing medical identity theft or that the internal system has been breached; their aim is to prevent or mitigate the misuse of information that has already been compromised. Implementing the identity theft rules involves securing patient information from unauthorized access, part of which is already accomplished by the provider's HIPAA policies. Providers should review their current HIPAA policies and integrate the relevant ones into the identity theft program.
Consequences
There are penalties for noncompliance. The FTC can seek up to $3,500 in civil monetary penalties per violation. For repeated violations after an order to comply, the FTC can file a lawsuit seeking several times that amount for each violation. States are authorized to bring an action on behalf of their citizens and can recover up to $1,000 for each violation as well as attorneys' fees. Affected patients can bring civil suit, seeking actual damages and attorneys' fees for negligent violations. For willful noncompliance, patients can seek actual damages plus punitive damages and attorneys' fees.
The FTC has published a handbook entitled Fighting Fraud with the Red Flags Rule: A How-To Guide for Businesses. The FTC, furthermore, has a fill-in-the-blank form for entities with a low risk of identity theft. This can be filled out online and printed. Both are available at http://ftc.gov/redflagsrule.
A nurse's role
Medical identity theft can have serious consequences for patients. A thief can obtain a patient's health insurance information and receive treatment under the patient's name, or use the patient's identity to obtain narcotics. As healthcare providers, we have a duty to our patients to protect their identity and to report suspected medical identity theft. A nurse practitioner (NP) whose practice has no proper procedures in place to prevent identity theft could be held partially responsible for a patient's identity theft.