Medical ID theft: Double danger for doctors
■ The sooner medical identity theft is discovered, the more likely damage can be minimized. Physicians, patients, insurers and the government all can help detect it.
When Anne Peters, MD, a Los Angeles-based internist, started receiving phone calls in 2006 from patients who were not hers about medical procedures she didn’t perform or even offer at her practice, she figured out pretty quickly that she had become a victim of medical identity theft.
When Dr. Peters sought advice on how to resolve the situation, she not only came up empty-handed, but she soon started feeling like a criminal herself. She was visited by federal agents, she received notices from the Internal Revenue Service regarding back taxes on $750,000 she never earned, and she was even detained once at the airport for more than an hour when she returned from a trip abroad. Meanwhile, Medicare stopped sending her payments for legitimate claims.
The worst part, she said, was that she couldn’t find anyone to help her figure out what went wrong or how to resolve it. What went wrong was that a sophisticated international crime ring had stolen her medical credentials, set up shop under her name and was illegally bilking Medicare out of hundreds of thousands of dollars.
Six years and countless headaches later, Dr. Peters finally got her name cleared. Because of her experience, Dr. Peters is in demand as a speaker on medical identity theft and helps raise awareness among her colleagues and among federal agents, who have developed programs to help physicians in similar situations.
Medical identity theft is very much on the radar of Medicare and other agencies responsible for investigating identity theft. In recent years, it has become the fastest-growing type of identity theft in the world, according to reports. An estimated 2 million people become victims of identity theft each year. And more than 5,300 physicians have listed themselves in a federal database that tracks medical identity theft. For physicians, the threat is a double whammy.
There are two types of medical ID theft: the kind that involves a patient’s identity being compromised; and the kind that involves the physician’s professional identifiers being stolen. Both could bring professional or financial harm to physicians.
Problems for physicians could go way beyond the threat of spending more than a year and many thousands of dollars clearing their names when their professional identities are compromised. (A February survey by Ponemon Institute, which studies computer security and identity theft issues, estimates that identity theft victims spend more than $22,000 clearing their names.)
Physicians also face repercussions when their patients’ identities are stolen. Patients report losing trust in their physicians after a medical ID theft has occurred. There is also the potential for medical errors and bad outcomes caused by two patients using the same identity. Physicians also potentially could be subjected to violations of the Health Insurance Portability and Accountability Act if they did not adequately protect the data from being stolen.
Identifying cases of medical ID theft early can help lessen the damage. And it’s easier than one might think to detect it. Many times, the clues are not well-hidden — it’s just that neither physician practices nor patients are connecting the dots.
Physician practices can work with patients, payers, employees and others to help prevent and detect medical ID theft. The biggest key to detection is education, said Shantanu Agrawal, MD, who serves as medical director for the Center for Program Integrity at the Centers for Medicare & Medicaid Services. Many people don’t even know what medical ID theft is, so educating patients on the problem and how to detect it is well worth a physician’s time, he said.
Warning signs for physicians
Dr. Peters’ story was highlighted in a Feb. 1 article in The Journal of the American Medical Association, by Dr. Agrawal and Peter Budetti, MD, JD, that was meant to educate physicians. Dr. Budetti is CMS deputy administrator and director of the agency’s Center for Program Integrity.
Dr. Agrawal said that when physicians receive calls such as the ones Dr. Peters received from patients she knew she never treated, that should be an immediate warning sign.
In addition to educating patients on the importance of reviewing Medicare summary notices and the explanation of benefits documents sent by private insurers, physicians also should review their own Medicare remittance notices to look for services they never performed, or payments they never received. Names that don’t look familiar can be signs that someone is practicing in his or her name, and Medicare should be contacted immediately.
Physicians also can do routine checks of Medicare’s Provider Enrollment, Chain and Ownership System. This will list the practices associated with a physician’s name. If a practice has been set up using the physician’s Medicare identifier, it will show up on that list.
Jeremy Miller, a director at Kroll Advisory Solutions, a security response and mitigation firm, said other warning signs include mailings or phone calls that make reference to corporation filings or businesses under a different name than the actual practice. Other clues are credit reports that show accounts a physician doesn’t recognize.
“Don’t just assume it’s a mistake,” Miller said. “The earlier you capture those kinds of things, the easier it is to get it untangled.”
Physicians also should be aware that many thefts start with employees in the practice, said Bill Fox, senior director of the health care division at LexisNexis Risk Solutions. Some employees have access to passwords or identifiers that could be used to establish a fraudulent practice in the physician’s name. And they have the ability to intercept evidence that the fraud is occurring.
Risks for patients
Even though a large percentage of medical ID thefts that involve a patient using someone else’s insurance credentials to receive care are “Robin Hood” crimes involving willing victims, the consequences still could be devastating to both patients and physicians.
Patients run the risk of receiving improper medical treatment because of someone else’s information being in the medical record and used by physicians to make a treatment decision. And physicians who miss obvious signs that a patient is not who the medical record indicates could be held liable for any harm that was done because of the oversight, said Larry Ponemon, PhD, chair and founder of the Ponemon Institute.
Just as EOB documents are a good way to detect physician medical ID theft, they are also a good way for patients to see whether someone is receiving services using their insurance benefits. But many patients toss these notices aside.
A survey by Harris Interactive conducted on behalf of Nationwide Insurance found that only half of U.S. adults have reviewed their medical records, and only 24% have ever checked for fraud within their records.
It’s well worth a physician’s time to educate patients on the importance of the EOB or Medicare summary notices and how to read them, Dr. Agrawal said.
Practice employees also are a good resource, as they are on the front lines, processing the paperwork of patients who may not be who they say they are. A checklist of things the front desk and physicians can do to thwart identity theft:
- Ask for two pieces of identification. Jorge Rey, information security and compliance director for Kaufman Rossin & Co., an accounting firm in South Florida, said this simple request can be an easy way to sniff out criminals. If the patient has an insurance card but no photo ID, or if a second piece of identification is handed over and it looks fake, or the description doesn’t match the person, consider these as warning signs.
- Ask for a referral source. Rey said simply asking new patients how they heard of the practice can prove beneficial. New patients are generally there because they were referred by another doctor or by a friend. Those referrals, especially ones from other doctors, can be used to establish the person’s identity, if needed.
- Look for inconsistencies in the record. The advancement of health information exchanges will make these crimes harder to pull off, because physicians won’t need prior relationships with patients to know something about them. Having access to patient records from another facility can help physicians identify discrepancies such as dramatic changes in weight or height.
What to do if you suspect something
The first thing physicians should do about potential medical ID theft is to heed the warning signs. If physicians or patients suspect fraud, Dr. Agrawal said, they should call their insurer. Medicare has a toll-free number where potential cases can be reported, and all calls are taken very seriously, he said. Many times these calls result in a new investigation or add information to one in progress.
Similar steps should be taken if the patient is insured through a private plan. The Federal Trade Commission also investigates medical ID theft and has a hotline and website where complaints can be filed. A police report should also be filed, Dr. Agrawal said.
While Dr. Peters never asked nor wanted to become the poster child for medical identity theft, she has taken her role seriously. She uses every available opportunity to educate other physicians about the risks. She urges more focus on prevention.
Medical ID theft is much more complex than other types of financial or identity theft, Ponemon said.
If you lose your credit card, for example, you can call the bank and they will cancel your current card within seconds and send you a new card with a new number. Use of medical identification isn’t as simple to stop, Ponemon said.
“In the world of health care credentials, if you lose your wallet and your credential is gone and you contact your health [insurer], they may send you a card with the same number on it,” Ponemon said. “They don’t really have these anti-fraud procedures in place.”
The key is for health care organizations to have their own anti-fraud procedures and to be vigilant about using them, he said.