Failing to protect privacy could cost healthcare providers far more than their progress on an IT project, according to experts on medical identity theft. Hospitals and physician practices risk damage to their reputations from public exposure by the media whenever patients become identity-theft victims at their facilities.
There is little question in the minds of security experts that the healthcare industry already represents a ripe target for identity theft.
In July, the American Health Information Management Association released results of a survey of members, many of whom serve as healthcare privacy officers. It found the share of AHIMA members who believe their organization has achieved "significant compliance" with privacy rules linked to the Health Insurance Portability and Accountability Act fell to 85% in 2006 from 91% in 2005.
"The most recent stats indicated just a little bit of softening of compliance and security issues," says AHIMA President Jill Callahan Dennis. She says she's not heard a lot about an increase in medical identity theft, "but it has been the sort of thing that's been endemic for years. Someone somewhere gets a really malevolent idea to exploit information that they have access to. But boy, once the news reports get out there, it gives a whole new generation an idea that, 'Hey, there is money here.'"
John Macaulay, a physician, is vice president of the healthcare and life sciences division at Anakam, San Diego, a company specializing in identity authentication for banking and other industries.
Last month, Macaulay testified before the confidentiality, privacy and security work group of the American Health Information Community, the HHS healthcare information technology advisory panel established last year by HHS Secretary Mike Leavitt. Macaulay said the banking industry, which is targeted by more than 500 online attacks a day, provides a glimpse into the future of healthcare IT.
"We believe that as PHRs (personal health records) and EHRs (electronic health records) proliferate and users reach the tens of millions, fraudsters will set their sights on many of these healthcare sites, starting with those with the largest user bases coupled with the weakest defenses ... because that is where the money is."
The wave of the present
According to Pam Dixon, executive director of the World Privacy Forum, that future is now. Dixon, who also testified before the AHIC privacy work group last month, said healthcare already is under attack, most commonly from healthcare workers of all stripes, including physicians, nurses, technicians and other trusted employees. Dixon said medical data has a street value today of $50 a record.
"Once you are an insider, you have the run of the chicken coop," Dixon testified. "I urge the committee to pay great attention to healthcare insiders."
Burke Kappler, a Federal Trade Commission lawyer, says the forum's report is credible, and Dixon is "the leading authority on this issue."
The report, Medical Identity Theft: The Information Crime That Can Kill You, uses the same narrow definition of medical identity theft as the FTC, noting that, "Unlike purely financial forms of identity theft, medical identity theft also may harm its victims by creating false entries in their health records at hospitals, doctors' offices, pharmacies and insurance companies." "What happens if, heaven forbid, he gets rolled into that hospital unconscious?" Dixon says.
The transition from a paper-based healthcare record system to an electronic system is "inevitable," according to Dixon's report. But if the identity-theft issue isn't addressed, current efforts to link isolated IT systems into an interoperable, electronic healthcare network will only make IT systems richer targets for thieves. And that, paradoxically, could make healthcare more dangerous for the patients, which could hamper IT adoption and expansion.
"Digitized information is much more portable and lends itself to rapid transmission," according to the report. "These are usually seen as benefits, but in the hands of an identity thief, these benefits may become liabilities."
Further, it said, if errors in medical charts and documents arising from medical identity theft are left uncorrected, "as they are by and large today," they could "percolate through a nationwide system."
"Without more attention, patients who have incorrect files in one city will find their same incorrect files available to all doctors and insurers that use the health network," the report said. "The same errors may also affect the factual accuracy and quality of medical research and public health interventions based on that data."
Dixon urged the AHIC work group on confidentiality, privacy and security to consider recommending to HHS that risk assessments become a routine part of healthcare IT projects, particularly large-scale ones such as regional healthcare information organizations and the government's work on a national health information network.
Finally, when the fraud is discovered, the victim often is denied access or permission to correct his or her own medical records because of HIPAA privacy issues, Dixon says. The hospital that has been defrauded refuses to show the victim their own medical records because they've been commingled with the records of someone else.
"It's happened to person after person after person," Dixon says. "This is a common refrain. It's the Catch-22. They'll get a dunning notice or see a credit report where there is a $150,000 write-off, and it's killing their credit. And they go to the hospital waving a credit report with a score of 300 on it and saying 'This isn't me,' and the hospital clams shut as if the records are buried in the deepest ocean."
Dixon said in the World Privacy Forum's report that HIPAA gives patients a right to seek corrections to their healthcare records, and most institutions will make changes when errors are spotted, but some will not. Under HIPAA, a patient has the right to ask for an amendment to their medical records, but the provision does not apply to medical information that the provider or insurer did not itself create.
"This means that any medical information sent by one provider or insurer to another provider or insurer does not have to be corrected by the recipient of the information," according to the report.
The reason for the HIPAA limitation -- that a third party may not have the knowledge to make a decision about the correctness of the information -- "provides no recognition of the problem faced by medical identity theft," according to the report.
One option: the government should look to the Fair Credit Reporting Act, which requires credit bureaus and other credit-reporting agencies -- both of which receive information from others -- to investigate victims' claims of inaccurate information and make changes as necessary, seeking to create a reasonable balance of interests. HIPAA, in contrast, "essentially washes its hand(s) of the problem with an overly broad exemption," the report said.
One fear with an interconnected national health information network is that the exemption makes it possible "that a network will contain information for which no identifiable organization has responsibility to consider amendments. Everyone with access to the network may claim that someone else is responsible in order to avoid the expense and complication of handling amendments."
Dixon also recommended the government close a loophole in HIPAA's requirement to maintain audit trails of who is given access to patient-identifiable healthcare information. Patients are allowed under HIPAA to ask for and receive copies of their audit trail, but "covered entities" -- providers, health plans and claims clearinghouses -- are exempt from the requirement to provide patients audit trails for records used for "treatment, payment or healthcare operations," she wrote.
This loophole often makes it impossible for a patient to trace the flow of medical information back to the perpetrators of medical identity theft, the report concludes. Eliminating even the limited audit trail requirement, as HHS' Office for Civil Rights -- the first line of enforcement of the HIPAA privacy rule -- "has publicly but unofficially stated it is considering, would serve to ensure that consumers never found out where their records have gone."
"A better approach (under HIPAA in the private sector) would be to have a universal accounting rule covering all disclosures without exceptions," Dixon wrote.
Complaints that the rule would create too cumbersome a burden fall flat, according to the report. "The federal government has operated under the Privacy Act of 1974 for many years and no problems with accounting for healthcare disclosures have been reported." Dixon also recommended the government study medical identity theft specifically to get a better idea of the extent of the problem.
Coming Wednesday: Breaches by the batch