In 2006, after passage of a state healthcare reform law that required residents to have health insurance, Massachusetts General saw a number of patients coming forward wanting to clear up discrepancies in their medical records and, in effect, admitting they had received care there under different identities, according to Haas. In response, the hospital information systems department led the formation of a cross-departmental data integrity committee.
The hospital's data integrity committee meets monthly and, among other things, developed “red flag” policies and procedures to identify and thwart medical identity theft attempts while the patient is still at the hospital.
Haas said that the committee's role is to help promulgate policy and educate hospital workers about some telltale signs of possible medical identity theft so they can look out for it while they are interacting with patients. The policy also provides workers with specific guidelines on what to do when they suspect someone may be trying to obtain medical care under a false identity.
Haas said it is only natural that health information management workers take the lead in this new area of information technology.
“We believe this is a very good thing, raising awareness about this,” Haas said. “We also think this is a good thing for HIM. If we become the patient identification experts, we have a seat at the table where the problem exists, at the front end. That will make all of our lives easier.”
According to protocols established by the data integrity committee, “We will be the first person at Mass General that anybody calls if they expect an incidence of medical identity theft is going on.”
Here is the Massachusetts General data thus far: In 2006, there were 16 red-flag incidents reported through the program, Haas said. By 2007, there were 23; in 2008, 42; and through just the first six months of this year, 43.
On closer inspection, about a quarter of the red-flag incidents panned out to be true cases of medical identity theft, Haas said. In retrospective analysis, the red-flag program identifies and prevents on the front end about half of the medical identity theft cases at the hospital, Haas said.
Often, medical identity theft incidents involve large claims. One patient's bill at Massachusetts General was about $42,000. Another's was $35,000. A third case, $28,000.
And money isn't the only issue.
One woman came into the hospital to have an appendectomy, Brown said, using the identity and insurance coverage of a cousin, who happened to be accompanying the patient that day. The patient's cousin also had received care previously at Massachusetts General. Her scheme wasn't discovered until the appendectomy patient's blood type didn't match that of her cousin in medical records from a prior visit.
When a red flag is raised, Brown said, “We'll start a track for a patient investigation. That information is being fed back in real time while the patient is still there.” The other track is to continue to provide patient care, she said.
The health information management investigation might include going back to the registrar who handled information gathering when the patient was admitted to review what questions were asked and how they were asked. For example, the registrar might be queried as to whether the patient had been asked to provide a street address and ZIP code, or whether the registrar had allowed the computer system to populate the new admission record from existing data in the system.
Insurance fraud, drug seeking and immigration issues were the top three categories of medical identity theft cases at Massachusetts General, Haas said, but the research hospital uncovered a fourth category a few years ago. The hospital detected a patient who appeared multiple times under different names trying to collect $600 payments for participation in a research trial. The patient did not want to report the money on his taxes, Haas said.
“If you do training at your hospital, don't leave research out of the discussion,” Haas said.
Pam Dixon is the founder of the not-for-profit World Privacy Forum, which in 2006 focused national attention on the problem with a 56-page report that concluded medical identity theft remains "the least studied and most poorly documented of the cluster of identity theft crimes."
Three years later, Dixon said the Massachusetts General disclosure of its own statistics on medical identity theft investigations may be unique.
“I have not heard of a provider willingly giving out numbers before,” Dixon said. “What I found interesting is their numbers are growing so much. If you graphed this, it goes up sharply.”