Do you know how your personal health information is being used? More entities than ever are collecting health data. While most uses of personal health information are legitimate, some are not.
With so many people in the healthcare marketplace having access to private information, and given how easily data can be disseminated broadly, how can we be sure that our information is not misused? My office, HHS’ Office of Inspector General, and our government partners are working to keep everyone’s personal health information safe. However, this effort requires a collaborative approach with the support of healthcare industry officials and patients alike.
Today the OIG released a report examining pharmacies and other companies’ use of Medicare Part D eligibility information. We found that some of these companies may be using beneficiaries’ information improperly. If not processing a prescription, what are they using it for? Are they using information for inappropriate marketing purposes or selling it to others? To address these concerns, we recommend that the CMS tighten oversight and take appropriate enforcement action to prevent providers from abusing their positions of trust.
Our work to protect personal data is part of a broader effort by the federal government to safeguard patients’ private information. The CMS recently removed Social Security numbers from Medicare cards and replaced them with new numbers. So far, this action has improved program integrity, helping to protect patients.
We are also working hard to put those who run scams by misusing beneficiary health information out of business and, in some cases, behind bars. Along with our law enforcement partners, my office recently cracked down on a billion-dollar fraud scheme by medical equipment suppliers that paid kickbacks to fraudulent telemedicine companies. In one associated case, a CEO of multiple durable medical equipment companies was sentenced to 40 months in prison and ordered to pay $1.9 million for his role in the scheme. His companies paid kickbacks to obtain Medicare beneficiary information, which was used to fraudulently bill Medicare nearly $10 million for medically unnecessary medical equipment and orthotics.
The government is working hard to reduce risk, especially in situations that consumers cannot control. Still, patients and the healthcare industry can take steps to better protect healthcare data.
What can you do as a healthcare executive?
First, healthcare leaders must understand that eligibility verification transactions should only be used for legitimate purposes—for example, to determine a beneficiary’s prescription drug coverage. These transactions must not be used for other purposes, such as marketing. And providers should not allow marketing firms or other third-parties to use their national provider identifier to access beneficiary eligibility information.
In addition, healthcare industry officials must continue to play an important role in educating beneficiaries and patients about protecting their health information. We urge all healthcare providers to remind patients that they can take steps to protect themselves.
For example, if a telemarketer asks a patient for personal ID or health information, the patient should just hang up. Patients should never respond to unsolicited requests for their Medicare numbers or other personal information.
Healthcare executives and providers should also encourage patients to carefully review all Medicare explanation-of-benefits statements. If patients see a claim for a service not provided, they should follow up with the provider in case it’s an honest mistake. If it seems suspicious, contact the Office of Inspector General, Medicare or the Senior Medicare Patrol (1-800-HHS-TIPS; 1-800-MEDICARE; or 1-877-808-2468).
And we must continue to inform beneficiaries that the promise of a “free service,” saying “we’ll just bill Medicare,” is not free. Quite the opposite—it will cost every taxpayer. And patients may be putting their personal health information into the wrong hands.
Let’s work together to ensure that sensitive health information is protected from those who seek to misuse it.