Health care providers need to implement approaches to detect, prevent and respond to medical identity theft incidents. No single solution applies to all providers because of each provider’s unique size, overhead and available resources. Therefore, providers should implement a variety of techniques, including patient authentication, training and awareness, and risk assessment.
Providers should especially be awate of medical identity theft concerns because they could increase as the industry moves toward electronic health records and a national health information network. If networks do not have adequate privacy and security protections, huge volumes of health information could be improperly accessed and used for medical identity theft, as well as other purposes.
In many cases, providers have not yet considered the unique characteristics of medical identity theft as a part of their overall risk assessment. It is important for providers to evaulate whether there are any gaps in their policies and procedures that might lead to medical identity theft. The best time for this evaluation is during routine risk assessments.
Although entities covered under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) are required to implement a security awareness and training program for their workforce, medical identity theft is raraly addressed as a separate, individual risk. Requiring patient authentication – in the form of picture identification as well as a health insurance card – is one way to combat medical identity theft.
In addition to using education and training to prevent incidents of medical identity theft, providers should consider conducting training following an incident to ensure that employees and contractors have responded appropriately. This allows staff to debrief , identiry and apply lessons learned, and to continuously improve the quality of privacy and security process and procedures. It will also help providers respond and mitigate any threats as well as learn steps that can be implemented in the future to prevent similar incidents from occurring.
Guide to Medical Privacy and HIPAA. Health Care Series. December 2008, vol. 7, no. 11.
© 2008 Parsonage Vandenack Williams LLC