Stealing your good name

MGMA Connexion, Apr 2006 by Lopach, Dawn L

Identity theft poses human resource, risk management challenges

This article was adapted from a professional paper submitted to the American College of Medical Practice Executives (ACMPE) in partial fulfillment of requirements to achieve the certification of Fellow. The topic falls under Risk Management, one of eight performance domains identified in the ACMPE Body of Knowledge for Medical Practice Management.

Identity theft - the fastest-growing crime in America¹ - has infiltrated the health care sector. In identity theft, an imposter obtains a key piece of personal information, such as a Social Security or driver's license number, in order to impersonate the victim. The medical practice administrator plays a key role in protecting a group's employees and patients from this crime.

Health care bulges with personal info

Safeguarding patients' privacy is a commitment in health care that dates to the fourth century, B.C., and Hippocrates' oath. Today, individual health and medical data are gathered, collated, stored, analyzed and distributed in unprecedented quantities and put to diverse uses. Health care providers use data for research, to collect reimbursement, to conduct quality assurance and monitor other providers.

Health care organizations store an ever-increasing amount of information in paper and computerized form and use both private and public telecommunications to transmit it among entities. The daunting task of developing and implementing policies to safeguard protected health information (PHI) for patients, physicians and employees frequently falls to the practice manager.

Physicians present especially tempting targets to scam artists. Health care providers must supply a wealth of information - unique physician identifier numbers, tax identifier numbers, dates and places of birth, Social Security numbers, Drug Enforcement Administration numbers, home and business addresses and phone numbers - to health plans, hospitals and other organizations with which they do business. The money that can be generated from this information makes physicians prime targets for identity theft.

Not surprisingly, in a medical organization, identity theft is often an inside job. It's the medical office manager's responsibility to prevent identity theft by employees.

How identity theft occurs

Identity thieves get information in many ways. They steal wallets and purses containing identification and credit or bank cards; they steal mail, including bank and credit card statements, pre-approved credit offers, new checks and tax information. They may complete a change-of-address form to divert mail to another location. They may rummage through trash for information.

Identity thieves perpetrate scams, often through e-mail, by posing as legitimate companies or government agencies. They also get information from the workplace in a practice known as business-record theft: stealing files out of offices, conspiring with an employee who has access to business files, or "hacking" into electronic files.

Minimizing risk in the medical office

In a world of connectivity, it's difficult to prevent identity theft. However, you can minimize the risk by being aware of the issues, understanding the methods identity thieves frequently employ and managing personal information wisely.

Do not have open access to data. Open access is the No. 1 way thieves acquire identity information. Set computer screen savers to come up after a few minutes of inactivity. Password-protect any programs that contain personal information on patients, staff and providers. If the system cannot provide password protection for personal files, save to disk anything that contains identity information and lock up the disks.

Encrypt identity information when possible. You can buy an inexpensive software program that provides file encryption.

Watch for employees who regularly hang out around an area with protected files. They could be trying to glean passwords or other personal information by "shoulder surfing" - looking over the shoulder of an individual authorized to access personal identity information.

Memorize passwords and keep written reminders locked up. Do this instead of using standard password wizards installed in many software programs for frequently visited Web sites. Use different passwords for different sites; change them often.

Permanently erase old hard drives. When upgrading or bringing in a new computer system, make sure that data are permanently removed from old hard drives. Reformatting or deleting programs and files using the standard "uninstall" methods may leave recoverable information on the system. Know how old computers are disposed of and where they will end up. Also use caution when disposing of floppy discs, Zip discs, compact discs, high-end printers, fax machines, voice-messaging systems and telephone answering machines.

Shred documents before disposing of them. Mail theft and dumpster diving are major avenues for identity thieves to get information. Paper shredders, once considered a good idea, may become a standard provision for every garbage can due to rules defined in the Fair and Accurate Credit Transactions Act. The legislation, signed by President Bush on Dec. 4, 2003, provides for expanded access to credit and financial services for all Americans, enhancing the accuracy of consumer financial information and helping fight identity theft. Effective June 1, 2005, the previously undefined disposal provision of the law requires the "shredding or burning" or "smashing or wiping" of all paper or computer disks containing personal information before they're discarded.


 


Content provided in partnership with ProQuest