Sunday, 17 February 2008

identity theft and ehrs



Identity theft and digital health records

This week's Business Week has an article on medical identity theft (Diagnosis: Identity Theft). The article outlines three types of fraud that are apparently on the rise: 1) people who steal an identity to get treatment for themselves; 2) providers who steal an identity to submit fake claims; and 3) providers who misuse information they are entitled to have, in order to pad legitimate claims with fake claims.

Like a lot of articles in the area of patient privacy, I think this one touches on all of the right points but sensationalizes the issue with some egregious anecdotes and a few hyperbolic comments from "privacy advocates". I'm also not sure how new some of this is. Identity theft certainly isn't new, nor is fraud in medical claims. The Sopranos even had an episode a couple of years ago that was identical to one of the "new" types of fraud described in the article - organized crime "rings" using an ancillary healthcare provider organization to submit bogus claims. (Though according to HBO's Mobspeak, Tony Soprano found the "taste" of medical fraud to be much less lucrative than racketeering or bookmaking.)

I'm not going to even try to answer whether our data is "safer" in digital health records, because this is unknowable, and anyone claiming otherwise isn't being intellectually honest. The BW article gives short shrift to the ways in which electronic records will increase protection of patient information.

There are two different issues raised by the article: 1) how to prevent and detect medical fraud; and 2) how to prevent electronic health records from being used for identity theft (which may or may not be used for medical fraud).

It strikes me that EHRs can be helpful in preventing and detecting fraud in care delivery. The most obvious way is by giving a greater ability for "authentication" than is allowed by paper systems, in particular by incorporating photos in the medical record. Digital cameras are incredibly cheap and even the most simple EHRs and practice management systems allow photos to be attached to records. I've been a member of three athletic clubs over the last 2 years (including my local YMCA), all of which use photos for authentication every time I visit. It would hardly be an invasion of privacy for health care providers to do the same.

Electronic systems are also helpful in detecting fraud by providing the ability to identify "spikes" in activity that can then be followed up for validity (the article notes this). My credit card company does this now. A health insurer that does this could even use it as a positive opportunity to improve care, customer service, and relationship management - legitimate "spikes" in activity are the result of significant medical events, for which follow-up should be both welcome and appropriate. Honda Motor Corporation called me recently to ask how my local dealer performed during our last service visit. I wish Aetna would call me to ask how my doctor or hospital performed, not only when my activity has "spiked", but after each visit I make (boy, would they get an earful).

Regarding identity theft, I think that EHRs could seriously reduce one of our greatest sources of risk - medical staff who abuse their privileged access to information. Good EHRs have role-based access, so that staff are able to access only that type of information appropriate to their jobs. Audit logs also allow tracking of access to records and monitoring of user activity. Paper records don't allow such protections. And while such protections have been available in many hospitals for some time now, making them widely available in physician offices will put literally millions of medical records under a better security umbrella than they're under today.
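The role-based access and audit-log protections described above, sketched as an added example (not from the original post or any EHR product). The roles, record sections, user names and the per-day patient threshold are all assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Hypothetical mapping of job role -> record sections that role may open.
ROLE_SECTIONS = {
    "physician": {"demographics", "clinical", "billing"},
    "nurse": {"demographics", "clinical"},
    "billing_clerk": {"demographics", "billing"},
    "receptionist": {"demographics"},
}

audit_log = []  # append-only record of every access attempt

def access(user, role, patient_id, section, when):
    """Role-based check; every attempt, allowed or denied, is audited."""
    allowed = section in ROLE_SECTIONS.get(role, set())
    audit_log.append({"user": user, "role": role, "patient": patient_id,
                      "section": section, "when": when, "allowed": allowed})
    return allowed

def review(log, max_patients_per_day=3):
    """Flag users with denied attempts, or who opened the records of more
    distinct patients in one day than the (assumed) threshold allows."""
    denied = Counter(e["user"] for e in log if not e["allowed"])
    patients = {}
    for e in log:
        key = (e["user"], e["when"].date())
        patients.setdefault(key, set()).add(e["patient"])
    findings = {}
    for user, n in denied.items():
        findings.setdefault(user, []).append(f"{n} denied attempt(s)")
    for (user, day), seen in patients.items():
        if len(seen) > max_patients_per_day:
            findings.setdefault(user, []).append(f"{len(seen)} patients on {day}")
    return findings

def demo():
    """Constructed sample activity for one morning in a small practice."""
    audit_log.clear()
    day = datetime(2008, 2, 15, 9, 0)
    access("dr_lee", "physician", "P001", "clinical", day)
    access("nurse_kim", "nurse", "P001", "clinical", day)
    access("nurse_kim", "nurse", "P001", "billing", day)  # outside role: denied
    for i in range(5):                                     # browsing many charts
        access("clerk_ray", "billing_clerk", f"P10{i}", "demographics", day)
    return review(audit_log)
```

A paper chart room has no equivalent of `review`: the denied attempt and the chart browsing would leave no trace to follow up on.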

Of course, EHRs increase other types of risk by adding more to the amount of electronic data already swirling around the ether, so in that sense they do create greater incremental opportunities for some types of identity theft. This is true for any type of electronic data, however, and I'm not sure how much greater risk it adds on top of what's already out there. I was at Marshall's department store the other day and they asked for my phone number as part of the payment process for a pair of socks (I didn't give my number to them but noticed that a lot of other customers gave theirs). I've also noticed recently that when I return items to Home Depot without a receipt the cashier swipes my credit card and does a search of everything I've ever purchased from them on my credit card before giving me a cash refund. I'm sure that these companies have privacy statements detailing what they do with this information -- I haven't bothered to read these statements, nor do I expect to any time soon.

The "digitization" of medical information is just another aspect of a general trend. We don't have to even discuss whether we should stop it, because I don't think we can -- the best protection for patients is to insist that EHRs get implemented in a way that accentuates their positive attributes and explicitly manages any additional risks that

