Tuesday, January 16, 2007

Identity theft and digital health records

This week’s Business Week has an article on medical identity theft (Diagnosis: Identity Theft). The article outlines three types of fraud that are apparently on the rise: 1) people who steal an identity to get treatment for themselves; 2) providers who steal an identity to submit fake claims; and 3) providers who misuse information they are entitled to have, in order to pad legitimate claims with fake claims.

Like a lot of articles in the area of patient privacy, I think this one touches on all of the right points but sensationalizes the issue with some egregious anecdotes and a few hyperbolic comments from “privacy advocates”. I’m also not sure how new some of this is. Identity theft certainly isn’t new, nor is fraud in medical claims. The Sopranos even had an episode a couple of years ago that was identical to one of the “new” types of fraud described in the article – organized crime “rings” using an ancillary healthcare provider organization to submit bogus claims. (Though according to HBO’s Mobspeak, Tony Soprano found the “taste” of medical fraud to be much less lucrative than racketeering or bookmaking.)

I’m not going to even try to answer whether our data is “safer” in digital health records, because this is unknowable, and anyone claiming otherwise isn’t being intellectually honest. The BW article gives short shrift to the ways in which electronic records will increase protection of patient information.

There are two different issues raised by the article: 1) how to prevent and detect medical fraud; and 2) how to prevent electronic health records from being used for identity theft (which may or may not be used for medical fraud).

It strikes me that EHRs can be helpful in preventing and detecting fraud in care delivery. The most obvious way is by giving a greater ability for “authentication” than is allowed by paper systems, in particular by incorporating photos in the medical record. Digital cameras are incredibly cheap and even the most simple EHRs and practice management systems allow photos to be attached to records. I’ve been a member of three athletic clubs over the last 2 years (including my local YMCA), all of which use photos for authentication every time I visit. It would hardly be an invasion of privacy for health care providers to do the same.

Electronic systems are also helpful in detecting fraud by providing the ability to identify “spikes” in activity that can then be followed up for validity (the article notes this). My credit card company does this now. A health insurer that does this could even use it as a positive opportunity to improve care, customer service, and relationship management – legitimate “spikes” in activity are the result of significant medical events, for which follow-up should be both welcome and appropriate. Honda Motor Corporation called me recently to ask how my local dealer performed during our last service visit. I wish Aetna would call me to ask how my doctor or hospital performed, not only when my activity has “spiked”, but after each visit I make (boy, would they get an earful).
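As an added illustration (not from the Business Week article or any insurer's system), here is one way a claims system could flag a "spike" for follow-up: compare each member's latest month against that member's own history. The member IDs, counts and thresholds are constructed for the example.

```python
from statistics import median

# Constructed sample: claims per month for each member ID (not real data).
CLAIMS = {
    "member-A": [1, 0, 2, 1, 1, 0, 1, 9],   # sudden jump in the last month
    "member-B": [3, 4, 3, 5, 4, 3, 4, 5],   # steady, high utilisation
    "member-C": [0, 0, 0, 0, 0, 0, 0, 2],   # sparse history
}

def spike_score(history, latest):
    """Robust z-score of `latest` against the member's own history,
    using the median and the median absolute deviation (MAD)."""
    base = median(history)
    mad = median(abs(x - base) for x in history)
    # Floor the spread at 1 claim so a flat history does not make
    # every small change look extreme.
    spread = max(1.4826 * mad, 1.0)
    return (latest - base) / spread

def flag_spikes(claims, threshold=4.0, min_history=6):
    """Return {member: score} for members whose latest month is a spike."""
    flagged = {}
    for member, counts in claims.items():
        history, latest = counts[:-1], counts[-1]
        if len(history) < min_history:
            continue  # too little history to judge
        score = spike_score(history, latest)
        if score >= threshold:
            flagged[member] = round(score, 2)
    return flagged
```

Scoring against each member's own baseline keeps a steady high utiliser (member-B) from being flagged while a sudden jump (member-A) is; a flag is only a prompt for follow-up, since a legitimate medical event produces the same pattern.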

Regarding identity theft, I think that EHRs could seriously reduce one of our greatest sources of risk – medical staff who abuse their privileged access to information. Good EHRs have role-based access, so that staff are able to access only that type of information appropriate to their jobs. Audit logs also allow tracking of access to records and monitoring of user activity. Paper records don’t allow such protections. And while such protections have been available in many hospitals for some time now, making them widely available in physician offices will put literally millions of medical records under a better security umbrella than they’re under today.
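To make the two controls above concrete, here is an added sketch (not code from any EHR product) of a role-based access check that writes every attempt to an audit log, plus a review pass over that log. The roles, record sections, user names and the `max_patients` threshold are hypothetical.

```python
from collections import defaultdict

# Hypothetical roles and record sections; a real EHR defines its own.
ROLE_SECTIONS = {
    "physician":  {"demographics", "clinical", "billing"},
    "nurse":      {"demographics", "clinical"},
    "front_desk": {"demographics"},
    "billing":    {"demographics", "billing"},
}

AUDIT_LOG = []  # every attempt is recorded, allowed or not

def access(user, role, patient_id, section):
    """Allow the read only if the role covers the section; log either way."""
    allowed = section in ROLE_SECTIONS.get(role, set())
    AUDIT_LOG.append({"user": user, "role": role, "patient": patient_id,
                      "section": section, "allowed": allowed})
    return allowed

def review(log, max_patients=3):
    """Flag users with denied attempts or an unusually wide patient spread."""
    denied = defaultdict(int)
    patients = defaultdict(set)
    for e in log:
        if e["allowed"]:
            patients[e["user"]].add(e["patient"])
        else:
            denied[e["user"]] += 1
    findings = {}
    for user in sorted(set(denied) | set(patients)):
        reasons = []
        if denied[user]:
            reasons.append(f"{denied[user]} denied attempt(s)")
        if len(patients[user]) > max_patients:
            reasons.append(f"{len(patients[user])} distinct patients viewed")
        if reasons:
            findings[user] = reasons
    return findings

def demo():
    """Constructed activity for three staff members."""
    AUDIT_LOG.clear()
    access("dr_lee", "physician", "P1", "clinical")
    access("desk_kim", "front_desk", "P1", "clinical")      # outside role
    for pid in ("P1", "P2", "P3", "P4", "P5"):
        access("bill_ray", "billing", pid, "demographics")  # wide browsing
    return review(AUDIT_LOG)
```

The review catches two different things: an attempt the role check blocked, and access that was permitted by role but spans more patients than the job plausibly requires, which only the audit log can reveal.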

Of course, EHRs increase other types of risk by adding more to the amount of electronic data already swirling around the ether, so in that sense they do create greater incremental opportunities for some types of identity theft. This is true for any type of electronic data, however, and I'm not sure how much greater risk it adds on top of what's already out there. I was at Marshall’s department store the other day and they asked for my phone number as part of the payment process for a pair of socks (I didn't give my number to them but noticed that a lot of other customers gave theirs). I’ve also noticed recently that when I return items to Home Depot without a receipt the cashier swipes my credit card and does a search of everything I’ve ever purchased from them on my credit card before giving me a cash refund. I'm sure that these companies have privacy statements detailing what they do with this information -- I haven't bothered to read these statements, nor do I expect to any time soon.

The "digitization" of medical information is just another aspect of a general trend. We don't have to even discuss whether we should stop it, because I don't think we can -- the best protection for patients is to insist that EHRs get implemented in a way that accentuates their positive attributes and explicitly manages any additional risks that they introduce.
