In 2014, nearly 9 million patient health records were breached in 164 reported incidents. By March 2015, that number had increased tenfold. In fact, it is estimated that one in three health records were compromised during 2016 alone.1 Records can be physically stolen from medical facilities, so it is important to prevent data acquisition in this manner. But with the prevalence of health IT systems in place, cybersecurity—not just on the backend, but with a complete security ring around data—is absolutely critical to eliminate the prevalence of medical identity theft. Health systems must implement a 360-degree risk mitigation strategy to cover every potential breach.
The impact of medical identity theft
Protected health information (PHI) is highly valuable on the black market because it can be used to obtain pharmaceuticals, commit insurance fraud or obtain medical care through channels such as Medicaid and Medicare. In fact, according to the FBI, stolen health information currently fetches $60-$70 on the black market, while a Social Security number goes for less than $1.1
The fiscal impact of medical identity theft is considerable, generating losses to the health industry of more than $30 billion each year. However, patients also sustain financial consequences of fraud, having to pay an average of $13,500 to resolve these issues.2
The current thinking in the industry today is that performing computer-generated data conciliation processes in the backend increases the risk of data corruption. However, the entire focus of medical identity theft is to emulate another person. While many organizations feel they don’t have a medical identity theft problem (the “it’s-not-me” belief), the astronomical costs tell otherwise.
But the costs are not just monetary. Medical identity theft can cause delays in treatment, misdiagnosis and inappropriate care. The health data of the imposter is merged with the identity of the real patient, creating serious inaccuracies in health data that can be life-threatening.
Coincidence or crime?
Patient misidentification may not necessarily involve criminal activity. Often medical identity issues arise due to the inadequacy of name and birthday as current identifiers. Even if the identity of a patient is verified, there is a significant chance that other patients in that system share the same name or birthday, and sometimes both.
Although released several years ago, the Harris Health System in Houston published a set of data that demonstrates just how many similar identifying factors some patients share. Among more than 3.4 million patients, two patients sharing the same first and last name occurred 249,213 times. In the same set of data, patients sharing the same first name, last name and birthday occurred almost 70,000 times. Five or more patients shared the same first and last name more than 76,000 times. Are these records unique individuals or duplicates? How many represent different people? Or is medical identity theft a factor?
Securing patient identity
There are numerous coinciding factors that providers use to identify patients. The verifiability and accuracy of these records is imperative for health organizations to keep track of individual patients and manage the overall patient population. To prevent medical identity theft and keep treatment and diagnosis as accurate as possible, health systems need a reliable method of deciphering patients with an uncompromising identity-proofing process.
Health organizations must invest in the appropriate health IT to ensure patients are not vulnerable to the costly risks of medical identity theft—and that technology must involve identity-proofing individuals across multiple healthcare settings, not just in siloes. Implementing a unique health safety identifier (UHSI) is a great first step in strengthening IT security, preserving data integrity and saving health organizations and their patients’ money. And taking these legacy challenges out of the health IT ecosystem will allow an acceleration toward a value-based care delivery model.
The success of value-based care demands innovative, reliable health IT solutions. A unique health safety identifier is a positive start to improving data quality at the point of care, as well as along the entire spectrum of care and within the growing virtual care arena. The goal for every care provider must be: one patient, one identity, one record.
1.http://www.information-age.com/technology/security/123461306/healthcar-fraud-five-step-plan-diagnosis-and-treatment April 2016.
2.Medical Identity Fraud Alliance. Fifth Annual Study on Medical Identity Theft, February 2015.
By Tom Foley, Director of Global Health Solutions Strategy