Protect Yourself and Your Practice from Identity Theft

Identity theft is a major problem in our country, and everyone is susceptible—especially physicians. That’s because, unlike anybody else, physicians are in possession of two forms of federally protected information: Health information, which is protected under HIPAA, and financial information. Both of these elements subject physicians to liability if they release the information without patient authorization.

But physicians’ exposure to identity theft doesn’t end there. Patients without health insurance posing as someone who actually has health insurance is a rampant form of identity theft. And of course, physicians need to ensure that their own personal information is not subject to theft. But there are steps physicians can take to protect themselves, their practices and their staffs.

Red flag provision

In June 2010, a FTC-mandated red flag provision is scheduled to take effect requiring all medical facilities, including physician practices, to have written policies and procedures in place to protect against patient identity theft. It starts with having a compliance person in your medical practice who is in charge of the policies, and the penalty for not having them in place can be substantial.

“If the FTC decides to start walking into your office and inspecting to see if you have [policies and procedures], and you don’t, it’s $2,500 for every violation,” says Charles Kutner, a New York-based attorney who represents the medical industry. “There’s no penalty for not figuring out that someone has stolen an identity, only if you don’t have a written policy and procedure in place.”

Kutner explains that the policies and procedures are fairly easy to implement. When a patient enters the office and presents an insurance card, ask them for a photo ID. If they don’t have one, that ought to send up a red flag. Or, if they present one and the person in the photo doesn’t resemble the individual standing at the front desk, another red flag. He suggests consulting the American Medical Association website for a sample policy.

“Even if it’s a patient you know, you should ask for a photo ID uniformly,” Kutner says. “Every patient should present a photo ID when they come to the office for treatment.”

Your own identity

Today, the use of online banking for paying bills and making other transactions, as well as deposits into retirement accounts, is commonplace—and the problem of identity theft is becoming almost as common. Dave Miller, chief security officer for Covisint, a Compuware subsidiary, says there are several precautions physicians should be aware of to ensure that hackers don’t gain access to important personal and financial information.

The first is called risk-based authentication, which is basically fingerprinting of the computer from which you access your accounts. Usage patterns are examined, such as where you live and the time zone in which you live. If you violate those rules, the system will ask a series of questions to revalidate that you are who you say you are. In addition, instead of simply entering a password, some systems now provide one-time passwords via a device you can carry on your keychain. When you log into an account, you type in the number on the device—and the number changes every time you log in.

“The advantage is it takes the hacker out of the equation,” Miller says. “Even if a hacker has compromised the system you’re on and obtains the password you entered, it doesn’t matter because it won’t be good anymore. And there are a lot of banking services and eTrade that offer the service. It costs a little more, but it gives you an extra level of security.”

Of course, Miller admits that physicians are limited by the services provided by the bank or organization with whom they’re affiliated. So in the absense of services noted above, take matters into your own hands. “Users who create extremely complex passwords and change them every 30 days are much less likely to be a victim of identity theft than those who don’t.” He also recommends an approach called hacksterization of a password, where you substitute numbers for certain letters, such as the number 3 for the letter E, or the number 7 for the letter L.

Additional precautions

Miller also advises that almost all finance systems today have the ability of setting alerts for transactions, whether it’s your credit card account, checking or savings accounts. You can set up your account so that if any transaction in excess of a set amount occurs, you receive a SMS or email message. He also suggests querying your financial organization about what type of fraud protection they offer.

“If you pick banks and financial organizations with good fraud protection scenarios, then more organizations will offer it as a service,” Miller says. “But if no one cares about it, then no one’s going to offer it. Start demanding that passwords aren’t good enough, and banks will start offering other options.”