After the Target Corporation credit card breach, which affected thousands of customers, people seem to be more leery of identity theft and the illegal use of their personal financial information.
Although it was always something in the back of people’s minds, this particularly large breach seemed to incite conversation among all Americans, and made a once abstract idea more tangible. The breach has cost Target approximately $162 million in expenses, but the harm to the consumer psyche is just as damaging. Although people may actively protect their financial information to avoid identity theft, they often neglect to exhibit the same level of diligence in protecting their medical information.
Medical identity theft is on the rise, and the Medical Identity Fraud Alliance reported a 21.7% increase in the past year alone.[1] As pharmacists, we can play an active role in preventing the theft of our patients’ medical information. Medical identity theft is defined as the unauthorized use of an individual’s personal information (eg, date of birth, Social Security number, and insurance policy number) to obtain or bill for medical services or medical goods. Medical identity theft is considered a form of medical fraud, and it can be harmful to both a patient’s finances and overall health. Not only can patients be subjected to false health insurance claims and pharmaceutical bills, but they can also have incorrect medical information in their files as a result of the thief’s conditions, thus jeopardizing their own health. As pharmacists on the front lines, we can help to not only prevent medical identity theft, but also detect it.
To decrease the incidence of identity theft, the Federal Trade Commission (FTC) has published the Red Flags Rule to aid businesses in implementing theft protection programs and detecting “red flags” of identity theft in their everyday operations.[2] The Red Flags Rule may lay out a process for implementing a theft protection program, but for pharmacies, the first step is educating employees. Because of the easy access to healthcare and insurance information, a significant portion of medical identity theft is conducted by employees themselves. Employees should be instructed to only access patient records required to perform their job functions. Pharmacies should also consider implementing employee access codes to ensure that only company employees have access to patient records. With employee-specific codes assigned, pharmacies can also track individual employee actions, should an incident occur.
Pharmacies can take precautions to ensure that they are not unknowingly assisting medical identity theft. Being diligent with patient data and using shred bins for any sensitive data can go a long way in deterring thieves. Although physical precautions are important, technological safeguards should also be put into place. Pharmacies should never take possession of a patient’s Social Security card, or photocopy a patient’s insurance information to store a copy. Furthermore, pharmacies should refrain from using the “Notes” section of the dispensing software to enter personal and protected information about the patient that could be misused.
From a patient perspective, pharmacies should have a system in place for authenticating patient identities. This may be as simple as asking for photo identification at the point of service, especially for new patients or those who are asking for copies of their prescription records. Low-technology approaches may also include asking patients to demonstrate knowledge of their demographic information, or details about previous prescriptions received. This additional security step can deter many would-be thieves from using others’ insurance cards. According to the FTC, a major red flag is suspicious-looking documents, including identification documents that look altered or forged, or photo identification that does not match a person’s physical description.
Other red flags include suspicious account activity. For example, a patient may provide a change of address and telephone number, and then add or use a new credit card to pay for their prescriptions. Another red flag is a plethora of activity in a previously inactive account, and, although obvious, receiving information from the health plan or insurer about possible unauthorized charges or suspicion of fraudulent activity on an account is a clear red flag.
When a red flag is detected, pharmacies can respond appropriately and help curb medical identity theft. Although actions will vary depending on the degree of severity, some responses that would be appropriate include contacting the patient whose identity you believe has been stolen, refusing to fill a prescription if the suspect is a new patient, closing an existing charge account, or notifying law enforcement. As technology changes and thieves adjust their tactics, your pharmacy should adjust its policies and procedures related to identity theft. Medical identity theft is not a problem that is going away any time soon. Although it may be an inconvenience for pharmacies to deal with, this is not a problem that can be solved by any one organization, and pharmacies must take an active role in preventing cases of medical identity theft.
1. Medical Identity Fraud Alliance. Fifth annual study on medical identity theft. http://medidfraud.org/wp-content/uploads/2015/02/2014_Medical_ID_Theft_Study1.pdf. Published February 2015. Accessed April 16, 2015.
2. Federal Trade Commission. Fighting identity theft with the Red Flags Rule: a how-to guide for business. www.ftc.gov/tips-advice/business-center/guidance/fighting-identity-theft-red-flags-rule-how-guide-business. Published May 2013. Accessed April 16, 2015.