Why Healthcare Can No Longer Ignore Identity Theft

By Gevik Nalbandian, Vice President of Software Engineering, NextGate
Twitter: @zgev
Twitter: @NextGate

Identity theft is so common in our daily lives that it’s not a matter of “if” it will happen, but “when.” In fact, the number of identity theft cases more than doubled in 2020 from 2019, to nearly 1.4 million, according to a recent Federal Trade Commission (FTC) report. Another survey, from IDC, finds that over the past two years, 47 percent of U.S. consumers experienced identity theft.

In healthcare, identity theft occurs when someone uses another person’s name or insurance information to get treatment or prescription drugs. It also happens when hospital staff uses another person’s information to submit fake claims to insurance companies. For example, in a major fraud scheme in Texas, a family physician was sentenced to federal prison after he forged his patients’ records to issue over 600 high-cost scar prescriptions to reap millions in insurance claims. The prescriptions were issued without consultation with the patients and without their knowledge.

Vulnerabilities in medical billing are the result of the antiquated fee-for-service mentality of healthcare and the lack of digital identities where individuals can be accurately verified. Identity theft is rapidly growing in severity and will continue to flourish until new authentication and validation methods are in place.

A doctor who engages in fraudulent medical billing, like the physician in Texas, simply falsifies procedures, prescriptions or visits. Because the practice or clinic bills Medicare or the insurance company on the patient’s behalf, the office, clinic or even the pharmacy can bill whatever they want. This type of fraud could be prevented if the patient were made aware of every medical transaction and were able to correlate it with the visit, prescription or procedure, similar to how consumers get notifications on their mobile device when a charge is placed on their debit or credit card.

Banks and credit card companies can do this because over the years, they have been able to create algorithms that identify individual spending patterns, including dollar amounts and locations, to detect uncharacteristic behaviors. In healthcare, real-time notifications of data breaches and billing errors don’t exist. It’s only months later that patients are notified of a hospital data breach or receive a surprise bill in the mail. Further, patients have likely signed a piece of paper that gives their doctor’s office the right to bill and negotiate on their behalf.

In order for physician practices and hospitals to maximize reimbursements from insurance companies, they need to hire specialists who know what medical procedure “codes” to use so they get paid the maximum amount, the fastest. In healthcare these are known as ICD-10 codes. No patient can figure these codes out, right? So, let’s assume patients don’t want to give up their day job to learn ICD-10 and leave that task to the coding specialists. However, if a patient knew every transaction that occurred under a hospital’s care and were left wondering why there were 14 X-ray procedures performed when they only had two, then they could immediately alert the hospital or authorities. Today, I get notifications from my banking and credit card transactions all the time. The tech exists. Now we just need to find the motivation for healthcare.

When patients have the ability to manage their identity, they can gain access to their medical records and see every healthcare transaction that was recorded. Having access and control over one’s personal data could help patients not only lead a healthier life but also gain a clearer understanding of everything a hospital or doctor does on their behalf. Detection of any abnormalities in services could allow patients to get ahead of fraud and any medical or billing errors.

Being a victim of medical identity theft costs the average patient $13,500 out-of-pocket. It’s also considerably difficult to undo, taking months for patients to resolve, while leaving them frustrated with calls from debt collectors. If someone gets treatment under your name, their medical issues can become part of your health record, impacting your ability to get care or insurance benefits. It can even affect your doctor’s decision-making, leading to incorrect treatments, prescriptions and misdiagnoses.

Just as identities are required to be verified, so should transactions in healthcare be. Furthermore, transactions should be easily discoverable by data owners (the main actors being the consumer or patient and, in some cases, investigators or auditors). While technologies like blockchain might be overblown, there is merit in creating indisputable ecosystems; there is merit in zero trust security models.

These types of interactions are happening now around the world as governments and consumers adopt digital identity management tools. It is possible to bring the same experiences to U.S. healthcare. As society moves more and more of its services online, we as an industry must be prepared to develop private, secure, and consumer-friendly digital ID strategies to join the revolution.

This article was originally published on the NextGate Blog and is republished here with permission.