We owe it to the patients we serve to find better ways to reduce risk in a highly automated world rife with fraud and identity theft. Granted, this won’t be easy.
Proposals for a national medical identifier in healthcare give rise to alarming scenarios about a big brother state where information is aggregated by government and used for nefarious purposes. On the other hand, when Congress has reacted with federal measures to protect patient privacy, such as prohibiting government from collecting patient medical information without warrants, the result has sometimes been to open the door to fraud.
Without a national medical ID, U.S. providers have used Social Security (SSN) numbers to track patients in their medical records, increasing the identity theft risk and opening them up to potential fraud from a data breach. This can imperil patients’ credit, and cause cascading financial damages.
Medical ID theft is especially nefarious. Few good ways exist to detect those who obtain medical services using a stolen identity, since instances normally don’t appear on credit reports. Victims are saddled with debts they may not know about and inaccurate medical records, including treatments for illnesses they never had. The current balkanized environment for record-keeping means that some patients may never discover all the places their ID was fraudulently used.
Over the past 20 years, numerous laws have aimed to protect patient privacy. They include the SAMSHA Act protecting the mental health records of patients, California’s laws on increased patient privacy for HIV-positive patients, and numerous other state laws. The European Union General Data Protection Regulation (GDPR) has given us a workable model for how to protect patient privacy through the use of people, processes, and technologies. The 21st Century CURES Act provides an imperative to securely share information, and empowers patients to retrieve and use their information as they want. The HITECH Act, of course, incentivizes us to implement electronic medical records, and better share information. Meanwhile, mobile devices and associated apps allow providers to access information anywhere at any time.
Data Sharing & the Opioid Crisis
The opioid crisis has given rise to other patient privacy and tracking measures. Twenty years ago, organized crime took advantage of doctors who didn’t keep electronic records and prescribed to anyone who paid cash. Pharmacies that didn’t use computer systems or shared information were also utilized to make it difficult to trace these providers. In 2002, a physician in Bensalem, Pa., was the subject of one of the first notable cases of a provider convicted for illegally distributing opioid painkillers thanks to pharmacies sharing their databases and other information with law enforcement.
The opioid crisis is more difficult to confront because of the varied types of medical theft. One is doctor shopping, where patients game the system by visiting multiple providers and getting an opioid prescription from each. As part of IT training, hospitals now routinely teach team members how to check for and combat medical theft.
A number of states participate in limited information-sharing to determine if someone is trying to fraudulently obtain prescription drugs. This is similar to the world of finance, where the Patriot Act Sections 314(a) and (b) and Financial Crimes Enforcement Network facilitate data sharing among financial institutions to fight terrorism and fraud.
While we face growing risks to patient safety through SSN theft, we also see potential risks through omission of critical information. The Trusted Exchange Framework (TEFCA) provides the framework for a National Health Information Exchange, which will allow for better detection of fraudulently obtained treatments and omission of critical data.
TEFCA and a national medical ID can be major steps to help overcome the balkanization of healthcare information.
With the explosion of data since the advent of EHRs, and the numerous treatments needed by the most at-risk patients (like special needs children), it is difficult, if not impossible, for patients to accurately transfer their information from provider to provider, and for multiple care providers to collaborate on care and treatment plans.
Faxing, an unsecure 1980s technology, is still used to transmit medical records. So is the Postal Service. The onus is often on the patient to obtain copies of their charts and other data, and be responsible for their transfer from one provider to another. We have no way to verify the accuracy of this data, its origin, or who’s seen it. We rely on people manually scanning in or entering this data into EMRs, which creates delays in seeing specialists who have to evaluate the records. In cases of trauma with regional Level I centers using air ambulances, they often just fly in the records with the patient.
TEFCA allows us to create a virtual national database with privacy and security controls built in, to transfer the minimum necessary information. The system tracks and logs who accesses data and validates the data transferred. It will facilitate the original tenets of the HIPAA Security Rule, which protects the confidentiality, integrity and availability of patient data. Although CMS Administrator Seema Verma has stated she wants to get rid of faxes, as does the British National Health Service, they can’t do so until there is a satisfactory replacement.
That is where the national patient ID fits in. In part two of this blog, we’ll examine the barriers that still exist, and what needs to happen going forward.