AAMC Reporter: October 2008

Identity Theft Affects Health IT Progress

When Joanne Davis, a veterinary technician from Ohio, drove out of a gas station in December 2003 with her wallet still resting on the trunk of her car, she never imagined she needed to do more than cancel her credit cards. Within a few months, however, she began receiving medical claims in the mail for emergency room trips and dentist visits she never made. She called her insurance company to report the fraud and with an agent began an investigation.

To facilitate the process, Davis stopped seeking medical attention. Her insurance card was flagged, asking any health care provider to contact the police. She was once almost arrested for trying to fill a prescription. Eventually, the authorities caught a woman using Davis's medical identity to obtain Oxycontin. But the investigation took several months, and Davis said she still fears that her medical records are corrupted.

"I'm definitely still dealing with this," she said. "I'm concerned that my records aren't cleared at this point. This woman visited multiple hospitals—what if her blood type is on my charts somewhere? I had surgery recently, and that thought really concerned me."

Davis is not alone in her worries. There have been widely publicized security breaches at the Department of Veterans Affairs and at the National Institutes of Health (NIH), where a laptop was stolen that contained health information belonging to 2,500 clinical trial participants.

Medical identity theft accounts for 3 percent—249,000 incidents—of all identity theft in the United States annually, according to a 2005 Federal Trade Commission report. Although it is an uncommon crime, privacy experts worry it will become less so as doctors and hospitals gradually begin switching to electronic health record (EHR) systems, which could make it easier for people to access—legally and illegally—private health information.

Since 2004, when President Bush proposed that EHRs be in widespread use by 2014, implementation has been on the rise. However, public anxiety over privacy and safety has hampered the complete adoption of these systems.

So far, government agencies and health institutions, including many teaching hospitals and other academic centers, have moved to counteract patient fears by enacting measures designed to ease people's minds. In California, the legislature this year passed a law mandating that any company or other entity handling medical or health-insurance information make individuals aware of compromises in their medical records. The U.S. House of Representatives Energy and Commerce Committee also approved measures that promote the adoption of interoperable and secure health information technologies. Additionally, the U.S. Health and Human Services department's Office of the National Coordinator for Health Information Technology awarded consultants Booz Allen Hamilton a $450,000 contract to study the magnitude of medical identity theft nationwide.

Some are not sure whether these and similar initiatives will lead to more support for EHRs. "If the public is, indeed, circumspect about electronic health records, then it is good news because it indicates they are aware of the value and vulnerability of their personal information," said Nicolas Terry, a health law expert and the Chester A. Myers professor of law and senior associate dean for faculty at St. Louis University School of Law. "The real public reluctance to electronic health records will likely play out in the absence of public support for government initiatives in this area."

With physicians, the reluctance to use EHR systems is mostly financial. A study published in the New England Journal of Medicine in July reported that 83 percent of physicians currently do not use an EHR system, citing initial capital expenditures as the biggest barrier.

Monetary concerns notwithstanding, the sticking point for EHRs will be how they are implemented, said Pam Dixon, executive director for the World Privacy Forum, a nonprofit group that focuses on consumer education in the area of privacy, including health care and medical identity theft.

"The potential for patient and physician benefit is profound with electronic health records, but the people in charge of choosing the systems must think about all the spots where problems could come in," Dixon said. "They have to know the dangers and signs of medical identity theft and fraud, and they have to have a system in place to address those issues so entire patient records don't have to be deleted and recreated."

Patients must also play a role in protecting themselves, she said. After every doctor's visit, Dixon recommends that patients request a printout of their medical records so they have a running tab of their health information and can easily spot abnormalities.

The main threat to patients with information in an EHR actually comes from inside the doctor's office or hospital rather than mainstream hackers, and the problem is often worse in large medical environments than in smaller offices or clinics, Dixon said. But many academic medical centers that have either installed EHR systems or plan to do so have taken steps to ward off any potential security breaches.

For the University of Texas Medical Branch (UTMB) at Galveston, an EHR system not only centralized patient information but streamlined doctor-patient communication. UTMB began researching EHR systems in 2003 and has since transferred all lab, radiology, outpatient, and physician documentation to an electronic format. There is a plan to include nursing documentation within the next year, said Christopher Mast, M.D., assistant professor of family medicine, lead physician analyst for UTMB's EHR project.

"So far, we've seen increases in both physician satisfaction and efficiency, and as people become more accustomed to the system, their comfort and enthusiasm increase," Mast said. "Our patients like the fact that doctors can bring up their lab results or their medical records on a screen in the exam room rather than having to leave to find a paper file."

UTMB officials have safeguards in place to protect patient information and privacy, Mast said. Anyone accessing a patient's file must log into the EHR system with a username and password, and the system keeps a record of each log-in. Also, access to patient records is granted based on the parameters of an employee's job. For example, if an employee has no professional need to see a patient's insurance information, he or she is prohibited from doing so.

If a medical records breach occurs, UTMB offers patients resources to help them regain control of their health information, said Christopher Smith, a business practice operations analyst in UTMB's compliance program. Information security officers or institutional privacy officers will launch a full investigation if patients suspect their information has been stolen or corrupted. Smith also encourages patients to file a report with the UTMB police department and other local authorities.

The University of Miami Miller School of Medicine will soon join UTMB as an academic medical center using EHRs. At publication time, school officials were close to choosing a system with plans to begin implementation within 18 months, focusing largely on transferring ambulatory services, said Michele Chulick, associate vice president of hospital operations. The most important concern in selecting a system has been privacy.

"The system our administrators select will have strong security measures. In specific regard to medical identity theft, we want a system that includes encryption of shared information that runs across the system network," Chulick said. "And this isn't new with the electronic records system, but we have stringent policies and procedures in place that safeguard patient privacy and limit the number of people who can access patient information."

—By Madeleine Evans, special to the Reporter