We recently reported that the number of cyber events involving the healthcare industry is expected to rise in 2014.
The reliance on electronic medical records and the use of insurance exchanges increase efficiency but also heighten the risk of medical identity theft.
In October 2013, the California Department of Justice published recommendations for preventing and managing medical identity theft. See Medical Identity Theft: Recommendations for the Age of Electronic Medical Records.
For insurance companies, the recommendations include:
- Make Explanation of Benefits statements patient friendly. Include information on how to report any errors that are discovered.
- Notify customers who have been identified as victims of medical identity theft by email, text, or another agreed-upon timely method whenever a claim is submitted to their account.
- Use automated fraud-detection software to flag suspicious claims that could be the result of identity theft.
- When medical identity theft is confirmed, the first priority should be correcting the patient’s claims record to eliminate the possibility that benefits could be capped or terminated.
In an earlier publication, the Department of Justice provided guidance for all companies that handle personal or private data. See Data Breach Report 2012.
The key recommendations include:
- Encrypt personal information sent by email, mailed in thumb drives or tapes, or stored in laptop or desktop computers.
- The Attorney General’s Office would make it an “enforcement priority” to investigate breaches involving unencrypted personal information and recommended that other agencies and regulators do the same.
- Tighten security controls protecting personal information, including training of employees and contractors.
- Improve the readability of breach notices.
- Offer mitigation products or provide victims information on how to protect themselves against identity theft after a breach.
The Department of Justice’s recommendations are not detailed. Nonetheless, they may inform what constitutes “best practices” in the healthcare insurance industry with respect to preventing medical identity theft. At the very least, the publications provide guidance about what precautions regulators consider most important.