Medical identity theft is one of several outcomes that may occur following a healthcare data breach. Individuals may be faced with medical bills for treatments that they never received, and can spend years working to remove the incidents from their record.
However, a Centers for Medicare & Medicaid Services (CMS) initiative hopes to make necessary strides in reducing this potential risk.
The Social Security Number Removal Initiative (SSNRI) intends to mitigate identity theft for Medicare beneficiaries. It will put a randomly generated Medicare Beneficiary Identifier (MBI) on Medicare cards; the MBI will be used for Medicare billing transactions, as well as eligibility and claim status.
A Social Security number-based Health Insurance Claim Number (HICN) is currently used on the cards. CMS explains that private healthcare and financial information can be better protected by eliminating that number.
“Moving to new Medicare numbers and cards requires a lot of changes to our systems and how we do business,” CMS stated on its website. “The same is true for you — our business partners. We’ve already started this work and want to help you shift to the new MBIs by April 2018. No earlier than April 2018, we’ll start sending the new Medicare cards with the MBI to all people with Medicare.”
SSNs must be removed from all Medicare cards by April 2019. The transition period will start no earlier than April 1, 2018 and will then run through December 31, 2019.
CMS added that the MBI won’t change Medicare benefits, and that individuals with Medicare may start using the new Medicare cards and MBIs once they are received.
A House hearing, “Protecting Americans’ Identities: Examining Efforts to Limit the Use of Social Security Numbers,” was held on May 23, 2017 and discussed the SSNRI.
CHIME explained in a submitted statement that it was a positive step that the committee was interested in securing and protecting identities.
“The use of social security numbers (SSNs) in healthcare is not just common, but frequent,” CHIME wrote in its letter. “The use of and reliance on SSNs in the provision of care is a direct result of language that has been included in appropriations bills since 1998.”
There is also no set standard on patient identification, CHIME noted. Instead, numerous identifiers (e.g., dates of birth, SSN, street address) are used.
“As patients visit multiple providers and records are exchanged, ensuring accurate identification is essential,” the letter stated. “With the growth of electronic health records, however, there is a greater risk of error if the bits and bytes do not match up.”
Furthermore, HIPAA regulations called for “a standard unique health identifier for each individual, employer, health plan and health care provider for use in the health care system.”
A healthcare-specific identifier will also help devalue health records on the black market, according to CHIME.
“We need a healthcare identification solution that, if stolen, does not have the same potential for fraud and abuse,” CHIME urged. “It is essential that Congress remove the language in the Labor-HHS Appropriations bill prohibiting HHS (in Sec. 510) from using any federal funds to ‘promulgate or adopt any final standard …. providing for the assignment of a unique health identifier for an individual.’”
Medical identity theft is an increasing concern, especially as cybersecurity threats keep evolving. Studies have shown that more individuals are affected by data breaches, with medical identity theft a top result from such security incidents.
An Accenture survey from February 2017 found that 26 percent of US consumers have had their personal medical information stolen in a healthcare data breach. Half of affected individuals added that they experienced medical identity theft, averaging approximately $2,500 in out-of-pocket costs per incident.
“Health systems need to recognize that many patients will suffer personal financial loss from cyberattacks of their medical information,” Managing Director of Cybersecurity in Accenture’s Health Practice Reza Chapman said in a statement. “Not only do health organizations need to stay vigilant in safeguarding personal information, they need to build a foundation of digital trust with patients to help weather the storm of a breach.”