You know the drill: Each time you visit a new doctor or hospital, you’re asked to provide personal data, including your social security number, address, health insurance information, and sometimes even your credit card number. The expectation – spelled out by federally mandated HIPAA privacy laws that patients must review and sign off on – is that this sensitive information will be safely stored. But new surveys reveal that’s not always the case.
In reality, medical data loss in the United States is occurring at an alarming rate. A 2012 survey from the Ponemon Institute (a research organization dedicated to advancing privacy and data protection practices) revealed that 91 percent of health care facilities with 250 employees or fewer confirmed they’d had at least one data breach. Even large health care organizations aren’t immune: 41 percent of hospitals admitted to 10 or more data breaches a year, according to a 2010 survey conducted by the identity security firm Identity Force.
“Accidental data loss is more common than actual theft,” says Larry Ponemon, chairman and founder of the Ponemon Institute. “The digitization of medical records is great for patients with conditions like rheumatoid arthritis [RA]; it allows multiple providers to coordinate care. But it also tends to result in larger data leaks than you’d have with paper records.” Any data loss is dangerous, because it increases the odds that unscrupulous individuals, hackers or crime rings can use your medical insurance for themselves, or make false medical claims (think Medicare fraud) under your name. That can lead to medical mix-ups, such as blood type mistakes or prescription errors, if their data is stored on your medical chart. It also can cause you to exceed your allotted insurance benefits, which can potentially limit your care, and even put you on the hook for medical bills that aren’t really yours but were submitted in your name.
According to the Federal Trade Commission, red flags for patients include bills for medical services you didn’t receive; debt collection or a credit report showing you’ve gone into debt collection for medical debt you didn’t accrue; or a notice from your health insurance company that you’ve reached the limit on your benefits.
Take these steps to reduce your risk of data leaks:
Ask questions. Find out what information health care providers keep on file, how they use it, and if there’s any reason they’d share that information without your consent. “If your doctor thinks you’d be a good fit for a new RA drug trial, for example, you should be given the opportunity to say yes or no before the doctor passes your information to the pharmaceutical company or research team,” says Ponemon. Likewise, each time you see the doctor, ask the date of your last visit to make sure their records are accurate.
Put your photo on file. Many security-conscious providers now ask patients to provide photo ID to confirm their identity. If yours doesn’t, ask them to put a note on the top of your file to check your ID at future visits. It’s not a perfect system but it’s a start, say experts.
Look around. “If you notice files open and sitting around a medical office, it’s a sign that there may be sloppiness in how information is maintained,” says Ponemon.
Request your records. Providers are required by law to let you see your medical files. “If there’s lots of extraneous or erroneous information, such as the wrong billing address, it can be a sign they’re not being careful,” says Deven McGraw, director of the Health Privacy Project at the Center for Democracy & Technology.
Review your medical claims statements and health care bills. “They should reflect doctor visits you actually went to and services, such as surgery, that you actually received,” says McGraw. If you notice an error, tell the medical office and your health insurance company, and request an updated statement reflecting the correction.
Safeguard your documents. “Shred all throw-away documentation, and store important documents in a secure place, like a locked filing cabinet,” says Robert Siciliano, a Boston-based identity theft expert and McAfee consultant.
Read your mail. “The federal government requires health care providers to tell patients if their data has been leaked,” says McGraw. If you receive such a notice, ask the provider these questions: Was the loss a theft or an accident? Was the data digital, and was it encrypted (in which case there’s a low probability it can be used)? Will the provider offer remedies? “Larger insurers and hospitals, in particular, often offer free credit monitoring to those affected by a security breach,” says McGraw.
If Your Medical ID Has Been Stolen …
Report it to the Office of the Inspector General. For instructions and more information on how to deal with medical ID theft, visit oig.hhs.gov.