Technology increasingly important in effort to ensure correct patient ID

Health system uses on-line tools, training to prevent error, fraud

News reports in recent months tell of computers with data on Medicare and Medicaid patients being stolen from a health system's regional office and a former hospital worker charged with fraud and identity theft for accessing and selling patient files.

Some patients, meanwhile, attempt to pay for their care with stolen insurance cards or give false Social Security numbers so hospitals won't be able to bill them.

Medical identity theft occurs when someone uses a person's name — and perhaps other pieces of identifying information, such as an insurance card — without the person's consent to obtain medical services or goods, or to make false claims for medical services, according to the World Privacy Forum.

It often results in erroneous data being put into existing medical records and can involve the creation of fictitious medical records in the victim's name, notes Patti Consolver, CHAA, CHAM, corporate director of patient access at Arlington-based Texas Health Resources (THR).

With increasing attention on preventing these kinds of crimes, says Consolver, on-line tools and other technology to ensure proper patient identification that were once "nice to have" are now in the "must-have" category.

"Technology like biometrics [see related story at end of article] leaves little room for error, lifts the burden from the registration personnel and, more importantly, offers patients a safe and secure process for their personal medical information," she adds.

THR, a 13-hospital system with more than 2,400 licensed beds, uses on-line processes to screen Social Security numbers and credit information for fraud alerts and to verify the accuracy of a patient's address, Consolver says.

With the Social Security software, for example, staff may receive an alert saying that the number given belongs to a deceased person or has never been issued.

When presented with that result, patients in some cases will admit the deception, Consolver adds. "You may find that an illegal immigrant has purchased a Social Security card. Sometimes they'll come right out and tell you that."

In other cases, even when staff know they've been given bad information, she says, "patients are adamant that it is the right number," knowing that they won't be refused care.

Although technology provides a big advantage in ensuring accurate patient identification, it is far from infallible, Consolver notes. One system, for example, goes out and verifies that a mailing address is actually a valid address, she says, but it doesn't say that the patient lives there.

A program such as Equifax that looks at a person's credit history will show the last three or four known addresses for that person, Consolver says, but they might be out of date, depending on the last time a credit check was done.

"At least these are tools that allow you to go out and try something else," she says. "It's just something that we need to make sure is a priority."

One of THR's on-line training modules addresses the issues associated with medical identify theft, Consolver notes. "Before, [registrars] would make a copy of an insurance card or a driver's license, file it, and not think twice." Now, she adds, they are instructed to "do a double check, make sure it matches, that the right one is in front of you, and take note of anything that seems suspicious."

THR access employees are told to involve the management team any time there is a concern with an account, she adds. Scripting has been developed to help staff communicate courteously and effectively with patients when questions come up regarding their information.

"If patients see [the registrar] looking at their credit or address information, they want to know where it's coming from," Consolver says. "You need to be careful how you explain that. You don't want to cause a bigger customer service dissatisfier."

Registrars certainly don't want to come across as though they are accusing the patient of lying, she adds.

Consolver suggests saying something like, "Our computer system is showing this. Can I double check that this is the right one?"

Protecting the patient's information is just as important as determining when what is presented is not accurate, she maintains. "Historically, patient access staff have made a copy of the driver's license and the insurance card, but copying this information can be as detrimental as copying a credit card."

If scanning is not an option, Consolver suggests, security measures need to be in place to ensure that such data are treated as protected health information.

Medical identity theft, she points out, frequently results in erroneous entries being put into existing medical records and can involve the creation of fictitious medical records in the victim's name.

This crime can be difficult to uncover, and may go unnoticed for years, Consolver adds, and with HIPAA constraints it can be difficult to view all pieces of a medical record to determine inconsistencies or fraudulent entries.

Those whose medical information is stolen, meanwhile, do not have clear pathways for recourse and recovery, she notes. "The Fair Credit Reporting Act allows for greater recourse for victims of financial identify theft than the HIPAA health privacy rule provides for victims of medical identity theft."

SS number no longer patient identifier

THR has used Social Security numbers as patient identifiers for more than 20 years, but discontinued the practice earlier this year for all new patients, notes Tauna Shelton, MHSM, MS, CHC, regional director, compliance and privacy.

"The issue came up and we had been trying to address it for some time, but we needed software and changes made to the computer system," Shelton says.

Concern on the part of customers prompted the action, she adds. "We want to make them comfortable, and it's such a compliance issue."

Her office, in conjunction with the security department, also has developed a toolkit to assist those who suspect that identity theft has taken place, Shelton says. "There is a whole packet that an individual can use to report theft or suspicion of theft [of patient information]."

In addition to a Federal Trade Commission booklet and other explanatory information, there is a questionnaire to help people determine their level of risk, she says.

Reports of possible instances of identity theft may come from a variety of sources, Shelton notes, including anonymous phone calls to a hotline by, for example, an employee who observes another employee doing something inappropriate. In other cases, she adds, a manager might question why an employee has certain information.

Another warning sign would be if a patient who has used a credit card to pay the hospital bill suddenly notices charges on the card that he or she has not made, Shelton says. "They notify somebody here and we begin to investigate, to see if an employee is holding on to a Social Security number or any kind of protected health information. So far nothing like that has happened here.

"What we have done when we have had potential cases is monitor that individual's accounts for credit agencies to see if there is any unknown activity," she adds. "We would contact the credit agency because the patient felt there was a problem or we came across something [suspicious] and wanted to make certain the individual was protected."

If there is a potential case of identity theft, Shelton says, a notification form is sent to the patient, including any information that might help them. "We give them the names of credit agencies, with phone numbers, and inform the patient that we will follow up with them."

THR employees are required to complete computer-based business ethics and compliance programs, which combined with HIPAA privacy and security material take about six hours to complete, she notes. "So we aggressively address this issue from a training point of view."

Document imaging promotes data security

The billing offices and health care facilities of Texas Health Resources are using a document imaging system to scan, view, fax, and store visual patient identifiers at their work stations, says Linda Powell, CHAM, director of patient access services at Harris Methodist Fort Worth Hospital.

"The patient identifiers are imaged and stored electronically, similar to the way you would file documents in the folder of a filing cabinet," Powell adds. The goal, she says, is to reduce billing errors and medical record duplication and provide patient safety by retaining accurate patient identification for future use.

"We're a trauma center, and a lot of times we don't get the most common forms of identification upon arrival of the patient," she notes. "Often we may get only a name from the local ambulance service, which is not enough to positively identify an individual as a previous patient when we search the Master Patient Index for a previous account.

"The most commonly acceptable patient identifier is the name and the date of birth, and sometimes the Social Security number," Powell says. When this information is not available, secondary patient identifiers — such as where a patient works, the name of their insurance company, or the fact that the patient was previously admitted at the facility — may come into play, she adds, "and more often than not, they cause a problem."

Document imaging, in place at Texas Health Resources since early 2005, "provides a way to positively identify patients using stored images on file," Powell notes. "You'd be surprised how many people leave home with just their car keys and a coat."

Powell says she knows from personal experience the problems that can ensue when institutions rely on secondary patient identifiers. She experienced them firsthand when her identity was confused with that of another Linda Powell, who also has the same middle initial, maiden name initial, and several other secondary identifiers.

With document imaging, such confusion doesn't occur, she points out. "You go into a previous account, acquire patient identifiers imaged in the system, and know that the person standing in front of you is who they say they are. You can positively identify the patient readily, quickly, repetitively when positive identification is imaged and stored in the patient account."

During the registration process, Powell explains, patients are asked to produce:

  • Positive identification in the form of any photo ID, preferably with evidence of mailing address.
  • Current health insurance card for services being reimbursed by a third-party carrier.

In addition to providing a way to instantly store and retrieve visual-imaged patient-identifying documents, Powell notes, the process makes existing paper documents available in a secure manner across the network.

"People sometimes just show up at the customer service area," she adds, "and say, 'I need to check on my bill. Can you help me?'"

If the person isn't carrying identification, Powell says, that customer service employee can now look in the file to confirm identity, rather than telling the individual he or she will need to answer correctly a series of questions pertaining to the identity of the patient listed on the account or come back later with positive identification.

Powell advises providers interested in instituting document imaging to select quality equipment and to make sure they get the type that fits their specific needs.

"You can image documents in bulk, so you don't disturb the flow of registration by stopping to scan at an entrance," she says. "You could keep a big basket there and do it by batch when staff are not busy."

Hospitals with fast-track ED registration or a fast-track pre-registration location, for example, might choose such a method, Powell adds.

On the other hand, it might not be cost-effective for a hospital with a completely decentralized registration operation to purchase a large, super deluxe scanner that sits in one area, she notes.

"We have desktop scanners on every registration desk at Harris Methodist Fort Worth Hospital, and we also do bedside registration, so we have scanners on our computers on wheels," Powell says. "We have eight buildings and 17 decentralized points of entry where registration functions are performed.

"Analyze your business and determine how best to get the job done," she suggests. "We bought a big scanner just in case, but we really don't use it often." Quality is important, Powell adds, because some types of equipment scan documents faster than others, which obviously has an impact on registration flow.

When putting a program in place, she continues, "Look at what you're really trying to accomplish — patient safety by establishing positive patient identification, reduction in duplicate medical records and reduction in billing errors — and put a process and policy in place where you start to collect valid patient ID upon admission."

Reeducating the public is sometimes a difficult task, Powell cautions. "If customers aren't used to bringing identification, it might take awhile before it becomes common practice to do so."

(Editor's note: Patti Consolver can be reached at PattiConsolver@texashealth.org. Tauna Shelton can be reached at TaunaShelton@texashealth.org. Linda Powell may be reached at LindaPowell@texashealth.org.)


Deliberate misidentification growing problem in EDs

Director looks at strict countermeasures

When access employees at Lake Pointe Medical Center in Rowlett, TX, register patients, a software program uses name and date of birth to simultaneously check the Social Security number and make sure it is valid, says Clyde Goins, patient access director.

If the registrar receives an "alert" saying that the number is not valid, Goins adds, staff double check the number with the patient, explaining to the person that it appears that someone else is using their information. The patient is then told that the hospital will have to report the incident to the police, he says.

"A lot of times at that point the patient comes forward with another number and says, 'Oh, it's actually this,'" Goins notes. "What I personally feel is going on is that some patients, especially in the emergency department, are becoming aware of the fact that we're going to take them [either way], and they intentionally provide bad information."

The hospital has a billing system that automatically sends back patient accounts with incorrect information, such as wrong telephone numbers, he adds, and most come from self-pay patients.

"I'd like to know, to do a study of how much this is going on in the ED," Goins says. "I really believe it's a big thing."

While Lake Pointe Medical Center has only a small uninsured population, with most patients self-pay because they choose to be, he notes, the problem is likely to be more widespread at larger, urban facilities.

The program that checks Social Security numbers has been in place a little more than a year at Lake Pointe, which is a Tenet hospital, but has been phased in over the past five years or so throughout the Tenet system, Goins says. "We were one of the last to get it."

Five years ago, he notes, hospitals "weren't paying that much attention" to double checking Social Security numbers and other strategies to ensure proper identification.

Lake Pointe now has a policy under which staff call local authorities if they know that a person has intentionally given a false Social Security number, Goins says. "We've already made contact with the police department and they've agreed to come out [in such situations]. They probably won't make an arrest, but they will talk to the person."

The hospital hasn't yet gotten to that point, but one of its sister facilities has called the police several times in such situations, he adds.

Whether or not police become involved when a patient is suspected of intentionally giving false identification, having staff take a proactive approach in such situations is likely to be a deterrent, Goins points out.

"The thing that's probably most important," he adds, "is that they won't come back here."

At his next meeting with the ED director and physicians, Goins says, he planned to propose that a policy be instituted whereby some medications are withheld from non-emergent patients who refuse to provide accurate identification.

"Of course we have to stabilize the patient and follow the EMTALA requirements," he adds. "But if the patient doesn't require emergency care, or if we provide care and have to give meds — not antibiotics, but, say, pain meds — we would say that in order for us to provide them, we need a form of identification."

(Editor's note: Clyde Goins can be reached at clyde.goins@tenethealth.com.)