Provider Vulnerability to Medical Identity Theft Addressed by CMS

Medical identity theft has become one the fastest growing forms of identity theft in the United States. Although individuals have used physician identifiers of deceased (see the Office of Inspector General report) and non-practicing providers to fraudulently bill Medicare for years, much of the focus on medical identity theft has been on theft of patient’s personal information and health insurance information to get medical treatment and prescription drugs or submit fraudulent bills to health insurance companies.

Health Care Providers Medical Identity Theft

For providers, medical identity theft happens when the identify thief uses a providers’ unique medical identifiers such as National Provider Identifiers (NPIs), Tax Identification Numbers (TINs) or medical licensure information to bill insurance fraudulently for items or services that the provider never provided or prescribed. For example, medical identity thieves may steal the personal information of providers through hacking databases or posting sham hiring ads, CMS Deputy Administrator for Program Integrity, Peter Budetti, MD, JD explained in a recently posted article on the CMS website titled “7 Ways to Protect Yourself from Medical Identity Fraud”.

According to CMS, legitimate providers do not become aware that their identities have been compromised until they begin receiving overpayment demand letters from the Medicare Administrative Contractors (MACs). While the identity thieves receive the illegitimate Medicare payments, the victimized providers are exposed to the financial liabilities, including overpayment demands and tax liabilities for income never received, and credit degradation. Nonpayment of the illegitimate debt may result in the debts being referred to the Department of Treasury for collection. In addition, a physician may become the physician of record for services for which he or she was not involved in any way.

CMS’ Provider Victim Validation/Remediation Initiative

Historically, victimized health care providers had difficulty exonerating themselves from Medicare financial liabilities associated with identity theft because there was no established protocol for addressing provider identity theft issues. CMS, however, has taken steps to address provider vulnerability to medical identity theft by establishing the Provider Victim Validation/Remediation Initiative to assist providers who have suffered unwarranted financial liability as a result of having their NPIs, TINs, or medical licensure information stolen to fraudulently bill Medicare.

Under the initiative, CMS, in coordination with Program Safeguard Contractors (PSCs) and Zone Program Integrity Contractors (ZPICs) has established Points of Contact throughout the country for providers to access if they have been the victims of identity theft and have suffered financial liability as a result. PSCs and ZPICs will conduct investigations and report their findings to CMS. CMS will make a final decision whether to relieve providers of liability based upon the evidence and other information. Providers who believe they are the victims of Medicare identity theft but who have not yet suffered any financial liability, should contact their jurisdictional MAC or contact the OIG hotline at 1-800-HHS-TIPS.

Steps for Providers to Protect Themselves against Medical Identity Theft

Budetti’s article focuses on how providers can protect themselves against medical identity fraud, identifying seven actions providers should take, including:

  1. Keeping medical information up-to-date – by reporting any changes to insurers, such as opening and closing of offices and moving between group practices.
  2. Actively reviewing Medicare remittance notices for items or services listed that the provider didn’t provide and payments to you for services you didn’t provide.
  3. Protecting medical information – by only giving provider information to trusted sources and check out potential employers or other organizations before giving out medical identifiers to ensure they are legitimate.
  4. Training staff – to properly use and distribute provider medical information including prescription pads, electronic health records, and other important documentation.
  5. Educating patients – to be on the lookout for fraudulent activity on their explanation of benefits statements and how to report fraud when they see it.
  6. Reporting any suspected medical identity theft – by calling the CMS program integrity investigative contractor in the provider’s region if the provider believes he or she is a victim of medical identity theft, or by report suspected cases of medical identity theft to the OIG hotline as noted above.
  7. Protecting prescription pads – by keeping prescription pads in a safe and secure environment, so identity thieves can’t use them to obtain prescriptions you never prescribed.

For a further discussion addressing physician vulnerability to medical identity theft fraud, see the Journal of the American Medical Association (JAMA) article written by Budetti and his colleague Dr. Shantanu Agrawai, which explains how medical identity theft occurs and how to prevent it.