Purpose:

This policy is designed to ensure HIM staff understand how to detect, prevent, and mitigate medical identity theft in connection with the operations performed in the Health Information Management Department.Staff members must be alert for cases of possible identity theft.

Procedure:

1.When an employee reasonably believes identity theft has occurred or may be occurring, or when identity theft is alleged by a patient,

  • Notify the HIM Director immediately who will then contact the Chief Quality Office in her role as Compliance Officer.
  • The HIM Director will complete the Alleged Identity Theft Communication Alert Form, attachment A.

2.The following will be performed by the HIM Director or designee when identity theft has been alleged:

a.) Patient indicates he/she has been billed for care not provided and requests access to the medical record:

  • Validate to the extent practical the claim of the victim.
  • Compare the signatures on each medical record, if available, victim’s medical record vs. care provided to the alleged identity thief.
  • Validate the identity of the victim by checking a government issued photo ID.
  • Once validated, inform the Chief Quality Officer in her role as Compliance Officer.
  • The HIM Director/Privacy Officer should contact the victim to inform him/her of the suspected identity theft and ask the victim to complete a Medical Record Amendment Request Form.
  • Remove the records of the identity thief from the victim’s medical record based on the approved Medical Record Amendment Request. The HIM Department staff will remove all related documents from the medical record and make replacements with appropriately revised documents as indicated.
  • Obtain a signed authorization from the victim to review the amended medical record utilizing the Authorization to Use and Disclose Protected Health Information Form, in accordance with the policy, Release of Health Information. The victim/victim’s representative will only have access to documents reasonably believed to belong to the patient. The documents believed to belong to the identity thief cannot be viewed by the victim of the identity theft.
  • Obtain the victim’s/victim’s representative’s verification of the corrected medical record utilizing the attached form, Health Information Certification Form, attachment B.
  • Forward a copy of the signed form to the Chief Quality Officer to be documented into the Compliance Tracking System.
  • Correct the Master Patient Index (MPI): The HIM Director and the Patient Financial Services Director will verify all demographic and insurance information and will update the MPI for each patient. A new medical record and account number will be created for the record of the care provided to the identity thief. If the identity thief had more than one visit, each visit will be assigned a new account number while maintaining the same MRN for each account. If the real identity of the identity thief is known, the medical record will be assigned to the identity thief’s name. If not, the name on the record will be the first name of the victim and Idtheft as the last name:

Idtheft, Susan

If the first name of a subsequent victim has already been used on another ID Thief’s record,

  • Perform a patient search in the MPI by entering Idtheft as the last name. All Idtheft patients will be listed in alphabetical order.
  • Assign the next name in the sequence based on the sex of the patient.

Idtheft, Jane

Idtheft, Jane B

Idtheft, James

Idtheft, James B

The hospital address will be used as the address for the Idtheft.

  • Request for copies of medical records:
  • Patient requests: Copies of medical records will be provided to the patient upon written request in accordance with the policy, Release of Health Information.
  • Copies of medical records will be provided to the law enforcement agency which the victim authorizes. Before providing such records, the facility must ask for proof of identity, which may be a government-issued ID card. Document receipt of and copy all such information. Release may be made to law enforcement without the victim’s/victim’s representative’s authorization in accordance with, Disclosure of Confidential Patient Information during an Emergency.
  • Accounting for Disclosures: The HIM Director shall determine whether, as a result of identity theft, protected health information was inappropriately disclosed. If protected health information was inappropriately disclosed, the entity’s HIM department must account for such disclosures in accordance with HIM Policy Tracking / Accounting of Protected Health Information (PHI) Disclosures.

3.When Patient Misidentification Occurs. If it is determined that patient misidentification, but not identity theft, has occurred (as, for example, when a patient gives his or her real name, but the incorrect medical record number is assigned and the medical information of two patients is subsequently intermingled), the facility shall take the following steps:

  • Notifications: When patient misidentification has occurred, the employee discovering the misidentification will immediately notify the HIM Director who will notify thePatient Financial Services Director. If the incident occurs on a weekend, reporting should occur the next business day.
  • Notifying Affected Patients: Mitigation Efforts. Patients affected by patient misidentification will be notified by the HIM Director/Privacy Officer if the misidentification resulted in the release of medical information on the wrong patient. If it is determined that notification of the breach should be made, the HIM Director/Privacy Officer will contact the Chief Quality Officer for guidance and assistance. KRH will mitigate, to the extent practical, any harmful effect that is known to the facility as a result of unlawful use or disclosure of protected health information in connection with a case of patient misidentification.
  • Correcting Medical Records in Cases of Misidentification
  • Patient medical and payment records must be corrected when a case of patient misidentification occurs.
  • The HIM Department in conjunction with the nurse director and/or the attending physician (as needed) will separate the intermingled documents into two separate medical records.
  • If the HIM Department is still unable to determine which documents belong to which patient, the patient will be contacted to obtain appropriate validation.
  • The patient’s identity should be properly verified and documented.
  • The HIM department will make appropriate corrections to the patient’s medical record to ensure the record contains correct entries only (e.g., by transferring visit from incorrect MPI record to appropriate MPI record, see step below).
  • Corrections shall be made in accordance with the facility’s medical record corrections policy, Amending the Contents of a Patient’ Medical Record.
  • A detailed explanation of the corrections shall be generated by the facility and verified by the patient as indicated.
  • Pursuant to HIM policy the HIM department will send amended information to persons who have received incorrect or incomplete information.
  • The patient’s verification of the corrected medical record shall be documented and included as part of the case file forwarded to the HIM Director/ Privacy Officer and entered utilizing form Health Information Certification Form, attachment B.
  • Include this form in the patient’s medical record.
  • HIM will research the release of medical information from the record.
  • HIM will notify all entities receiving incorrect information and will provide the correct information so the entities’ medical and billing records can be updated.
  • Master Patient Index:The HIM Director and Patient Financial Services Director will verify all demographic and insurance information is correct and will update the MPI with the appropriate information.
  • Accounting for Disclosures: The entity’s HIM Director should determine whether, as result of patient misidentification, protected health information was inappropriately disclosed. If protected health information was inappropriately disclosed, the entity’s HIM department must account for such disclosures in accordance with HIM Policy, Tracking / Accounting of Protected Health Information (PHI) Disclosures.

4.Documentation. A copy of all documentation concerning identity theft or patient misidentification (resulting in incorrect release of information) must be provided to the Chief Quality Officer in her role as Compliance Officer.