Leaking Your Personal Health Information to the WorldPosted: August 22, 2011
In the past 10 years we have become a nation intent on protecting the security and privacy of our citizens. To ensure the safety of citizens’ healthcare information, Congress has passed and imposed great quantities of legislation, including the HIPAA Privacy and Security Acts (2002), and the HITECH Act of 2009, which supplements and amplifies HIPAA regulations. But there are serious flaws in all of that legislation (where’s the enforcement?),
Right now I would suggest that one of the biggest threats for full-blown identity theft with all of the potential related security and privacy breaches might be in your doctor’s office.
What happens when you call for an appointment? Do you call a listed office number and speak with staff at the front desk or do you call a different number for the scheduling department? Typically if you are a new patient you are asked for some or all of the following: full name, date of birth, address, social security number, and insurance coverage information, including group and individual identification numbers.
Do you know who’s asking? Where is the scheduling department? Is it in a room adjacent to the front desk in the doctor’s clinic? Or is it in a building in Pakistan? in China? in Costa Rica? And if the person to whom you are turning over every piece of information that could be used to build a new identity does not speak English well, or has a discernible accent, do you ask where they are located? Will they tell you the truth if you ask?
“Wait, ” you might say, “I called a local phone number. So it has to be my doctor’s office down on Main Street, right?”
Uhhmmmmm, no! Ever hear of VoIP technology? VoIP (Voice over Internet Protocol) uses TCP/IP (Transmission Control Protocol over Internet Protocol). This defines a protocol that can do routing and is a transport layer protocol, as is UDP,a lightweight transport layer protocol. These transport layer protocols are routinely used with VoIP and can route your call from your home to a phone in China (with a lot of hops in between). It looks like the number you are dialing is a local number and it is treated as a local number for billing purposes, but in fact it is routed out of country.
You make calls like this more than you might realize. Many credit card operations have off-shore offices. A lot of hotels maintain off-shore scheduling operations. Earlier this year I called to make a reservation with a big-name U.S. hotel chain in Florida, using an 800 number from their website. The young man who answered, while impeccably well-mannered, had a difficult time understanding my requests for adjoining rooms and a refrigerator. I was frustrated because I could not understand him, either. When he asked for my credit card information, I balked.
I asked where he was located. He replied, “Off-site.”
I asked again. Same answer.
I then said, “So what country are you in?” Long pause, then, finally, “Southeast Asia.”
That didn’t exactly pinpoint the geographic location, but it told me what I suspected – my credit card information was being handled by someone outside the United States and technically beyond the reach of U.S. law. I sucked it up and gave him what was required to hold the reservation. He had my name, address, phone number and credit card number, including expiration date and 3-digit security code. I had a hotel reservation and whatever fraud protection my credit card company offers. I could hope that the hotel chain was prominent enough to take the security of its clients seriously. But I had no guarantees.
Well, if you are a patient at a medical clinic, hospital or any medical facility that has chosen to outsource medical billing activities to an offshore company, you may also have no guarantees.
Think about it for a long moment. Medical billing activities normally require access to most (or all) of a patient’s personal information. Identity thieves will pay dearly for access to that information. And while offshore companies are required to sign a HIPAA business partner agreement with your healthcare provider, neither you nor your doctor can know with any assurance if that is enforced. More importantly, if it is not, who’s going to know? And what are the consequences?
HIPAA and the HITECH Act are U.S. laws. They are not easily enforceable in India or China or Central America. And if you are suddenly thrown into the nightmare of true identity theft, you might never suspect how and where your information was obtained. If a medical facility denies off-shore outsourcing activity, you have nothing. There is no law against offshore outsourcing. There is no law requiring disclosure of such activity. But outsourcing personal health information – as it turns out – is a very dirty little secret. Large companies that purport to provide off-shore outsourcing solutions will advertise that they have capable teams of employees who have excellent verbal and written communication skills. But very rarely will they publicize where those employees actually reside and work. Smaller operations – some of them owned or financed by doctors themselves to do work for their own clinic operations – keep their outsourcing information private. In some instances employees (including employed providers) are only vaguely aware of the scope of the operations. In most instances state-side employees are “strongly advised” (or out-right forbidden) to disclose these arrangements to patients.
What can you do to protect yourself?
- Know the various components of medical billing and what information is required by someone performing that function.
- Ask your doctor, the front desk and scheduling personnel where they are located (if you don’t know them). They have no obligation to tell you the truth and have probably been given a script to cover the deception. But at least ask.
- Inform your congressional representatives about the issue. I am not one to endorse more legislation, but it is puzzling that the basic protection of full disclosure is not available even to Medicare participants.
To help, the following is a comprehensive list of medical billing functions and what personal health information (PHI) may be needed to do the job (risk assessments – green light = safe, red light = high risk – are based on personal opinion; feel free to make your own assessment).
Medical Transcription (definitely a green light). More commonly known post 20th-century as clinical documentation, this process has been outsourced globally for years. It is extremely well-suited to outsourcing and carries no more risk than outsourcing to a U.S. company. Typically transcriptionists and auditors have only dictation and an identifier number or code. Linkage to the patient’s medical records and all PHI is done at the medical facility once the transcription is returned completed.
Payment Posting. (yellow light, turning red quickly). In most outsource situations, the patient or insurance company mails the check to the doctor’s office or to a P. O. Box. Checks are batched, scanned, then deposited. Scanned images of checks are sent electronically to outsource site. Electronic payment information (explanation of benefits with electronic check information) may be acquired by outsource agents directly from intermediary website. Agents entering payments typically have full access to patient accounts and PHI. Additionally, those agents obviously have access to your bank name, location, account number and routing number. If you have paid by credit card and the original information is transmitted to them, they have hit the information lottery.
Scheduling. (red light!) Scheduling personal typically have access to the demographic screen or section in a medical billing system. The demographic screen may include name, date of birth, sex, marital status, address, all phone numbers, email address, social security number, employer name, address and phone number, your insurance company and plan information, including group number, insurance i.d., etc. Depending on the medical billing system used, this screen may link to all members of your family who are also patients of record. Demographic information for children will include full information for both parents and/or guardians. If scheduling agents have some insurance verification duties, they may also have access to all of the information stored in your insurance company’s web-accessible files. Access to these files is gained utilizing the tax i.d. number of the medical provider or facility.
Data Entry. (red light, obviously). Data entry personnel will enter, verify and update your PHI every time you access the medical facility. They have everything scheduling has, including insurance web access to verify insurance information as deemed necessary.
Charge Entry. (red light). It is anticipated in the industry that charge entry positions will morph into charge auditing positions as the EHR (electronic health records) mandate is implemented. In the interim, if charge entry functions are outsourced, the person doing that entry probably has access to most of your PHI. Some charge codes depend on age or sex, and some procedures require prior authorization or referral codes to be attached as they are coded.
Statements. (green light). Patient statements for large medical facilities are normally generated and sent by a third-party vendor. “Sending statements” involves generating and uploading a file. Most of the time this is done automatically by a computer program that is tasked to run during non-working hours.
Claims. (red light). Most initial patient claims to insurance companies (including Medicare) are sent electronically. Files are generated, compiled and sent through a third-part vendor (intermediary). This activity is hands-off and electronic. However, after files are sent, any claim rejections must be researched, corrected and re-sent. The people charged with that research and correction have access to all of your PHI. Claims that have not been paid and are being re-filed, or claims that have been denied and are being appealed, may be sent as paper forms. This is usually a function of a collection team; however, the staff tasked with this job also has full access to patient PHI.
Collections. (red light). Medical collections can mean anything from followup calls and letters to patients who have owed money for longer than 30 days to research and review of medical records in order to file appeals for denied services. Medical collectors deal with insurance companies and patients. They push insurance companies to pay claims. They work with patients to help them understand their bills. They typically interface with every department in the medical facility to get information for retro-active authorizations, track down referral information to attach to claims and get provider documentation to determine the viability of an appeal. A medical collector has access to everything they need to get the job done quickly and competently. That includes all of your PHI and all records that are web-available from your insurer.
IT Services. (non-blinking, solid red light). Computers don’t run themselves. Every medical office, large or small, relies more and more on whatever practice management system they are running. Computer expertise, whether it is IT or IS, is expensive; however, like everything else it is cheaper in a country like India or Thailand. Just be aware that help desk personnel tasked with helping clinic staff have access to every piece of information held on the company servers (which might also be located offshore). And don’t be comforted with talk of “limited access.” Any computer nerd worth his bytes can do a workaround, and many project managers don’t have the actual computing skills to detect it. Could a breach happen in the U.S? Of course! But risk management in the states includes some teeth, and identity theft of medical information is going to buy you some real jail time. Not so offshore. Especially if nobody realizes or admits where information is leaking.
Outsourcing medical billing is a common practice in the U.S. Medical billing offices generally offer economies of scale and a high level of specialized expertise. A physician or medical group can focus on treating patients and keeping up with medical developments in their field, placing their revenue cycle management with skilled professionals. Billing employees in these companies are normally appropriately bonded. HIPAA and HITECH regulations are carefully enforced. Billing experts watch for coding errors, coding that conforms to clinical guidelnes, and incorrect application of Medicare policies such as “incident to,” locums tenens, modifiers and the like. Billing personnel who are doing collections will most likely identify themselves as “Dr. Smith’s Billing Office,” but will give you the name of their company and their address if asked. Billing managers in the United States are well aware that they may be liable along with providers if fraud is charged.
Owners and managers of offshore billing companies clearly understand the threat to confidential information inherent in their operations. The lack of forthright disclosure by medical facilities and providers engaged in offshore outsourcing implies that they are aware that public reaction would be unfavorable. This might also be construed to imply that they are aware that the odds are against quality risk mitigation under these conditions.
An economy heading south and increasing government regulations certainly explain why a medical manager might find it enticing to pay only $5.00 per scheduler instead of the stateside average of $13 to $15, plus benefits. An added bonus is an inviting tax structure in foreign countries. Some countries currently offer foreign investors no taxes on business profits so long as those profits are re-invested in the host country. This is most probably the benefit that entices some doctors to fund off-shore companies to do billing for their U.S. clinics – profits can be re-invested in what may become retirement homes and income-producing properties. And profits could potentially be increased in the foreign country and decreased at home by adding management burdens to invoices for billing services. Often these enterprises are jointly owned and operated by a physician (or group of physicians) and non-physician managers. What is sometimes overlooked in this equation is that the medical practice in the United States is not a joint operation and is not the same operation.
In most states in the U.S. a medical practice can only be owned by a licensed physician. Physicians work long, hard hours at a job that is inherently stressful. A physician practice owner should not be constrained from profiting from his/her education and work. However, the responsibility for transparency to employees (including other providers), to insurance partners and to patients would seem obvious. A failure to make full disclosure to patients of where their personal health information goes for processing seems unprincipled.
How can patients protect themselves? Ask questions. Be skeptical. Call your congressman. And call your insurance company. Insurance companies credential affiliated (network) physicians about once every two years. It is interesting that they ask what foreign languages a physician speaks, but fail to ask what foreign country he/she may be funneling patient information to. If you discover that your PHI is being processed outside the U.S., be reasonable. Ask for a written disclosure listing which specific processes are being outsourced, and what personal information is being accessed to perform those tasks. Use the list included in this post and insist on specifics. Ask if the provider’s malpractice company is aware of this situation. Inform your insurance company if the provider is part of the insurance network. If you are a Medicare patient, let CMS know how you feel about it.
Globalization is here to stay and is not inherently a bad thing. Some processes such as clinical documentation lend themselves well to global outsourcing. Personal patient data is not at risk of being compromised. Other processes raise major questions involving the jeopardy to individuals if information is compromised and the apparent inability of U.S. law enforcement to define, discover and address such a threat.