Walking into the doctor’s office, I was surprised to see a new sign in front of the receptionist, which read:
“Red Flag Identity Theft Rule We are now required by law to ask for a Photo ID at the time of each visit. Please have your Photo ID ready for the receptionist to scan.”
As an avid bicyclist, I wasn’t carrying a driver’s license.
“I’m sorry, we’ll have to reschedule you,” said the receptionist. “We need to scan your ID before we can see you. It’s a new law.”
She looked me in the eye and said, “Sorry. I suggest you get a photo ID. You need to have one to be seen.”
“What if I’m paying for my own visit, and not using health insurance?”
“We need to scan your ID and have it in your file or we can’t see you.”
“I don’t think it’s right to deny care to patients who don’t have a Photo ID,” I said.
“Well, I can talk to my supervisor,” she said. “But I think you’re going to have to reschedule.”
As I waited, I watched the receptionist take another patient’s driver’s license and walk off into a back room. Apparently, in order to comply with the “Red Flag Identity Theft Rule,” the doctor’s office now scans a copy of every patient’s driver’s license and stores it in their computer systems.
How secure are my doctor’s computer systems? Patients don’t have the right to know. Doctor’s offices, hospitals and even health insurance companies get infected with viruses, worms and spyware all the time. These are generally not reported as patient data breaches, because they are far too common.
Just in the past few weeks, there have been news reports of patient data thefts from UC Berkely Health Service, Virginia Prescription Monitoring Program and Memorial Medical Center. The vast majority of breaches never get reported or even detected, however, because tiny little health care clinics and hospitals all over the country have neither the resources nor the incentives to institute appropriate detection measures.
And now they want to store a high-resolution copy of my driver’s license on top of everything else? What is this “Red Flags Identity Theft Rule,” anyway?
The Red Flags Rules are a collection of new Federal Trade Commission regulations aimed at reducing the risk of identity theft. The American Medical Association and dozens of other medical societies “have protested the FTC’s decision to apply the Red Flags rule to medical practices and other health care providers.”
Why on earth does the Federal Trade Commission affect who my doctor treats?
According to the FTC, “Health care providers may be subject to the Rule if they are ‘creditors.’ Although you may not think of your practice as a ‘creditor’ in the traditional sense of a bank or mortgage company, the law defines ‘creditor’ to include any entity that regularly defers payments for goods or services or arranges for the extension of credit. For example, you are a creditor if you regularly bill patients after the completion of services, including for the remainder of medical fees not reimbursed by insurance.”
The FTC requires “each financial institution or creditor to develop and implement a written Identity Theft Prevention Program (Program) to detect, prevent, and mitigate identity theft in connection with the opening of certain accounts or certain existing accounts.” Although the Red Flags Rules do not explicitly require doctor’s offices to make copies of patient identification, they are often implemented this way.
Ironically, spreading more private information around– such as high-resolution copies of driver’s licenses- increases patients’ risk of identity theft. As a 2008 World Privacy Forum report explained:
“When patients are, for example, asked for a drivers’ license when checking in to hospitals for surgery, the license itself may be copied or scanned and added into the actual patient file. This can give hospital insiders with criminal tendencies access to a treasure trove of photographic, biometric, and other information that may have been unavailable to them before. The result can be more identity theft (medical and otherwise).
“…Just because customer identity proofing is commonplace in the financial sector does not mean that it has translated perfectly or even well to the health care sector. The two sectors have different regulatory requirements, approaches to access points, security, and information flows. Banks and health care providers also have different competencies, staffing capacities, training, and in many cases even procedures when it comes to reviewing and managing customer identification documents.”
Everyone should have access to medical care– not just people who have registered with the government and obtained a photo ID. Furthermore, patients should have the right to health care without being forced to give up control of our personal information. As a patient, I don’t really want a copy of my Photo ID stored on a crappy unpatched Windows box at my doctor’s office. Today’s patients do not even have the right to know how well doctor’s offices and hospitals are secured, even in the face of constant reports of medical data breaches. That’s sick.
|PGP-signed text: 2009-05-28 (current)|