By Diane Palombi, OD
August 21, 2019
In the age of digital payment processing and electronic records, identity theft could easily happen to you, or to your patients via their interaction with your office.
Several experiences from my own life have shown me the importance of taking precautions to protect yourself–and all those you do business with.
When I opened my practice in 2000, I had no computers, no electronic health records and a credit-card machine that I didn’t worry about. I had been raised in a time that had the manual credit-card machine that impressed your credit card leaving three paper copies plus the carbons. Bank statements had your full account number on them, and so did your credit-card statements. The early credit-card machines gave you a receipt with your full credit-card number on it. Ironically, we did not have many problems then with security breaches.
Then personal computing came out and the game changed. Personal data suddenly became more accessible to everyone, including those who would use it to gain access to your personal finances.
It’s Easy for Breaches to Occur
My local grocery store got hacked, requiring me to be issued a new credit card. I was lucky. My son-in-law had his debit-card information stolen, along with his money. It took months for him to recoup his losses.
I was also an ARBO data-breach victim. After two fraudulent Amazon credit-card attempts in six months, I ended up doing a seven-year credit freeze. Fortunately, thanks to my accountant also being hacked, I had credit monitoring at the time, so the fraud was caught immediately, and no damage was done. However, I had to file a police report and contact many government agencies, which was no picnic.
For over a decade I have been plagued by my identity being merged with another person. I don’t know 100 percent how it happened. Supposedly she was accidentally merged by a credit-reporting agency with me.
Unfortunately, she was not a good addition to my credit history. She owed many creditors, had judgements against her and even wrote bad checks. I got her removed from all three credit-reporting agencies only to have her pop up again a few years later.
It was scary how much information I could obtain on her from the credit report. Besides all the bad credit accounts, I had several of her Social Security numbers available to me. In addition, all her addresses, phone numbers, places of employment and judgements were merged with my information.
I started getting letters from the IRS that were addressed to her. It turns out that she owed Social Security money. I sent the letters back marked “wrong address.” However, the government is not easily deterred. Their next step was to order an audit on myself and my practice.
I live in the St. Louis, Mo., region and the audit was to be in Kansas City, where she resides. I discovered that I could request a change of venue, so upon speaking with an IRS official about this matter, I managed to get out of the audit. They wanted this person, and I made them understand that we were two different people.
My knowledge of HIPAA helped me out. I asked if the other person was the reason for the audit. The IRS official said that she could not divulge that information. That led me to explain that I understood privacy concerns because I am an optometrist and am familiar with HIPAA. We then got to talking, which ultimately ended up with her cancelling my audit.
I finally thought that I was rid of her when I learned that my identity was still merged with hers on sites like White Pages and Spokeo. Company representatives said they could not excise her information from mine like the credit agencies had done.
All I could do was totally remove my information from their sites, but there is no guarantee that my information won’t pop up again merged with hers. I may be stuck with this person for the rest of my life.
When I was at the police station filing my ARBO data breach report, I took the additional step of having a personal identity security word issued. I was fearful that if I was ever pulled over, and there was an outstanding warrant on the other person, I could get arrested. This word identifies that I am myself. It is taken seriously. I went on a cruise for my 60th birthday. When I arrived back in the U.S., I was pulled aside by immigration officials, and taken to the front of the passport-control line where I had to give them my security word.
New Dangers = New Need for Enhanced Data Security
To avoid your patients experiencing the same difficulties I experienced, and to avoid having your practice become liable for HIPAA violations, we must be careful in how we store and handle patient information, whether it be their credit information, health-insurance information or personal health record. You do not want to be responsible for their information ending up in the wrong hands.
From the ROB article, “Key Steps to Increasing Your HIPAA Compliance”:
• Make sure that every computer in your office has a password that is required for log in, and that passwords are not shared, unless absolutely necessary. Many passwords, such as those used to log in for insurance verification, have to be shared. Employees should be trained on the importance, and consequences to them personally, of sharing those passwords with anyone outside of the practice staff.
• Set computers to lock out after a few minutes of inactivity, and require a password to log back in.
• Train employees to lock computers after walking away every time.
• Cross-shred all paperwork that has protected health information (PHI) instead of throwing it into the trash.
• Have patients sign a release waiver before providers discuss medical information with anyone not directly involved with their care.
• Don’t discuss any protected health information in public spaces.
Diane Palombi, OD, retired now, is the former owner of Palombi Vision Center in Wentzville, Mo. To contact her: firstname.lastname@example.org