Deliberately impersonating a patient is less common than other forms of identity theft but there have been reports of it in Australia. Why does it occur and how can practices mitigate this type of fraud?
Lack of access to affordable healthcare has been known to contribute to cases of impersonation in the US. In such cases, individuals may adopt a false identity to access healthcare or devices they cannot afford or prefer not to pay for.
In Australia, identity theft in healthcare often involves individuals stealing patient information to submit fraudulent insurance claims, obtain medical treatment, prescription medications or government benefits.
Motivations for impersonations or identity theft in healthcare may include:
• access treatments an individual has been refused, or fear they would be ineligible for
• avoid stigma if they fear a condition could affect their insurance, reputation, or professional opportunities
• access personal information about the real patient to cause them further harm.
“While frauds may be elaborate and hard to detect, they can simply involve individuals taking advantage of busy practices and insufficient identity checks.”
Implications of identity fraud
Whatever the impersonator’s reasoning, these frauds can harm both the person whose identity they stole and the practice involved. Consequences can include:
Financial harm – fraud victims in the US have faced medical bills totalling hundreds of thousands of dollars and endure years disputing debt collection and restoring credit ratings. Practices may also face financial losses if required to reimburse insurers or patients and could become subject to audits and penalties.
Privacy breaches – if health providers are misled into sharing personal information, patients can be put at risk. For example, angry former partners have used fraud to locate a patient’s address. Practices involved in such breaches may face penalties under privacy laws, reputational damage and legal liabilities.
Health risks – fraud could mean someone’s medical history is inaccurate and now includes information about the imposter. Victims of medical identity theft report experiencing misdiagnosis, treatment delays and even discrimination. Details including allergies or blood type could be incorrect and could lead to the patient themselves receiving inappropriate treatment or medication.
Minimising risk
While frauds may be elaborate and hard to detect, they can simply involve individuals taking advantage of busy practices and insufficient identity checks.
Reviewing your privacy and security processes may help avert a fraud.
Check you have clear processes for identifying patients and ideally use three approved patient identifiers (e.g. full name, date of birth and address). Remind staff why they need to confirm a patient’s identity at each visit.
Where family members share a Medicare or private health insurance card, check you are using the correct patient ID number on the card. This will help prevent honest mistakes as well as deception.
Check your processes for communicating with patients electronically to ensure you do not accidentally disclose information that could be used by an impostor. For more information Avant’s has developed a factsheet on email communication with patients.
Make sure staff consider patient privacy at the front desk and do not inadvertently disclose identifying information where it could be read or overheard.
Responding to identity fraud
Victims of identity theft can face years of work and anxiety to have their medical records cleared of their impostor’s information. If you become aware a patient’s records have been compromised, you will usually need to:
• Copy any of the impostor’s information into a new ‘unknown patient’ record.
In this case it would be appropriate to delete inaccurate information in the real patient’s record after transferring it to the ‘unknown patient’ record or other location. Add a note explaining what happened. For more information see Avant’s resources on correcting records.
• Notify the real patient as appropriate if they are unaware of the issue, and keep them informed.
• Contact any other providers if you have provided reports or referrals. Also cancel any prescriptions and follow the procedures for reporting prescription fraud in your state.
• Contact Medicare. You may also have to reverse the billing for the consultation.
Private health insurers may also need to be notified, as the practice may need to reverse any claims submitted for the impersonator’s treatment. Failure to do so could result in penalties or further audits.
• Consider whether you also notify the Office of the Australian Information Commissioner (OAIC) and/or contact police. For further information see Avant’s resources on Responding to a data breach.
Addressing identity fraud not only supports your patients but also demonstrates your commitment as an individual practitioner and as a practice to safeguarding personal and health information and ensuring compliance with legal requirements.
Always prioritise your team’s personal safety. Evaluate the situation and consider carefully before directly confronting the imposter.
About the Author: Dr Victoria Phan (BMedMD MClinUS DCH FPAA National Cert FRACGP) is a risk adviser at Avant.
More reading
A chance for Australian ophthalmic practice managers to level up
How to handle patient complaints
Advertising standards: Questions to ask yourself
