Monday, September 21, 2009

Red flags at the doctor's office

It seems that the rampant, misguided identity theft prevention efforts have finally reached the doctor's office. I recently went in to the doctor I've seen a dozen times and was surprised to hear they now required my driver's license to verify my identity. After disillusioning myself that they would know who I was after all this time, I surrendered my license and watched them scan it. The receptionist apologized and said she didn't really know why they were doing this now. She guessed it was probably "a HIPAA thing."

Since this sounded like a total guess, I looked into it. Sure enough, it's not. The FTC has passed down the Red Flags Rule mandating several requirements health care organizations must now do to "fight identity theft." The basic gist is the office must verify the patient is the same person that is on file. While scanning the driver's license is NOT specifically required, it is a common way many offices are interpreting the requirements.

So if it's not explicitly required, can you opt out of this protection? Reports are mixed, and it isn't simple. Security expert Jennifer Jabbusch tweeted her experiences recently and finally convinced the office that she would not agree to a scan of her license on file. Other people have reported doctors refusing them services. Sherri Davidoff wrote a great post at exploring the problems this mandate will give to people that don't drive, the elderly, and children.

So why is the FTC so misguided? A chat with my doctor about their security strategy tells me everything. They are using out of the box Vista anti-virus and no wireless network. It was a short conversation. Can we expect more from private health care offices? What security measures would be sufficient to protect the drivers license images? It is apparent that the FTC has pushed more responsibility on the private practice than they are willing or able to be responsible for. Instead they have sweetened the pot by creating a very attractive target of driver's license info tied to medical info. By storing this information, they may prevent some identity theft in the office, but they are actually encouraging identity theft in other places.


CrazyDave said...

I had a similar experience at my Dr's Office when they "required" a photo to be taken (which I refused). They didn't refuse me service, however.

...It sounds like a recipie for disaster

LonerVamp said...

This certainly sounds irresponsible to be scanning (and probably storing!) ID card strips. The guidelines on the rule seem to imply heavily that a visual look at the card by a receptionist should be enough.

Bugbear said...

I had a similar experience recently during a visit to my doctor. Irony is, they did not ask me for my ID when I stopped by to grab a copy of my sons medical records two weeks later. Spoke to my wife about my experience (she works in health insurance) and she thought it most likely had to do more with insurance fraud than anything else.

Just my two cents.


Mike said...

This is nothing new for me. I have had a photocopy of my drivers license taken at every new medical clinic I have gone to in the 20 years or so. I assumed it was required by the insurance company.

Mike said...

I have had the same experience for the last 20 years of so. It seems that every new clinic I went to, wanted to photocopy my drivers license. I assumed that it was required by the insurance companies.

Sergey Zak said...

I believe the best ID would be an electronic passport, which you would have to open, for it to be scanned (say, a foil cover preventing RF emissions to reach a chip inside). A small photo would transfer into scanner along with your name and receptionist would be able to positively identify you.
Then we could reach the level of security the same as ... common key.
It's quite strange we're still not there, despite all hype.

Anonymous said...

I refuse to allow anyone to photocopy my license--they try that at some hotels. Most medical office receptionist don't know the legal basis for their request--because there is none. If a doctor refuses service for that reason, he has an ethics complaint in the mail the same day (Medical Board). One smart doctor I know takes photos of his patients for their file--that's all they need. Taking on storage of state documents raises the level of exposure for lawsuits if a case of identity theft should occur.

Anonymous said...

I like your idea, one I'd card with chip for all info
No paper, passport, health card, drivers licence
All with a photo I'd, it is to simple the Goverment wouldn't make money
Goverment & most people want to stay in the horse & buggy no change mode
Start a movement to get one card implemented

MDGUY said...

I live in Maryland and today 10/15 I saw my doctor and the lady asked for my drivers license. I didn't ask why, I just gave it to her. She didn't scan it, she typed in my driver license ID number.

In my opinion, I don't think this has anything to do with Identity theft at all. I believe it has something to do with the prescription drug monitoring program (PDMP). In MD, VA, PA & WV when you are prescribed a controlled substances such as hydrocodone), oxycodone pain medication mainly is what this program is for. When you are at the pharmacy in these states you have to show your ID before picking them up, they then type in your driver ID and what medication your picking up. From there your information goes into a database for all the major pharmacies to see. This programs purpose is to catch the folks who have more than one doctor, and getting narcotic meds from both or you get your narcotic meds from your family doctor then drive to another state to the ER and get another narcotic medication so if you try to fill both it will flag the pharmacist not to fill it, then this information goes back to your doctor. The data base is now live in VA,WV,MD & PA. So don't try to do it. I asked the Pharmacist one day why they were asking for our ID when picking up medications, she said they wanted to know it was actually you who was picking it up LOL, so I already knew it was a lie and they are not suppose to tell there customers there doing this. Also, if you do it Law Officials could get involved. So stick by the rules.