Monday, September 21, 2009

Red flags at the doctor's office


It seems that the rampant, misguided identity theft prevention efforts have finally reached the doctor's office. I recently went in to the doctor I've seen a dozen times and was surprised to hear they now required my driver's license to verify my identity. After being disabused of the notion that they would know who I was after all this time, I surrendered my license and watched them scan it. The receptionist apologized and said she didn't really know why they were doing this now. She guessed it was probably "a HIPAA thing."

Since this sounded like a total guess, I looked into it. Sure enough, it's not. The FTC has passed down the Red Flags Rule, which imposes several requirements on health care organizations to "fight identity theft." The basic gist is that the office must verify that the patient is the same person who is on file. While scanning the driver's license is NOT specifically required, it is a common way many offices are interpreting the requirements.

So if it's not explicitly required, can you opt out of this protection? Reports are mixed, and it isn't simple. Security expert Jennifer Jabbusch tweeted her experiences recently and finally convinced the office that she would not agree to a scan of her license on file. Other people have reported doctors refusing them services. Sherri Davidoff wrote a great post at http://philosecurity.org exploring the problems this mandate will cause for people who don't drive, the elderly, and children.

So why is the FTC so misguided? A chat with my doctor about their security strategy tells me everything. They are using out-of-the-box Vista anti-virus and no wireless network. It was a short conversation. Can we expect more from private health care offices? What security measures would be sufficient to protect the driver's license images? It is apparent that the FTC has pushed more responsibility on the private practice than they are willing or able to be responsible for. Instead they have sweetened the pot by creating a very attractive target of driver's license info tied to medical info. By storing this information, they may prevent some identity theft in the office, but they are actually encouraging identity theft in other places.

11 comments:

CrazyDave said...

I had a similar experience at my Dr's Office when they "required" a photo to be taken (which I refused). They didn't refuse me service, however.

...It sounds like a recipe for disaster

Unknown said...

This certainly sounds irresponsible to be scanning (and probably storing!) ID card strips. The guidelines on the rule seem to imply heavily that a visual look at the card by a receptionist should be enough.

Bugbear said...

I had a similar experience recently during a visit to my doctor. Irony is, they did not ask me for my ID when I stopped by to grab a copy of my son's medical records two weeks later. Spoke to my wife about my experience (she works in health insurance) and she thought it most likely had to do more with insurance fraud than anything else.

Just my two cents.

bugbear

Mike said...

This is nothing new for me. I have had a photocopy of my driver's license taken at every new medical clinic I have gone to in the last 20 years or so. I assumed it was required by the insurance company.

Mike said...

I have had the same experience for the last 20 years or so. It seems that every new clinic I went to wanted to photocopy my driver's license. I assumed that it was required by the insurance companies.

Sergey Zak said...

I believe the best ID would be an electronic passport, which you would have to open for it to be scanned (say, a foil cover preventing RF emissions from reaching a chip inside). A small photo would transfer into the scanner along with your name, and the receptionist would be able to positively identify you.
Then we could reach the level of security the same as ... common key.
It's quite strange we're still not there, despite all the hype.

Anonymous said...

I refuse to allow anyone to photocopy my license--they try that at some hotels. Most medical office receptionists don't know the legal basis for their request--because there is none. If a doctor refuses service for that reason, he has an ethics complaint in the mail the same day (Medical Board). One smart doctor I know takes photos of his patients for their file--that's all they need. Taking on storage of state documents raises the level of exposure for lawsuits if a case of identity theft should occur.

Anonymous said...

I like your idea, one ID card with chip for all info
No paper, passport, health card, driver's licence
All with a photo ID, it is too simple the Government wouldn't make money
Government & most people want to stay in the horse & buggy no change mode
Start a movement to get one card implemented

mark edward marchiafava said...

NO doctor here will treat me without a driver's license.
NOTE: I am a SELF PAY patient, NO insurance involved