It seems that the rampant, misguided identity theft prevention efforts have finally reached the doctor's office. I recently went in to the doctor I've seen a dozen times and was surprised to hear they now required my driver's license to verify my identity. After disillusioning myself that they would know who I was after all this time, I surrendered my license and watched them scan it. The receptionist apologized and said she didn't really know why they were doing this now. She guessed it was probably "a HIPAA thing."
Since this sounded like a total guess, I looked into it. Sure enough, it's not. The FTC has passed down the Red Flags Rule mandating several requirements health care organizations must now do to "fight identity theft." The basic gist is the office must verify the patient is the same person that is on file. While scanning the driver's license is NOT specifically required, it is a common way many offices are interpreting the requirements.
So if it's not explicitly required, can you opt out of this protection? Reports are mixed, and it isn't simple. Security expert Jennifer Jabbusch tweeted her experiences recently and finally convinced the office that she would not agree to a scan of her license on file. Other people have reported doctors refusing them services. Sherri Davidoff wrote a great post at http://philosecurity.org exploring the problems this mandate will give to people that don't drive, the elderly, and children.
So why is the FTC so misguided? A chat with my doctor about their security strategy tells me everything. They are using out of the box Vista anti-virus and no wireless network. It was a short conversation. Can we expect more from private health care offices? What security measures would be sufficient to protect the drivers license images? It is apparent that the FTC has pushed more responsibility on the private practice than they are willing or able to be responsible for. Instead they have sweetened the pot by creating a very attractive target of driver's license info tied to medical info. By storing this information, they may prevent some identity theft in the office, but they are actually encouraging identity theft in other places.
