Tom Olzak

Beware Regulatory Hysteria

In Data Security, Government, HIPAA, Policies and Processes, Privacy on June 13, 2009 at 09:18

Regulatory Hysteria: Knee-jerk overreaction to new regulations, often placing individual privacy at risk.

For years, since before HIPAA and SOX, organizations have often overreacted to government mandates.  Some of the blame falls on accountants and security consultants who don’t understand the law, are trying to make a few extra bucks, or are simply covering their own butts. In other cases, organizations simply suffer from what I call regulatory hysteria.  Whatever the reason, overreacting to regulatory requirements can sometimes put customers and employees at greater risk.

Sherri Davidoff writes about a recent incident in which she appears to have been personally involved.  The post, located at philosecurity.org, describes the results of the FACTA and its Red Flag Rules on patient privacy.

Sherri was apparently confronted with a notice of a new requirement to produce a photo ID when she visited her doctor.  Since she didn’t have one, the office staff wouldn’t check her in for her appointment.  While she stood there, Sherri observed staff scanning patients’ driver’s licenses for filing in their computer system.  Sherri was upset both by the inconvenience and by her doctor demanding additional personal information.  Was she justified?  Maybe.

First, the Red Flag Rules are designed to protect us from criminals who seek to steal our identities for financial gain, including using our health insurance.  Health insurance theft is a big and growing problem.  The rules also help ensure someone can’t receive care under your name and have those results placed in your records, with the possible result of you receiving harmful care based on invalid assumptions about your health.  They are a good idea, and Sherri should simply get a photo ID—although there are other ways to verify identity, and the doctor might try to be a little more flexible.

Scanning of licenses or other photo IDs, however, is another matter.  There is no requirement to scan and store proof of identity.  The requirement is to demonstrate documented processes to:

  • Verify a potential patient’s identity
  • Report possible identity theft

This particular case looks like butt-covering rather than reasonable and appropriate compliance with the law.  And even if Sherri did produce a photo ID, how much effort is actually taken by the office staff to verify the ID itself?  What training did the staff receive to help them identify fraudulent documents?  Do they even compare the photo—I mean actually look at it—with the person standing in the reception window?  These are more important considerations than getting a scanned copy of a photo ID.  Finally, does the office staff simply accept verbal confirmation of identity for future visits once a scanned ID is in the system?  I hope their scanner is better than most, or picture quality will be close to worthless.

The other issue Sherri wrote about was her concern about the office potentially storing additional information about her in their computer system.  If the office is HIPAA compliant, and ePHI is protected in accordance with the security rule, this shouldn’t be an issue.  If it isn’t, Sherri has bigger problems than not having a photo ID or having an ID scanned.

My problem with Sherri’s visit is different from hers.  There is apparent compliance with the Red Flag Rules.  However, compliance extends far beyond a simple scan of an ID.  If the office manager simply uses the scans as evidence that an ID was produced without requiring trained employees to follow an actual identity verification process, then there is no compliance—just the appearance of compliance.  I think Sherri should be more concerned with how the office staff verifies her identity during each visit, and whether they are actually compliant with the HIPAA security rule, than whether they require a photo ID.

Hi Tom,

    Excellent points, and thanks for the discussion.

    I just wanted to clarify that I am not “upset that [I] was inconvenienced.” Showing an ID doesn’t take much time or effort. Rather, I feel that the Federal Trade Commission has overstepped its bounds by regulating the doctor’s office.

    Medical privacy has become scarce in today’s world, where private insurers have access to medical records and information is traded and sold in third-party databases. As a person who values my privacy, I do not want doctors collecting a detailed medical profile on me, and then providing that to third parties. Pseudonymous or anonymous treatment should be an option, especially for individuals that pay their own way.

    In our “free country” it seems inappropriate for health care organizations to require that persons be, essentially, registered with the government in order to receive medical treatment. Patients are also at greater risk of identity theft, medical and otherwise, the more identification information is spread around.

    This ties in with your point about apparent compliance. Having seen the insides of many medical-related IT departments, from hospitals to health insurance firms, I can safely say that few if any of these organizations are even close to being actually HIPAA compliant, regardless of whether they’ve passed a superficial audit.

    Americans should have the right to PRIVATE medical treatment, which is not possible in an environment where hospitals are insecurely storing detailed medical records and providing access to third parties. Collecting and storing detailed information about patient identity is the first step in eroding privacy, and places all patients at greater risk of identity theft.
