Watch an episode of SVU, Law & Order or CSI on TV, and you're bound to hear about doctor-patient confidentiality in hushed, almost reverent terms. Go to a new doctor's office and, amidst all the other paperwork, you'll be asked to sign a form enumerating your federally-mandated medical privacy rights. Call a hospital to check in on a friend and you're likely to hear that those rights prevent them from connecting your call.
So then why is medical identity theft one of the most common forms of identity theft and growing?
It's partially because, like many small businesses, doctor's offices often don't understand best practices when it comes to protecting the information they keep on their patients, and their record-keeping is often based on antiquated forms and methods of documentation that are long past their prime.
For instance, I recently made an appointment with a new, highly recommended physician whose staff immediately emailed me a new patient information form to fill out... and they suggested that I return it to a Hotmail account! I was dumbfounded that they would even recommend email -- which is transmitted in plain text (with a few exceptions) and easily intercepted -- to pass along my entire medical history.
Worse yet, most people don't know how dangerous it is to email this kind of personal information, or that you don't just have to hand over all the information that a doctor requests. So what are some of the things they ask for that they don't need to know?
1. Your Social Security Number
It used to be that your Social Security number was also your health insurance ID number (and, for those readers who use Medicare, it still is for the foreseeable future). But the vast majority of health care providers have changed that. So why do doctors still ask you for your SSN? Because the forms still list it, they're used to asking for it, because "it's what they've always done." But that's no reason for you to simply give it up. Leave it blank.
2. Family Members' Social Security Numbers
If they don't need your Social, doctors definitely don't need the SSNs of your minor children or your spouse. The more ways there are to find this information, the easier it is for that information to be lost or stolen, and child identity theft is itself a large and growing problem because their profiles are usually pristine and unlikely to be legally accessed until the age of 17.
A child's identity can be stolen and used for years before it is ever noticed. Remember how difficult it was for you to establish good credit when you were just starting out as a recent high school graduate? Now imagine that with years of bad credit to erase, all of which happened while your child was studying algebra.
3. Your Email Address
Yes, it's quite convenient to communicate via email but, as we've all learned from countless health care breach stories in the past year, it's also a very convenient way for others to eavesdrop on our correspondence or steal our identities.
If you want to keep your medical information private (and you do), then don't even give the doctor the option to communicate in this way with you. They may set up a secure portal where you can log in to see your test results, but they should never email your test results or other personal health information to you.
4. Any Financial Information Not Used to Pay Your Immediate Bill
There's absolutely no need for a doctor's office to keep your credit card on file. If someone in the front office asks if you'd like for them to file this information, politely decline. They may also ask to write your driver's license number on your check in order to help them collect if your check bounces; ask them if they can use another means of verification (one that isn't your SSN or other sensitive info).
Doctors are bound by the Hippocratic Oath to first do no harm and while they may be very good, or even the best, at what they do, the continuing parade of breach announcements in the health care area is a clear indication that many haven't a clue when it comes to information security. All the laws in the world, even the most vigorous enforcement of those laws, cannot supplant our individual responsibility for self-protection. Our identities are our assets and it is incumbent upon each of us to trust less and be covetous of our personal identifying information. Just because someone is trained to save a life doesn't mean they can't innocently put it in harm's way.