Protecting Against Medical Identity Theft

Since the implementation of National Provider Identifiers (NPIs) by the Centers for Medicare and Medicaid Services (CMS), billing processes have been simplified and streamlined. The unique ten-digit identifier codes assigned to physicians and other healthcare providers by the US Department of Health and Human Services have now become a part of the majority of electronic health information being transmitted and are used in a variety of circumstances, including authentication, process control, individual claims, contracts, agreements, and more. Although the use of NPIs has improved efficiency and eased burdensome processes, their existence poses a potential threat of identity theft and medical fraud.

As evidenced in the case of six physicians, who faced financial disaster after a criminal stole their identities, NPIs can be the foundation for criminal activity, according to a recent Medscape report. Miguel de Paula Arias, a con man in Florida, stole the identities of six retired or semi-retired physicians, running a Medicare fraud scam of $1.6 million over 5 years. Throughout this time, doctors received bills from Internal Revenue Service for unpaid taxes and from Medicare for repayment of fraudulent claims. He was caught in 2017 and sentenced to 13 years in prison, however, the financial and legal repercussions for the physicians could have been detrimental.

The theft would not have been possible had Arias not obtained the physician’s NPIs. The frequent use of NPIs, especially when they are electronically transmitted, constitutes a danger for physicians, who need to take adequate steps to protect themselves. In most cases, physicians are unaware that their NPI is being used by an impersonator and could face legal repercussions or be held liable.

Public Availability of NPIs

Many physicians are unaware of how easily obtainable their NPI is, Zenobia Harris Bivens, a Houston-based attorney who defends Medicare fraud cases told Medscape in an interview. “They need to be more aware of what an NPI is and why it’s so important. Once people realize how important it is, they can be more vigilant about who they share it with,” she added.

Locating and misappropriating a physician’s NPI does not require advanced hacking or breaking into secure databases; the identification numbers are easily available and are included in most digital communications among practices as well as from the Centers for Medicare and Medicaid Services, laboratories, insurance companies, and other healthcare organizations. Some physicians even have their NPIs printed on their prescription pads.

Furthermore, anyone can enter a physician’s name into the public CMS registry and instantly have access to not only their NPI, but other data as well, such as NPI status, enumeration date and type, mailing and practice addresses, phone numbers, Medicaid IDs, and state license numbers. This publicly available information provides criminals with enough data to commit medical fraud and identity theft, among other crimes. With access to a physician’s NPI and other personal data, criminals can participate in a variety of scams – including the placement of fraudulent orders with Medicare, theft of prescription pads, as well as the delivery of opioids and other controlled substances to false mailing addresses.

Protecting Your NPI

While it is impossible to keep an NPI private – per federal regulations – physicians can take measures to protect themselves against identity theft, medical fraud, and other potential liabilities. Physicians should remain vigilant and aware of the way in which their medical practice uses NPIs. Who are they shared with? While the use of NPIs is required, a practice should avoid using them on documents and transactions where unnecessary. Within a practice, NPIs should only be shared with individuals who need them – such as coders and billers. Physicians should make sure that their practice is using appropriate identifiers and that former employers are not still using their number after they leave. Doctors who stop practicing should notify the CMS to flag their NPI as no longer valid.

Medical practices themselves should have policies in place aimed at preventing and detecting fraud and misuse, such as asking patients to report erroneous or suspicious billing statements. Most notably, both physicians and practices should routinely check Medicare and Medicaid statements for error or suspicious activity and follow up on any discrepancies. Physicians may also want to monitor their credit report for unusual behavior which could indicate their NPI has been compromised.

Although improved security policies may not prevent NPI misuse and identity theft, they can help detect criminal activity and locate its source, as well as any other information that could be valuable in the practice’s defense.

According to experts, NPI fraud is most often conducted by someone within a practice or someone a practice does business with – such as a vendor or laboratory. In certain cases, however, scams are conducted by con artists who take advantage of public access to physicians personal data. It is essential for physicians and practices alike to protect themselves from NPI-related theft and fraud as formal fraud investigations – often accompanied by bad publicity, halted Medicare and Medicaid payments, as well as seized records – can destroy a medical practice or career. While it is not possible for medical professionals to conceal their NPI from the public sphere, it is essential for healthcare practitioners and organizations to recognize the wide, public use of NPIs as a potential threat and pay careful attention to any suspicious activity or alarming discrepancies.