Reprinted with permission: Orginally published in Report on Patient Privacy - Volume 15, Number 3, March 2015

The name Moda Health, Inc. doesn’t appear on the Office for Civil Rights’ “wall of shame,” where HIPAA covered entities that have suffered a breach affecting 500 or more people are listed.

Nevertheless, Moda, a health plan and benefits manager in the Pacific Northwest with some 2 million customers, was the first in the nation to include among its standard benefits a new kind of protection against misuse of protected health information that may lead to medical identity theft.

In December, Moda began offering a product known as MIDAS, short for “medical identity alert system,” developed and sold by ID Experts, a 12-year-old breach prevention, assessment and mitigation firm based in Portland, Ore.

“Just as good health involves preventive care, we think protecting your medical identity involves pre­ventive tools to help you monitor that identity,” Moda spokeswoman Katie Paullin tells RPP.

On a Web page touting MIDAS, Moda calls medi­cal identity theft “more than just an invasion of your privacy — it’s a threat to your health and well-being. With enough information, an identity thief can use your medical benefits to submit false claims, rack up bills with fraudulent charges, fill prescriptions in your name, or add a new allergy or medication to your medical re­cords.”

ID Experts is perhaps best known for RADAR, its patented product that helps covered entities (CEs) con­duct a HIPAA security risk analysis (RPP 5/13, p. 11). And while MIDAS has been available only since Novem­ber, Rick Kam, ID Experts’ president and co-founder, tells RPP the market for MIDAS is just as big.

MIDAS can be used as an add-on to credit monitor­ing and breach mitigation that CEs would provide in the event of a breach. Or, as in Moda’s case, MIDAS can be bundled with a typical benefits package and used as a bulwark against rising incidents of medical identity theft. Such “incidents” rose nearly 22% from 2013 to 2014, according to a recent study by the Ponemon Institute, its fifth annual on the topic.

Credit Monitoring Falls Short

Credit monitoring alone “doesn’t do anything if your health insurance number is being misused,” Kam says. The danger in medical identity theft is not only that the cost for fraudulent services will be incurred, but also that wrong and potentially damaging or dangerous medical information could become part of the patient’s medical records, he points out.

CEs are suffering breaches every day, it would seem. The most recent to make the news was the monumental breach of possibly some 80 million records held by An­them, Inc., which was announced Feb. 4 (see story, p. 1).

Anthem initially drew the wrath of Connecticut Attorney General George Jepsen, who wrote a letter to Anthem on Feb. 10, signed by nine additional state AGs, demanding that Anthem speed up the process of inform­ing affected individuals of the details of the breach and ways they could protect themselves, including by of­fering credit monitoring services. They did not suggest medical ID theft protection, which many are not aware exists. ID Experts hopes to change that.

ID Experts CEO Bob Gregg penned an “open let­ter” back to Jepsen on the same day, stating that Jepsen’s emphasis on credit monitoring “misleads consumers.”

“The greatest and longest lasting potential harms that are likely to affect the individuals impacted by the Anthem breach will be medical identity theft,” Gregg wrote. “As a result, it can have a devastating impact on individuals, be difficult to detect, and be very costly to repair.”

Gregg urged Jepsen to “consider that some type of medical identity monitoring, to complement the credit monitoring, should be an essential requirement” for Anthem to provide affected individuals.

Robert Blanchard, Jepsen’s spokesman, said the AG had no comment on Gregg’s letter.

Secure Claims Are Sent

ID Experts describe MIDAS as “an innovative health care fraud solution…developed to lower healthcare costs and protect consumers’ medical identities through early detection and prevention of healthcare fraud.”

Kam says ID Experts had been “looking for some­thing to prevent medical identity theft.” It felt a product was needed that would function like credit monitoring and restoration services do for financial costs, but would be able to catch incidents that don’t necessarily or imme­diately have financial implications.

For example, a person could appropriate someone’s identity and obtain services under his or her insurance card, with no charges ever appearing on the patient’s credit card.

But seeing no such product, the firm decided to cre­ate one of its own. Payers support MIDAS “on behalf of their members,” Kam explains. “We price the program based on the number of potential members using the tool,” at a cost of “pennies per person per month.” Con­tracts for MIDAS are typically for three years, he adds.

The way MIDAS works is by tapping into a claims database — either the payer’s directly, or one ID Experts creates to house a MIDAS customer’s claim once it is sent to ID Experts. “We have a secure daily feed from the payer [of claims] with a limited number of data ele­ments,” Kam explains.

Once a claim is identified, ID Experts sends the patient an email or a text — depending on the option they’ve selected — alerting them to log into a secure website to review the claim. The text and email are not sent in an encrypted fashion. This part is similar to how credit monitoring works.

For example, as needed, firms such as Experian send customers with credit monitoring an email stating, “Information in your credit report has changed,” and telling them to log in to view the “alert.” If the alert refers to something that is a problem, the person has to contact Experian to resolve it.

With MIDAS, the member registers and sets the frequency of alerts; access to records for family members can also be granted, although those over 18 have to give authorization. It “works on just about any device with a web browser…[and] will adapt its screen size to fit all smartphones, tablets, laptops, and computer monitors,” according to information on the MIDAS website.

Once alerted to a claim, the person logs in and views the provider name, date of service and type, such as a routine check-up. The person indicates a choice to mark it as “valid,” “suspicious,” or “needs research.”

He or she can also note physicians commonly seen so alerts for them won’t be sent. In this way the system begins to “learn” the member’s pattern of health care service, the same way a credit card company compiles data that warn of aberrant purchases.

Any claim flagged as suspicious “is then encrypted and sent to MIDAS’s team of fraud experts for investiga­tion.” (For more information, see https://www2.idex­pertscorp.com/midas-software.)

Still ‘Pay and Chase’

ID Experts never sends PHI or other information, such as a Social Security number, in the alerts to patients or health plan members, so it does not run afoul of HIPAA or other laws, Kam stresses.

For now, ID Experts typically doesn’t hold up pay­ment of a claim while it’s waiting for the individual to verify it, although Christine Arevalo, ID Experts’ vice president for health care fraud solutions, says the firm “can modify our approach based on each health plan’s preference or business rules.”

But, she adds, “Obviously, I envision a future where these transactions are approved or denied in real time.” The system would work best, Arevalo says, “the sooner the better” the individual can enter “the data stream in order to spot suspicious activity quickly.”

However, “the limitations of the current ecosystem make that a dream for right now,” Arevalo tells RPP, especially because payers must meet requirements to process claims within a certain period of time.

MIDAS “is not…standing in the way of claims being paid. We, like the rest of the industry, are typically forced to use a ‘pay and chase’ model whereby we follow the fraud after it’s occurred, and the claim has been submit­ted for payment,” she says.

There Is Praise for the Concept

Despite the fact that credit monitoring has now become de riqueur following a breach of PHI, CEs aren’t even required under federal rule to offer such services. Reece Hirsch, a partner with Morgan, Lewis & Bockius LLP in San Francisco, points out that only the state of California comes close (but not very) to having some­thing of a mandate to this effect, following an 2014 amendment to its breach notification law.

The amendment, which went into effect Jan. 1, states that, “If the person or business providing the notification was the source of the breach, an offer to provide ap­propriate breach prevention and mitigation strategies, if any, be provided at no cost to the affected person for not less than 12 months, along with all information neces­sary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information” as defined by California law.

Hirsch notes that this is not a mandate because of the qualifier “if any,” regarding the provision of breach-relat­ed services. And it doesn’t mention protection from the risks of medical identity theft, which Hirsch says there is “definitely a need for.” “I think something like [MIDAS] would be very valuable,” Hirsch adds.

John Halamka, chief information security officer for Beth Israel Deaconess Medical Center, agrees. “That sounds like a very interesting service,” he tells RPP. Halamka sees an additional benefit, that of patient en­gagement. He isn’t sure how much true medical identity theft is happening; he’s aware of only one case at BID­MC, which involved a patient coming to his emergency room without insurance and with false identification.

“There are two separate issues,” Halamka says, but they can overlap. “If I am a Medicare mill in Florida, I can gin up phony medical records” and make claims to Medicare, he says. That’s Medicare fraud. But if the iden­tities of real people are used and the payments or servic­es go into their records, that’s medical identity theft, too.

BIDMC has had a secure patient portal since 1999, which some 250,000 patients use, he says. Massachusetts has an all-payer claims database, which mails explana­tion of benefits documents to patients.

Something like MIDAS “would be a great service to a payer,” he says, and can serve as a “check and balance” for both the payer and the patient.

He says the best way to engage patients is to “push” the information out to the patient the way MIDAS does when a claim comes in. “I am a big fan of engaging the patient and the family,” Halamka says, noting that this is also a requirement under meaningful use programs that provide payment for adoption of electronic medical records. Engagement is an area where groups are having the most trouble, he says.

Contact Katie Paullin at katie.paullin@modahealth. com, Kam at rick.kam@idexpertscorp.com, Arevalo at christine.arevalo@idexpertscorp.com, Hirsch at rhirsch@ morganlewis.com and Halamka at jhalamka@bidmc. harvard.edu.