August 1, 2007 by Insurance Bureau of Canada Investigative Services
As part of his day-to-day duties at the clinic where he worked, a health care provider prepared pre-approved framework documents, treatment plans and disability certificates as supporting documentation for his clients’ injury insurance claims. One day, a rather routine inquiry from an insurer about one of the clinic’s treatment plans led the health care provider to make an unsettling discovery: His signature appeared on the treatment plan, but, according to his clinical records, he had not authored — or signed — this particular plan. After further investigation into this puzzling circumstance, the health care provider asserted that, without his knowledge and on more than one occasion, a photocopy of his signature had been used on phony treatment plans submitted by the clinic to insurers.
This health care provider’s identity had been misappropriated to defraud insurance companies.
These days, the mention of “identity theft” conjures up, for most people, countless and varied scenarios — from thieves digging through dumpsters for personal information, to the complex identity-morphing tactics of the recently outed “Mr. Nobody,” Ciprian Skeid. Definitions of the term also appear to be equally numerous; the Canadian Internet Policy and Public Interest Clinic (CIPPIC) recently compiled a list of 32 published definitions of “identity theft.” CIPPIC itself defines identity theft as “a process involving two stages: 1) the unauthorized collection of personal information; and 2) the fraudulent use of that personal information to gain advantage at the expense of the individual to which the information belongs.”1
Most people have internalized the news stories of victims who have had their bank accounts emptied or their houses mortgaged and/or sold from under them and, in efforts to defend ourselves against these wrongdoers, actions such as PIN-guarding and document-shredding have been incorporated into our daily routines. Some have also purchased insurance coverage against this type of crime, as an added measure of protection.
Although identity theft is a recurring theme in the media and the topic of several recent publications by the Office of the Privacy Commissioner of Canada, there has been very little attention given as to how this crime is manifesting itself in health-care settings. The scenario described in the opening paragraph is an example of how opportunistic criminals are combining identity theft, which is recognized as a low-risk, but highly profitable criminal endeavour, with personal injury insurance fraud (also perceived as low-risk/high-profit) with very successful outcomes.
Insurance Bureau of Canada (IBC) is the national trade association of the private property and casualty insurance industry. As the voice of insurers who provide more than 90 per cent of the non-government home, car and business insurance in Canada, IBC is particularly concerned about this trend in identity theft. In excess of $3.6 billion in premiums written by the industry are lost to fraudulent activity and criminal organizations every year. This has a direct social, economic and emotional impact on all of IBC’s members and the communities they serve.
IBC works on behalf of its member companies to combat insurance crime by:
* Identifying questionable claims and alerting member companies about these to assist them in stopping payouts at the initial stages of a fraudulent claim;
* Where criminal activity is identified, processing that information into a concise workable investigative brief within the legal context and boundaries afforded IBC investigators to be presented to an enforcement or regulatory agency at the direction of our member companies;
* Supporting police, Crown prosecutors and regulatory agencies during their investigative processes seeking aggressive enforcement resulting from any criminal activity; and
* Providing training and support to the industry and interested stakeholders with respect to new trends in criminal activity and organized crime.
IBC fields complaints from registered health practitioners (RHPs) who have been victims of identity fraud, in an effort to reduce this type of insurance crime and thereby reduce its cost to the property and casualty insurance industry and its customers. IBC has received complaints from all manner of health care provider: physiotherapists, psychologists, massage therapists, chiropractors, occupational therapists and even a social worker. In all of these cases, criminals were using RHPs’ identities to fraudulently bill insurers for health care services that were never rendered.
Four Common Scams
IBC has identified four basic trends in identity theft involving a registered health practitioner:
1. A clinic using a current employee’s (an RHP’s) identity for purposes unknown to, and unauthorized by, that person. This trend is illustrated in the example described at the beginning of this article and underscores the importance of RHPs keeping their own clinical notes and records. (Document, document, document!)
2. A clinic using the identity of an RHP who has never been employed there, for purposes unknown to, and unauthorized by, that person (e.g., submitting fraudulent invoices in that person’s name to insurance companies). These cases are discovered when an insurer contacts the registered health college; the RHP is then contacted and alerted. The moral is for registered health professionals to keep their colleges up to date in regard to their personal contact information.
3. A clinic using the identity of a former employee (an RHP) for purposes unknown to, and unauthorized by, that person. To protect against this scenario, RHPs should advise insurers, colleges, and other relevant contacts each time they change employers.
4.A franchise or group of privately owned clinics using an employee’s (an RHP’s) identity to bill for services provided at more than one location on a given day. This scam is more complex than the three already described, and often involves “willful blindness” on the part of the RHP. Typically, the RHP is required to move from one location to another daily or every other day to treat patients. Insurers receive invoices for assessments and treatments from all clinics using the RHP’s name. In some cases, insurers have received invoices showing that one RHP treated clients for more than 30 hours in one day!
Consequences For Victims
Theft of a health provider’s identity is startling, disconcerting and often totally unbelievable. RHPs who suspect their identities have been used for fraudulent purposes face a variety of legal and ethical issues. For instance, the RHP is not responsible for submitting the false documentation, so would he/she be accountable if he/she pretended to be unaware of the identity theft? Would reporting the suspected activity breach client/patient privilege? What legal responsibility does the RHP have to his/her employer? What protection would be provided to the RHP if information he/she provided were turned over to an investigative body?
Victims of identity theft must put time, effort and money into reclaiming their stolen identities. For an RHP whose name becomes associated with insurance fraud, additional resources must be put toward clearing his/her name. This can translate into not only the need for legal assistance and the expense of replacing legal documents, but also missed business opportunities and the loss of productive time. Embarrassment and emotional stress are also real consequences for RHPs in this situation.
Identity Theft Prevention Tips For RHPs
There is no question that the use of computers to store and share information electronically has contributed to the proliferation of identity theft. Many of us are not security conscious when it comes to our computers; we neglect to install firewalls or virus detection software, we don’t use passwords, or worse, we don’t shut our comp
uters off when we’re not using them. It doesn’t take a hacker to copy files and critical data onto a portable flash drive from an office computer that has been left unattended. What is more, the rise of the electronic age has meant a decline in the use of paper-based documentation; in health care this means that signed hard copies of assessments, treatment plans and invoices are less common. Not to mention, because electronically stored information is so easily copied and travels so quickly, by the time an identity theft is discovered someone has usually already been defrauded.
The key to preventing identity theft, then, is safeguarding and monitoring the use of identity-related information. For registered health practitioners this can mean:
* Locking computers when they are left unattended;
* Making sure all college-registered contact information is up to date;
* Documenting all assessments, treatments and forms they complete;
* Keeping copies of their clinical notes and records;
* Advising colleges, insurance companies and other relevant contacts when they are leaving a clinic;
* Monitoring how much information they are providing and for what purpose(s) that information is being used;
* Examining the documentation their information is being used on;
* Knowing what is being invoiced in their names and examining bills/ invoices in detail to determine that the numbers, dates and treatment provided are represented accurately. Watching for additions and deletions that they have not authorized;2
* Ensuring that they have direct access to client information, clinical notes and records — in electronic and/or hard copy — throughout the assessment, treatment and invoicing processes;
* Never signing blank forms;
* Keeping electronic signatures and rubber stamps of their signatures and/or registration numbers in a secure location for their access only;
* Securing files so that only authorized persons have access under the RHP’s direction; and
* Instructing clients to be vigilant and ask for copies of all bills paid by their insurer to check the accuracy of the information.
RHPs need to protect information related to their professional identities at all times — no matter their employment status. For instance, on job applications, RHPs should provide only the information necessary to secure the position or an interview.
RHPs might also manage their risk of falling victim to identity theft by purchasing identity theft insurance, which is now available from a variety of insurers across the country.
Red Flags: Signs That a Health Care Clinic may be Committing Identity Theft
IBC’s research has shown that questionable clinics are typically owned and operated by persons that are not health care providers. RHPs should take note of their clinic’s ownership structure, and be on the lookout for the following warning signs of identity theft:
* The RHP is not permitted by the clinic to follow the day-to-day practices recommended by his/her college;
* The RHP does not have access to previous clinical notes and logs;
* The RHP has no, or limited, input into billing or invoicing; and/or
* The RHP does not sign off on services he/she has provided.
Recourse For RHPs Who Suspect Identity Theft
Often, the only way to uncover identity theft in health care environments is for a registered health practitioner to come forward when he/she suspects that his/her identity has been misused. RHP victims of identity theft can contact their colleges for support and direction. Ultimately, evidence of identity theft and any resulting injury insurance fraud should be reported to the local police.
An RHP who suspects that his/her identity has been misappropriated can choose to remain anonymous and still report the suspicions by contacting Crime Stoppers at 1-800-222-TIPS or IBC’s TIPS line at 1-877-IBC-TIPS. Anonymous tips and complaints can also be submitted electronically to IBC at www.ibc.ca.
All information submitted to IBC is confidential and is subject to PIPEDA (Personal Information and Electronic Documents Act) and freedom of information (FOI) rules. IBC is designated as an Investigative Body pursuant to Bill C-6 of the Parliament of Canada and recognized by the Privacy Commissioner.
IBC numbers and catalogues tips and complaints and makes the information available to its investigators. If a tip or complaint identifies a particular insurer as a victim of insurance crime, IBC investigators will notify the insurer within one business day to ask about any billing related to the tip. Insurers are entitled to follow up on invoices directly with a claimant, this is not done by the RHP. Suspicious invoices will be brought to the attention of IBC and, if possible, the RHP will be asked to verify the invoices.
IBC will not contact the person who submitted the information, unless that person has indicated an interest in being contacted. Though this is an important and unalterable policy, it sometimes hampers an investigator’s ability to gain a deeper understanding of the complaint or tip.
Depending on the issue and on resources available, IBC may have the complaint directed to the police, a regulated health professional college or another government body that would be interested in the identified criminal activity. IBC works on behalf of its members to seek aggressive prosecution and sentencing of insurance crime and, where possible, civil restitution and punitive damages.
RHP victims of identity theft who come forward without seeking anonymity may be asked to participate in a judicial or quasi-judicial hearing. As a witness, the RHP may be asked to testify to the facts of the case and to identify the misrepresentation and fraudulent entries found in suspect documents. To be most effective as a witness, an RHP should keep all notes and other documentation he/she has prepared about the alleged crime and make these available for disclosure at the hearing. Points that may be of particular interest to the court or regulatory body conducting the hearing include (but are not limited to):
* When the RHP first began working, and his/her registration number and work experience;
* When the RHP first became aware of the suspected criminal activity;
* Who the RHP’s employer was at the time;
* Whom the RHP reported to at the time; and
* What business practices the RHP was required to follow and which of those practices led him/her to suspect criminal activity.
Though the RHP may not take official documentation from the clinic to support an allegation, he/she can bring forth his/her own notes or logs that were prepared outside of work responsibilities. The RHP should also know that it is within his/her rights to provide the names of other employees who have left the employer for the same reason(s).
Keeping Identity Thieves at Bay
Identity theft appears to be the crime du jour, likely because it is perceived as a low-risk and highly profitable criminal endeavour. Now that opportunistic criminals have discovered an application for identity theft in the seemingly comparably low-risk/high-profit world of personal injury insurance fraud, their potential for ill-gotten gain seems almost boundless. But increased vigilance on the part of registered health practitioners can put limits on the realized profits and, in turn, the ambitions of these criminals.
IBC is Canada’s leading provider of investigative services to the property and casualty insurance industry, detecting and preventing insurance crime (particularly in the ar
eas of organized auto theft and Accidents/Benefits/Bodily Injury fraud) and recovering losses on behalf of its members.
1.CIPPIC (2007). “Identity Theft: Introduction and Background.” CIPPIC Working Paper No. 1 (ID Theft Series), March 2007. Ottawa: Canadian Internet Policy and Public Interest Clinic. Downloaded from http://www.cippic.ca/en/bulletin/Introduction.pdf
2.Many RHP colleges stipulate that their members are required to participate in billing for their services and to know what is being sent out in their names.
3.Office of the Privacy Commissioner of Canada (2007). “Business and Identity Theft.” Downloaded from http://www.privcom.gc.ca/id/business_e.asp
4.Office of the Privacy Commissioner of Canada (2007). “Fact Sheet – Identity Theft: What it is and what you can do about it.” Downloaded from http://www.privcom.gc.ca/fs-fi/02_05_d_10_e.asp
5.Office of the Privacy Commissioner of Canada (2007). Identity Theft: Submission Presented to the Standing Committee on Access to Information, Privacy and Ethics. Downloaded from http://www.privcom.gc.ca/parl/2007/sub_070508_e.asp
For additional information and resources regarding identity theft, visit the following web sites:
www.phonebusters.com Phonebusters National Fraud Reporting Centre
www.privcom.gc.ca/id/index_e.asp Office of the Privacy Commissioner of Canada
www.cbs.gov.on.ca Ministry of Consumer and Business Services Ontario
www.consumer.gov/idtheft U.S. Federal Trade Commission
U.S. Department of Justice