When my daughter needed to see a specialist, I did what any parent would do: I did some research and asked for referrals before making an appointment.
I never met the doctor. The wheels fell off at the front desk. You see, prior to the visit, I received an info packet which included a lengthy form that I was to complete in advance. The early questions were routine. Name, address, and birth date. And then, Social Security Number (SSN). I know they don’t need the SSN, so I skipped that question. I always do (here’s why).
Next was my daughter’s medical history, as well as my medical history, and that of my husband, my parents, and my husband’s parents. You’ve been asked the same info before, I’m sure.
There was also a page about educational history. Jotting down my daughter’s level of education was quick. Listing the same for my husband and me took a little longer and I wasn’t sure why it was necessary. I guess the office wanted to determine my level of comprehension when it comes to understanding complex medical issues. Only, my two graduate degrees – in law and tax – won’t help with that at all. On a Grey’s Anatomy scale, I’m about a Season Three. But they didn’t ask me that question.
Other questions followed, the type we’d seen before on pediatrician’s forms. Did we have guns in the house? (Apparently, you can’t ask that question in some states, like Florida, but you can in Pennsylvania.) Did we use seat belts in the car? Did we have a dog? Does our child use a bike helmet? What sports and other after-school activities did our child participate in?
Then the form shifted to finances. Since I was the responsible party, I had to list my occupation, employer, length of employment, and SSN. I knew this drill because some offices – even when you’re insured – want to make sure that you’re a good credit risk when it comes to “optional” medical treatments such as specialty care in case insurance doesn’t pay. The office wanted to know the same information about my husband. It’s not his insurance plan but as a parent, I know that makes him also responsible, so I filled it out.
I didn’t love all of the questions but I answered most of them. That is, until the last couple of pages.
Since specialist care can be complicated, I had asked when I made the appointment whether I could pay cash for the first visit, rather than bill insurance. I know this isn’t allowed sometimes – I found that out the hard way – so I always ask in advance. This was just a consult – no labs, no testing, no exams. While I generally like the specialists in our area, there have been the odd visits that didn’t pan out – the endocrinologist who misdiagnosed Graves Disease as Lyme Disease and the doctor who misread non-fasting blood work and wrongfully declared “diabetes.” Not every visit is a home run. And my daughter has a complicated medical history, including a rare form of vasculitis, so I’m careful when checking out doctors and don’t want to commit before I feel comfortable.
This office confirmed that I could pay for the consult in cash. So when I got to the part of the form which included a blanket authorization to contact others, including the insurance company, about my daughter’s care, I skipped it. I also opted out of writing down my credit card number, signing a blanket payment authorization, and including a copy of my credit card.
At the appointment, the office manager asked for my insurance card and my ID. I reminded him that I was paying cash but he said they needed my insurance card anyway “for the file.” I handed both over and watched as he made multiple copies. There were piles of papers strewn all over and I didn’t feel terrific about the level of organization or security but I kept quiet.
He returned my card and my ID and then asked why I didn’t complete the form. I told him that I didn’t sign the consent because we weren’t using insurance. He said I needed to sign but could handwrite that I denied consent at the bottom. I asked what the point would be. He said it was “because of HIPAA.”
HIPAA, or the Health Insurance Portability and Accountability Act of 1996, is, as its name implies, a law that governs some health insurance provisions. That doesn’t mean that all insurance-related requests are “because of HIPAA.” As it applies to consumers, HIPAA typically limits the amount of information that medical professionals can disclose without your consent.
(You can read the law here; it downloads as a PDF.)
My credit card info? He said I had to include it, too, “because of HIPAA.” He and I both knew that it wasn’t true. Having my credit card number on file was an office convenience, not a HIPAA rule. Just like the SSN.
I was trying really hard not to be that parent. The office manager could sense my hesitation.
“Listen,” he said, his voice a bit strained, handing me a pen. “I need you to fill out the whole form. If it doesn’t apply, I’ll just shred those pages after your visit.”
I took the pen and stared at the piles of paper on his desk. I chose my words carefully, saying quietly, “No.”
He looked at me. “What?”
I tried to be polite. “I don’t feel comfortable including my credit card and other information when you’ve already told me that you don’t need it.”
“I told you I’d shred it,” he replied.
“But I don’t understand why you need it in the first place if you’re just going to shred it.”
He started, “This is the way we do things. If you want your child to be seen, you’ll follow the rules.”
There. He said it. He knew he held the power. And my guess was that it normally worked. It can be tough to get specialist pediatric appointments in our area: we had waited months.
And I’m a rule follower. I’m a middle child and a tax lawyer. I’m all about the rules. But these rules? They didn’t make any sense.
Every alarm bell in my head was going off. I took a breath and put the pen down. Then I turned around, papers in hand, and I left.
I know that your personally identifying information has value. It’s no surprise that a massive tax fraud takedown in Florida yielded personally identifying information (PII) gleaned from schools and health care providers. According to Michael DePalma, Special Agent in Charge for the Miami Field Office of Internal Revenue Service – Criminal Investigations (IRS-CI) and former National Identity Theft Coordinator for IRS-CI, criminals target places which store personally identifying information, saying, “any entity that houses data is vulnerable.” That includes not only doctor’s offices but other spots you trust with your information, like the offices of your advisors.
What kind of data can thieves get their hands on? Social Security numbers, for example. As I’ve noted before, chances are you drop your SSN at your doctor’s office on a regular basis. And your dentist. And your kid’s school. You do it even when there’s no balance due, even when you have insurance, and even if you’ve already provided it before. We’re trained to turn it over because our SSNs have become synonymous with personal identification numbers. But the reality is that the SSN wasn’t intended to be anything other than a way of identifying qualifying individuals for benefits. In fact, the SSA encourages you to protect your number, advising:
“You should be careful about sharing your number, even when you are asked for it. You should ask why your number is needed, how it will be used and what will happen if you refuse.”
I know what you’re thinking: why should I worry? It’s my doctor. Or my kid’s school. Or my trusted advisor. What’s the worst that could happen? But armed with your SSN and a few other bits of data, criminals can clean out your bank accounts, run up credit card bills, and take your tax refund.
Printouts of your personally identifying data, including your name, address, and employment data, as well as your SSN can be bought for as little as $50/name, nearly five times the hourly salary of the average medical office receptionist. Thieves rely on finding the weak link – maybe getting a person at the front desk who might be a friend (of a friend) or relative – to snatch up data. Or they steal it over the internet, attacking vulnerable data systems stored in the cloud.
Criminals can then use data – like the kinds of information provided on office forms – to match information on the web. You know those “secret questions” that you use to protect your bank account? Thanks to Facebook and other social media sites, thieves can determine where you were born, your pet’s name, and your favorite color. They may even know other “out of wallet” info like your mother’s maiden name or your father’s first name.
Thieves then match data and create master lists that can be priced and sold. You’re no longer just a random patient named Jane Smith. You’re Jane Smith, SSN 123-45-6789, born on January 1, 1970. You work at ABC Chemicals and you live at 123 Elm Street, Anytown, USA 12345. Your spouse’s name is William. You own your own home and a Subaru Outback. You have a dog named Asta that you take on trips to your favorite vacation spot in the Adirondacks. You were born in Virginia. You went to the University of Central Florida for college. That profile has value. And it can be sold again and again.
Sometimes, it only takes a few pieces of information. In 2015, thieves accessed taxpayer info at the IRS, including taxpayer filings, by using previously stolen SSNs and other personally identifiable information gleaned from other sources. Over the past few years, the IRS has cited the theft of personal information used to fraudulently file a tax return and claim a tax refund as one of its Dirty Dozen Tax Schemes (including in 2017).
It goes beyond tax fraud. According to a recent Identity Fraud Study released by Javelin Strategy & Research, the overall incidence of identity fraud in 2016 rose 16% to affect 6.15% of U.S. consumers, from 5.30% in 2015 – the highest on record. An additional 2 million consumers were affected, with crooks pocketing nearly one billion more dollars, bringing the total of fraudulent losses to $16 billion.
Your personal information can be used as part of new account fraud (NAF). NAF occurs when thieves use your information to open new credit card accounts or apply for mortgages or lines of credit. Instances of new account fraud in a consumer’s name were up 20% last year. And, of course, your personal information can also be used for account takeover fraud (ATF): that’s where thieves use the information to access your existing accounts (instances of ATF rose 31% last year).
My reluctance to give up my credit card number when it wasn’t needed? Today, thieves don’t need your card, just your number. The growth of e- and m-commerce means that thieves are more likely to go online: Card Not Present (CNP) fraud increased last year by a whopping 40% while the incidence of fraud at the point-of-sale (POS) remained basically unchanged from 2014 and 2015.
So what can you do?
- Be smart. Don’t give out information that isn’t necessary – in person or online. That includes your cell phone number. Adam K. Levin, author of the book, Swiped, says that cell phone numbers are a valuable commodity because so much information is stored on mobile. (For more, check out this article from Forbes’ Laura Shin.)
- Consider lying. Even the most difficult-to-crack password is vulnerable if your security questions are accessible. That’s why Levin suggests that you consider lying. Why does your bank or credit card company need to know the real name of your pet or the street where you grew up? That kind of information may be easily available on the web – on Instagram or Facebook, for example – if you tell the truth. But if you lie? You control the answer.
- Enable two-factor authentication. Sites from Amazon to Google now allow you to activate two-factor authentication, making it more difficult for thieves to access your accounts. If those options are in place on sites you use or shop, enable them.
- Remain alert. Regularly check bank accounts and other online accounts. Don’t ignore fraud alerts (if your bank or financial institution offers these kinds of alerts, take advantage of them).
- Don’t hesitate to ask questions about how your data is stored and protected and don’t feel bad about refusing to give in if you don’t like the answers. While you don’t expect the staff in your doctor’s or tax prep offices to be technology experts, they should know enough to answer basic questions about data security. Take it as a warning sign if that’s not the case. And if there isn’t a business purpose beyond convenience, consider that a red flag.
Remember, your identity is an asset. You don’t leave your car unlocked with the keys in the ignition when you park. And you don’t leave your front door wide open when you walk out of your house. You take precautions. So why be careless with your identity?
(For more tips on protecting your identity, check out this prior article.)
For the record, I did get a new referral for a specialist for my daughter – and it came with a new form. The new form was much shorter, the office was much more organized, and she and I both sleep better now.