Information security guide for small healthcare businesses

Don’t give information to strangers; invite them to request it in writing

While a call to your office for the fax number or the name of the office manager may seem innocuous, it may also be step one in an effort to solicit information to be used inappropriately. Don’t be so fast to give the information to just any caller.

Identity thieves like to get physician information and then use it to change the “remit to” address at payers so checks go to them, and not the physician.

Armed with the office manager’s name, the caller will call the receptionist and say, “I was working with ‘Mary’ on a claim, and she forgot to tell me…” The receptionist, being helpful, will generally provide anything asked, from provider numbers to the physician’s social security number. You would be surprised how trusting receptionists, billers and other staff are in responding to callers who provide very little identification of themselves or the reason for their call. And extremely few challenge the caller by asking for a call-back number through the company switchboard to verify their identity.

Once the caller has that information, coupled with the information from your website and a payer’s website, they have all the information they need to send a change of address form to your payers asking that your “new” address be used for all remittances. Those remittances are your checks. Or they may try to redirect your electronic remittances to a bank account that they set up in your name, controlled by them. Plans do not reach out to verify this information; they accept what looks like a correct address change. After all, the requester has all the information.

Identity thieves have learned that they can run this scam for about 60 days. Offices that are not on top of their receivables will take about 45 days before they start calling payers looking for money. The thieves know that they then have another 15 days or more before the payer identifies what is going on. Now you have a problem: the payer will claim they paid the claim, and you will, rightly, claim that you have not been paid. That is not a great position to be in, regardless of whether the payer will stand tall and make good the losses.

Another reason not to be fast and free with your fax number is that outsourcing companies will use the fax number to send recovery letters by fax, speeding up the process of shaking you down for money.

When dealing with payers and their agents or outsource companies, if they want something from you that is not something to help get a claim paid, let them work for it. Use the mail, which not only supports the US Post Office but also makes them put the request in writing, where it can be read and reviewed by counsel, and which clarifies what they are seeking and why.

Requests for information related to the business of your practice are best answered with the simple words, “I’d be happy to, just send me your request, in writing, on company letterhead, with the full name and title of the requesting party.”

Remember what your mother taught you – don’t talk to strangers.