Is That Medical Record Request a Phishing Scam?

CMS warns healthcare providers about phishing scams targeting patient records. Verify any unexpected requests before sharing medical records to ensure they’re legitimate. Watch the video to learn more!

Referenced Link:

CMS Link

Transcript:

Recently, CMS issued an alert to healthcare providers about potential phishing schemes and phishing scams attempting to gain access to a patient’s medical records through medical record requests. So we want you to be alert and know what to watch for when you receive a medical records request, especially when they’re coming in via email or through your fax. So this is what you can do to ensure that it’s okay. First of all, if you’re not expecting that request, if you issued a payment for something and that request is coming back and is directly affiliated with the payment that you have requested, then that should be a first red flag. It doesn’t mean it’s not legitimate. It just means it should be a red flag. What you can do in these cases is look and make sure that the patient has signed an authorization or a right of access. Now, when it is directly related to payment, of course, that’s a part of treatment, payment and healthcare operations. So HIPAA does allow you to share it, but you have to take reasonable precautions to ensure that the requesting entity is actually authorized to receive it. So if you’re getting it from a secondary insurance which you never filed with, that should be a red flag. If it’s coming in to you not related to a payment, without a patient authorization that has a signature that matches what you have on file, or a right of access request with a similar type of verification on the signature, then that should also be a red flag for you.

Additionally, if you look at it and maybe you’re sending those medical records to a fax machine that doesn’t match anything else that you’ve ever sent to before, or if it’s referencing medicare.gov or something along those lines, or if it’s telling you something random, like they’re trying to update an insurance accordingly, these should be red flags. These are the types of red flags that CMS had in their alert. Obviously you also want to watch for whether it has poor grammar, misspellings or some strange wording, incorrect phone numbers, skewed or outdated logos, or graphics that look cut and pasted. All of these should be red flags for you. I know this sounds pretty obvious to everybody, but this gentle reminder sometimes may help you protect your patients’ information and protect their health records appropriately.

Now, if you think you have something that looks legitimate, but it’s not accompanied with anything, and it may not be directly related to a specific payment request that you have on file at the moment, another way to do it is to pick up the phone and call the patient, and ask them if they have an affiliation with this particular entity before you release those records. Sometimes you don’t have to respond at all. In fact, we have seen through some previous requests from members that sometimes you’ll get a request from a random entity on a patient that you don’t have. We actually encourage you in those instances, if it’s a patient you’ve never seen before and you’re getting a medical record request for them, you can actually ignore that request. The best thing to do in those cases is to actually just not respond to that request at all, because in those instances, it could just be an entity that is looking to find who is treating a specific patient, or it definitely could be a phishing scheme. In those particular cases, they will use social engineering to try to get more information. So we just encourage you, in those cases, not to respond.
Now for the others, you can verify with the patient, you can verify with the insurer, or that payment entity that they are making that request, and ask them for the exact location that you should be sending it to, whether it’s a fax number or an email address. Don’t use the document that was sent over and the phone numbers on that. But of course, they’ll man those and they’ll verify. But on the flip side, you want to contact the payer directly through their provider relations number to determine that it is appropriate, or verify through the patient. Hopefully this information helps you out. Make sure you check out the CMS link below. We’ll catch you next week.

About Author

Marc Abla, CAE

Marc Abla began working at the Illinois Chiropractic Society in 2002 and became the Executive Director in 2008. He brings his extensive financial, administrative and association experience to the ICS. He is a Certified Association Executive and a graduate of the Certified Leadership Series through the Illinois Society of Association Executives. Additionally, he is a member of the Illinois Society of Association Executives, the American Society of Association Executives, Association Forum, Congress of Chiropractic State Associations, and the American Chiropractic Association.
