CMS Alerts Providers to Medical Records Phishing Scam

The Centers for Medicare & Medicaid Services (CMS) issued a warning in its weekly MLN Matters to providers about phishing scams targeting medical records. The warning says to watch out for scammers faxing fraudulent medical records requests to providers in an attempt to get them to send patient records in response. An example of such a fax can be seen here.

CMS said when you review requests, look for signs of a scam, including:

    • Directing you to send records to an unfamiliar fax number or address
    • Referencing Medicare.gov or @Medicare (.gov)
    • Indicating they need records to “update insurance accordingly”

Scam requests may include:

    • Poor grammar, misspellings, or strange wording
    • Incorrect phone numbers
    • Skewed or outdated logos
    • Graphics that are cut and pasted

If you receive a suspicious request, work with your Medical Review Contractor to verify its authenticity. Submit medical documentation through the Electronic Submission of Medical Documentation (esMD) system or CMS medical review contractor secure internet portals, when available.

Compliance Perspective

Issue

Phishing is a type of social engineering used to trick individuals into disclosing sensitive information via electronic communication, such as an email or fax, by impersonating a trustworthy source. Phishing scams targeting medical records pose a serious threat. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requires that facilities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI) in any form.

Discussion Points

    • Review policies and procedures related to HIPAA and PHI. Ensure that they address how to secure PHI and how to avoid falling prey to security breach efforts by unauthorized individuals. Update as new information becomes available.
    • Train all staff on HIPAA and PHI upon hire and annually, including how to avoid phishing schemes, malware exposures, and unauthorized release of PHI. Document that these trainings occurred and file the signed training document in each employee’s education file.
    • Periodically audit to ensure that the facility’s policies and procedures for HIPAA and PHI are being followed by all staff, and that each person demonstrates understanding and competency. Conduct ongoing risk analysis and keep systems updated.

*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*