CMS Warns About Medical Records Request Scam
Unauthorized release of medical records can result in HIPAA fines and damage to your organization’s reputation. It is important to verify the authenticity of any requests for protected health information. CMS has recently released a warning about phishing attempts to gain access to medical records.
Medical Records Request Scam: Watch out for Phishing
CMS identified phishing scams targeting medical records. These may include scammers faxing you fraudulent medical records requests to get you to send patient records in response; see example (PDF).
When you review any requests, look for signs of a scam, including:
- Directing you to send records to an unfamiliar fax number or address
- Referencing Medicare.gov or @Medicare (.gov)
- Indicating they need records to “update insurance accordingly”
A scam request may include:
- Poor grammar, misspellings, or strange wording
- Incorrect phone numbers
- Skewed or outdated logos
- Graphics that are cut and pasted
If you think you got a fraudulent or questionable request, work with your Medical Review Contractor to confirm if it’s real. Submit medical documentation through the Electronic Submission of Medical Documentation (esMD) system or CMS medical review contractor secure internet portals, when available.
For more information about HIPAA compliance, take a look at Medical Mutual’s HIPAA checklist.
This article falls under LEGAL/REGULATORY in the Enterprise Risk Management (ERM) risk domains.
Risk within this domain incorporates the failure to identify, manage, and monitor legal, regulatory, and statutory mandates on a local, state, and federal level. Such risks are generally associated with fraud and abuse, licensure, accreditation, product liability, management liability, Centers for Medicare and Medicaid Services (CMS) Conditions of Participation (CoPs) and Conditions for Coverage (CfC), as well as issues related to intellectual property.