Do you trust your staff to do Medicare Lookups?

Medicare Card Lookup

Medicare lookup and verification via HPOS is usually available to ALL staff using a site PKI certificate in a web browser. This is a common scenario.

Medicare have stated that they will no longer be providing Medicare Card verification to practices ‘over the phone’ from 1 July 2019. As a result, Medicare lookup and verification via HPOS will become the most common way that practices find Medicare card numbers for new patients who present without a card.

Delegation of HPOS credentials

I see many instances where doctors ‘delegate’ staff to look up billed items (e.g. care plan items) via HPOS (using PRODA credentials). Delegation allows staff to see details of payments / statements and additionally the private addresses of doctors. Consequently doctors should BE VERY CAREFUL in choosing who to delegate to.

I have seen many instances where the doctor had ordered a personal PKI dongle that lived in the practice manager’s desk drawer, along with the passwords. In addition, staff would access HPOS pretending to be the doctor without the doctor’s explicit knowledge. Similarly, HPOS access using the doctor’s PRODA credentials remains common practice. Team members using the doctor’s PRODA credentials can ADDITIONALLY change the bank accounts that Medicare benefits are paid to.

The Dark Web and Criminal Gangs

According to this 2017 online article anyone can purchase Medicare Card details on the dark web with a patient’s full name + DOB.

Would you know if a staff member is performing illegal Medicare card lookups for criminal gangs? This blog about the above article includes this quote:

‘It’s possible that OzRort has compromised a healthcare organization and has access to a computer with the digital certificate.’

How do practices know that they are not the compromised healthcare organisation?

What can practices do?

‘Not much’ is the answer.

There are some logs on HPOS. These logs are available from HPOS >> My Details >> My Access History.

In these logs, all users accessing HPOS via a site certificate show as the principal contact (i.e. the doctor that owns the clinic). The level of detail shown for a Medicare Card lookup is limited to ‘Find a patient – Patient name and date of birth’. When I checked this log there were ten of those lines for just the previous day. As a result, the business owner could never know which patients were actually checked.

Ideally, for each Medicare Card details search we would like to see:
– the identity of the patient
– when the search occurred
– which internet address made the search
– details of the local network workstation that made the search, and
– which team member made the request.
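Because the HPOS access history records only the principal contact and a timestamp, the missing fields above (workstation, internet address, team member) have to come from the practice’s own records. The script below is an added example, not code from the original post or from Services Australia: it pairs each ‘Find a patient’ entry with the nearest preceding hit to the HPOS hostname in the practice’s web proxy log, then lists after-hours lookups and lookup counts per login. The CSV shapes of both logs are assumptions, every log line is constructed, and the HPOS hostname is a placeholder.

```python
"""Attribute 'Find a patient' entries in an HPOS access history to the
workstation and login that made them, using the practice's own proxy log.

Added example, not from the original post. HPOS's access-history export
format is not shown on the page, so the CSV shapes below are assumptions and
every log line is constructed; the HPOS hostname is a placeholder.
"""
from collections import Counter
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"
HPOS_HOST = "hpos.example.gov.au"  # placeholder, not the real HPOS hostname
LOOKUP_ACTION = "Find a patient"

# Constructed: what the practice sees under HPOS >> My Details >>
# My Access History (assumed shape: timestamp,action). Every row shows the
# principal contact, so nothing here says which staff member or workstation
# performed the lookup.
HPOS_ACCESS_HISTORY = """\
2019-06-03 09:12:44,Find a patient - Patient name and date of birth
2019-06-03 09:13:10,Find a patient - Patient name and date of birth
2019-06-03 09:20:00,View statement
2019-06-03 21:47:02,Find a patient - Patient name and date of birth
2019-06-03 21:47:31,Find a patient - Patient name and date of birth
2019-06-03 21:48:05,Find a patient - Patient name and date of birth
"""

# Constructed: the practice's web proxy / firewall log
# (assumed shape: timestamp,workstation,login,destination_host).
PROXY_LOG = """\
2019-06-03 09:12:41,RECEPTION-01,jsmith,hpos.example.gov.au
2019-06-03 09:13:08,RECEPTION-01,jsmith,hpos.example.gov.au
2019-06-03 09:13:09,RECEPTION-02,akhan,www.example.com
2019-06-03 21:46:59,RECEPTION-02,akhan,hpos.example.gov.au
2019-06-03 21:47:29,RECEPTION-02,akhan,hpos.example.gov.au
2019-06-03 21:48:03,RECEPTION-02,akhan,hpos.example.gov.au
"""


def parse_hpos(text):
    """Return (timestamp, action) for each patient lookup in the HPOS history."""
    rows = []
    for line in text.splitlines():
        ts, action = line.split(",", 1)
        if action.startswith(LOOKUP_ACTION):
            rows.append((datetime.strptime(ts, TS_FMT), action))
    return rows


def parse_proxy(text, host=HPOS_HOST):
    """Return (timestamp, workstation, login) for proxy hits to the HPOS host."""
    rows = []
    for line in text.splitlines():
        ts, workstation, login, dest = line.split(",")
        if dest == host:
            rows.append((datetime.strptime(ts, TS_FMT), workstation, login))
    return rows


def attribute_lookups(hpos_rows, proxy_rows, window_seconds=10):
    """Pair each HPOS lookup with the latest proxy hit to HPOS in the preceding
    window. Both clocks are assumed to be NTP-synchronised; a lookup with no
    matching proxy hit gets None for workstation and login, which itself is
    worth following up (a device that bypasses the proxy, for instance)."""
    window = timedelta(seconds=window_seconds)
    result = []
    for when, action in hpos_rows:
        candidates = [p for p in proxy_rows if when - window <= p[0] <= when]
        match = max(candidates, key=lambda p: p[0]) if candidates else None
        result.append({
            "when": when,
            "action": action,
            "workstation": match[1] if match else None,
            "login": match[2] if match else None,
        })
    return result


def after_hours(attributed, open_hour=8, close_hour=18):
    """Lookups outside opening hours (assumed 08:00 to 18:00 for this example)."""
    return [r for r in attributed
            if not open_hour <= r["when"].hour < close_hour]


def lookups_per_login(attributed):
    """Lookup volume per login; a sudden jump for one login is the signal to review."""
    return Counter(r["login"] for r in attributed)


if __name__ == "__main__":
    rows = attribute_lookups(parse_hpos(HPOS_ACCESS_HISTORY),
                             parse_proxy(PROXY_LOG))
    for r in rows:
        print(r["when"], r["workstation"], r["login"])
    print("after hours:", len(after_hours(rows)))
    print("per login:", dict(lookups_per_login(rows)))
```

On the constructed data the two morning lookups attribute to jsmith on RECEPTION-01 and the three evening lookups to akhan on RECEPTION-02, with all three evening ones flagged as after hours. The proxy line to www.example.com is ignored because only hits to the HPOS host are candidates. This only narrows a lookup down to a workstation and Windows login; it still cannot tell you which patient was searched, which is exactly the gap in the HPOS log that the list above describes.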

I see that the HPOS system has been poorly implemented. Additionally I see that it is entirely possible that the business owner may well be liable for abuse. That is to say that the business owner may be completely unaware that someone on their staff could be selling details of non-patients to criminal gangs.