When someone says Identity Theft, most often the first thing people think of is credit cards and bank statements.  There are television commercials about it, credit card companies bragging about their theft deterrence systems and zero liability programs, and notices are regularly provided to consumers providing tips on how to prevent it from happening. There’s even one company that will guarantee your identity will not be stolen. (Please read their fine print)
 
While financial identity theft can be devastating, it’s only part of the story.  The fastest area of identity theft is Medical Identity Theft (MIT). Just what is MIT?  It occurs when criminals obtain information such as a health insurance identification or Social Security number and use it to get health care, medical test, Medicaid benefits or to obtain reimbursement from insurers and others for false claims. That means your medical history and health care records can include someone else's information.

This can be life threatening: for example, causing a transfusion of the wrong blood type or adding medical conditions they don’t have – can result in dangerous mistakes in an emergency.  Additionally, the changes can create issues with employment, life insurance, rates can go up or benefits cancelled, or you could owe thousands of dollars for a procedure you never had.

Many experts are recommending or providing credit monitoring as a solution; but what is it about someone using your medical information that would ever make you think that it could be detected by credit monitoring?  Offering credit monitoring for MIT will soon test whether or not some insurance agent’s E&O insurance policies work because that’s what has been offered in some high-profile data losses lately. Since most insurance agents do not know any better, they assure their clients that credit monitoring will provide adequate protection, but when their clients find out that it doesn’t, they might be suing their insurance agent for bad information. 

Unfortunately, MIT victims often have no idea someone else is using their insurance or Medicare numbers.  Typically, the crime is discovered when the victims are billed for services they never received or are denied reimbursement or coverage by their insurance carrier.  MIT has been prominently featured in numerous magazines in the last 12 months. 

Reported in the 2006 November issue of Reader’s Digest, a Denver man got a collection notice from a billing agency for Littleton Adventist Hospital. The hospital wanted payment for surgery totaling $41,188. Joe Ryan, a Vail pilot, had never set foot in that hospital. Obviously there was some mistake. "I thought it was a joke," says Ryan. The Joe Ryan who checked into hospital for surgery in May 2003 was actually Joe Henslik, a career bank robber, check forger and con artist with a long prison record. Two years later, the first hospital bill arrived. "I wanted to help straighten this out," says Ryan, "so I went to the hospital, and they had a three-inch-thick record for me, but they wouldn't let me see it. I showed them my ID, and they said that's not Joe Ryan's signature. Well, of course not! They had this other guy's signature."

Ryan had fallen into a victim's Catch-22: If your record doesn't appear to be yours, you may not have the right to see it, much less change it. The 1996 Health Insurance Portability and Accountability Act (HIPAA) give patients broad privacy rights, as well as the right to examine their own medical records. But patients don't necessarily have the right to correct errors or even prevent errors from being passed along to other providers. That's because health care providers aren't required to amend records that did not originate with them. Victims can spend years expunging bad entries only to discover a mistake that reappears later -- transferred from a record that wasn't noticed earlier.

Victims of financial identity theft can depend on rights such as the ability to see and correct errors in their credit report, the ability to file fraud alerts, the right to obtain documents or information relating to transactions involving their personal information, and the right to prevent consumer reporting agencies (such as credit bureaus) from reporting information that has resulted from identity theft. B

y contrast, victims of MIT do not have a similar complete set of rights or redresses. Victims of MIT do not have the blanket right to correct errors in their medical files. In some cases, victims have not been allowed to even review the compromised files, nor do they have the right to prevent healthcare providers, medical clearinghouses, or insurers from reporting and re-reporting information that has resulted from identity theft. Even with professional legal assistance, correcting medical records can range from extremely difficult to almost impossible.

As guardians of medical records, it is not surprising that healthcare professionals are one of the key sources of medical information stolen and used for the fraud.  Closely linked with being the inadvertent source of unauthorized medical information are questions of security, foreseeability and liability regarding how the information was accessed. Fortunately, there are ways that healthcare providers can minimize their risk and ensure greater protection of patient information.  As outlined by the Federal Trade Commission, each business must have a non-public information (NPI) policy outlining specific requirements for protecting client and employee’s personal, sensitive information.  Additionally, all businesses must conduct mandatory meetings to educate employees on the NPI policy and about the risks and liabilities of data loss.

As medical identity theft continues to grow as a crime and a social, financial, security and health concern, questions of liability to healthcare providers who fail to provide sufficient protection for patient data become more crucial. In light of the criminal and health considerations, the litigious environment of the United States, and existing and emerging laws concerning business owner’s responsibility and liability for the protection of personal data, ALL healthcare providers need to be proactive to protect the data of their customers, vendors, contractors and, increasingly, their employees.  If unchecked, healthcare providers may never have certainty that the medical records they are relying on to provide care belong to the person who is being treated and patients may be equally uncertain that the records being used to treat them or determine whether a certain type of care is appropriate is based on their medical information, or fraudulently based on the records of an identity thief.

Compliance Assistance
IDT Consultants, LLC, a leading information risk management firm that specializes in data security, regulatory compliance, and industry certifications, assistance is based on FTC materials, guidelines, laws and requirements, that helps you identify the potential risk within your business, understand the liabilities you face, and begin the process of change required by the laws.  www.idtheft101.net

For more information,   call Michael Hill at 404-216-3751 or email This e-mail address is being protected from spambots. You need JavaScript enabled to view it

Michael Hill maintains an extensive Referral Program whereby qualified third parties can profit by helping spread the word about Identity Theft in the Workplace, and our compliance assistance.  For more information or to register for the Referral Program, please contact Mike Hill (404) 216-3751, This e-mail address is being protected from spambots. You need JavaScript enabled to view it