What is Medical Identity Theft? It is a crime that involves the theft of your insurance ID, Medicare number or Social Security number (SSN) and use of this information to obtain potentially expensive medical treatment or drugs under your name and, in larger cases of health insurance fraud, bogus payouts.
Who Commits this Crime? The perpetrator could be an organized crime organization conducting a large-scale insurance scam or a single criminal targeting you alone. There have been instances where the crime has been committed by unscrupulous medical professionals or billing personnel or a friend or a family member who “borrows” the victim’s medical identity to get free care in their name. While most who commit this crime steal for financial gain, some, like the AIDS patient who used his cousin’s insurance information to get treatment, steal for medical need.
How Big is this Crime? To date, reliable data has been difficult to obtain because the entities who should be tracking it -- healthcare providers and insurers – are either not doing so or are not sharing what they track. However, in a few weeks the World Privacy Forum (Forum) will release its 2010 report which promises to show significant growth in the incidence and impact of medical identity theft since the Forum’s last report in 2006. Also, the new decade will see a major nationwide initiative to improve access to medical records by converting them from a paper-based format to an electronic format. Unfortunately, greater access for heathcare providers and insurers will also mean greater access for medical identity thieves, and more opportunities for your medical identity to be placed at risk. That is why the U.S. Department of Health and Human Services (HHS) has created under the Health Insurance Portability and Accountability Act (HIPAA), a stringent new Breach Notification Rule that penalizes breaches of your personal health information (PHI)1 and requires that you be told when your PHI has been breached.
Your Risks? There are many, starting with financial risk. The financial risks of medical identity theft are similar to other financially-based forms of identity theft. You face the risk of bills for services you did not receive. Depending on the sophistication of the thief, you may not learn about these bills until they show up in collection notices, or as debts on your credit reports, ruining your credit and exposing you to potential legal liability. For information on managing financially-based identity theft, you should review the materials available on the New York State Department of State Division of Consumer Protection's site here in the section “Identity Theft Prevention and Mitigation Program Resources”, especially the brochure “A Consumer’s Guide to Preventing and Mitigating Identity Theft.” If you have any questions about these materials, contact the Division’s Consumer Assistance Unit at 1-800-697-1220 for assistance. Unfortunately, medical identity theft presents more than financial risks. You may also face medical, insurance and employment risks as a result of the conversion or takeover of your medical records by the thief who is impersonating you. These risks may go undetected for a long time and may have very serious consequences. According to the Forum, “(v)ictims of medical identity theft may receive the wrong medical treatment, find their insurance exhausted, and could become uninsurable for both life and health insurance coverage…(and they) may fail physical exams for employment” 2 due to the documentation in their medical records of diseases from which they never actually suffered.
More risks? Yes, including the loss of reputation, the loss of medical records privacy and the loss of time and the expense involved in clearing your record. When you are accused of a crime based on the behavior of your impersonator you face both a risk to your reputation and possible criminal liability. This happened to a woman with no children who was accused by law enforcement of child endangerment when her impersonator sought belated medical care for a drug-addicted child. If your altered medical records are subpoenaed in a criminal or civil lawsuit, you risk the loss of your medical records privacy, although the court may agree to seal the records. Finally, you risk the loss of time and the expense that will be required to amend or correct your altered records and restore your reputation. You need a strategy to help reduce the threat of medical identity theft, identify when your medical identity has been stolen, and to fight back. To assist you in creating your strategy, the New York State Department of State Division of Consumer Protection recommends the following:
- WHAT TO AVOID.
Avoid carrying your Social Security or Medicare card or your insurance information in your wallet unless you will need to use them. Thus, if you should lose your wallet and it did not contain any of these items, you will not have to worry about medical identity theft.
Avoid letting a friend or family member borrow your Social Security or Medicare card or insurance information in order to obtain medical services. It is illegal because your friend or family member is not entitled to these services under your name. It is also dangerous because it will cause your medical records to be altered with information that is inconsistent with your history and may lead to misdiagnosis and mistreatment in the future.
Avoid providing your SSN, Medicare number or insurance information to any persons you do not know who represent themselves as healthcare providers offering “free” medical services. If the services are really free, these “providers” do not need your insurance information, and their request for your information could be part of a scam.
- WHAT TO LOOK OUT FOR
Read carefully every “Explanation of Benefits” (EOB) statement you receive from an insurer. Are there charges for office visits you did not make or medical services or equipment you did not receive? Even though you are not being asked to pay any money there may be a problem. Contact your insurer and let them know your concerns.
Request a listing of the benefits your insurer has paid under your name at least once a year. If you have a serious concern, make your requests more frequently (e.g., once every three months). If the thief has changed your billing address to avoid detection, this listing may be the best way to learn about all of the bills charged to your account. Contact the insurer about any charges that you do not recognize.
Check your credit reports for any medical debts that are not yours. You may obtain a free copy of your credit report once every 12 months from each of the three credit reporting agencies -- Equifax, Experian and TransUnion -- by visiting www.annualcreditreport.com, calling toll-free 877-322-8228 or by completing an Annual Credit Request Form at www.ftc.gov/bcp/menus/consumer/credit/rights.shtm and mailing to Annual Credit Report Request Service, P.O. Box 1025281. The Division recommends that you stagger your requests by asking for one free credit report from one of the credit reporting agencies every four months. If you find medical debts that are not yours, you should inform the company claiming the debt. - HOW TO FIGHT BACK
If you believe that you are a victim of medical identity theft, you need to investigate and fix the problem. Your first step is to obtain copies of the “Notice of Privacy Practices” from all of your healthcare providers and insurers. This notice will explain your rights under HIPAA to: (i) obtain copies of your medical records (for a reasonable fee), (ii) to request an amendment of inaccurate or incomplete records; and, (iii) to receive an accounting of disclosures made of your medical records to certain third parties. 3 As a New York resident, you also have a right of access to your medical records (also for a reasonable fee) under Section 18 of the New York Public Health Law.4
Obtain copies of your medical records. Under HIPAA, you do not have the right to see and copy everything. You can be denied access to a variety of records including certain lab tests, psychotherapy notes and any materials the disclosure of which your healthcare provider or insurer believes may result in significant harm to yourself or another person. If you are granted access and the right to copy, your next concern should be cost. Due to the size of these records and the nature of some of the materials contained within these records, you may face significant copying expense. Copies of x-rays, for example, may be very expensive so consider carefully what records you actually need to review. Be prepared for a denial of your request on the basis that the information relates to someone else (i.e., the identity thief) and not to you. Under HIPAA, the healthcare provider or insurer is not required to provide you with a right of appeal for any denial of access. If you get denied, check the ”Notice of Privacy Practices” to see if there is a right of appeal and, if so, how to exercise it. Explain in your appeal why you believe that you are a victim of identity theft and why the records are needed for your investigation. Alternatively, you should consider making your request under the New York Public Health Law which contains different exceptions but does provide for a State-mandated right to appeal a denial access in all cases.
Have your altered records amended to remove inaccurate or incomplete information. Under HIPAA, you do not have an absolute right to amend your medical records, only a right to request an amendment subject to your healthcare provider’s or insurer’s review. If you want inaccurate or incomplete information removed from your records, it is important to show that the disputed information is not about you. If the misinformation has not yet affected your care, you have a reasonable case for removal. However, if the misinformation has already affected your care, then for legal and medical reasons it may need to be kept in your records. At a minimum, you should be allowed to enter into your records a statement that you disagree with the information and provide the reasons why you disagree. It is critical that your statement be entered into your records as a “red flag” to healthcare providers and insurers signaling that certain information is inaccurate or incomplete. Be aware that under HIPAA your right to request an amendment does not extend to any healthcare provider or insurer who did not create the record in dispute.
Obtain an accounting of disclosures. Under HIPAA, you are entitled to an accounting of disclosures made of your medical records to certain third parties during the twelve month period preceding your request. This is a log that includes the date of the disclosure, the name of the person or entity who received the information, a brief description of the information, and a brief statement of the purpose for which the information was disclosed. Be aware that no accounting is required for disclosures you authorized, for disclosures related to treatment, payment or healthcare operations, or for internal disclosures, i.e., disclosures made to personnel within the entity to which you made the request. With so many loopholes why bother to ask for this? The entity may provide a greater range of disclosures than it is actually required to do so under the law. Even if the entity takes a very conservative approach, there will still be useful information in the accounting that may help you in your investigation. Additionally, keep in mind that there is no charge for an accounting. 5
File a complaint with the Office of Civil Rights (OCR) of HHS. You should consider this action if you believe that your request for access or amendment of your records or for an accounting of disclosures is not being properly handled. File your complaint through the OCR section at http://www.hhs.gov/ or by telephone at 1-800-368- 1019.
File a Police Report. File a police report immediately to notify law enforcement that a crime may have been committed. Send copies of the police report to the three credit reporting agencies and to your healthcare providers and insurers. Finally, make sure you take the time to file a medical identify theft complaint with the Federal Trade Commission (FTC) at https://www.ftccomplaintassistant.gov/ or call the FTC's toll free hotline at 1-877-IDTHEFT (438-4338). It is important that you contribute your own experience to help the FTC, the Division and others better understand and fight back against medical identity theft.
Reducing your risk of identity theft in any form -- including medical identity theft -- should be part of your everyday routine. Because your rights against medical identity theft are not as strong as your rights against financial identity theft, you will need to pursue them as aggressively as you can. Don’t be afraid to negotiate with your healthcare provider or insurer to get what you want.
- Under HIPAA, PHI is defined as "any information, whether oral or recorded in any form or medium" that "is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse"; and "relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual." See 45 CFR 160.103; 45 CFR 164.501.↑
- “MEDICAL IDENTITY THEFT: The Information Crime that Can Kill You”, Spring 2006, at p. 6. ↑
- For a detailed discussion of each of the actions mentioned in this section, please review the “Patient’s Guide to HIPAA: How to Use the Law to Guard your Health Privacy” (Release date: March 31, 2009) at http://www.worldprivacyforum.org/. ↑
- http://law.onecle.com/new-york/public-health/PBH018_18.html ↑
- http://www.health.state.ny.us/publications/1443/ ↑