Medical Identity Theft and HIPAA

On Wednesday the Queens Gazette ran a report on medical identity theft.
This certainly is an issue of concern. I blogged about medical identity theft earlier this year.
Combining identity theft with unauthorized access to medical information can magnify the repercussions well beyond wrecked credit ratings and the hundreds of hours spent cleaning up the damage a criminal can do with personally identifiable information (PII). With access to a victim's prescription information, insurance information, physician information, medical history and everything else in the record, the potential to further abuse and seriously harm the individual, mentally, physically and financially, increases considerably.


The Wednesday article indicated that the U.S. Federal Trade Commission (FTC) has documented 19,428 complaints of medical identity theft since it started tracking this problem on January 1, 1992.
The World Privacy Forum has also been tracking this issue. They have some great information about medical identity theft on their website.
In the article the World Privacy Forum executive director, Pam Dixon, “asserts that medical identity theft is primarily an inside job perpetrated by employees with legitimate access to patients’ medical records. She estimates there is an average $1 million to $2 million payout per crime ring activity. Since much medical identity theft goes unnoticed and unreported, her best guess for how extensive the problem is indicates that 2.5 to 3.5 percent of all identity theft is medical identity theft. Regrettably, there is little that the average consumer can do to protect himself from this form of theft, but some corrective measures are possible. The public must keep their medical insurance cards in a safe place. Insurance cards should be treated as one would treat a bank card.”
The insider threat certainly exists, and considering the typical environment within hospitals and medical clinics, the opportunity is often there for personnel to access patient medical records even when they have no authorization to do so.
While the insider threat can never be eliminated completely, it can be addressed and reduced by performing criminal and background checks on personnel with access to PII of all forms, including protected health information (PHI), and by implementing a strong and ongoing information security and privacy awareness and training program for all personnel, including contractors, consultants and outsourced vendors.
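As an added example (not from the original post, and not code from any organization it mentions), the following Python script shows the kind of audit-log review that complements background checks and training against the "inside job" described above: it flags chart accesses by workforce members who have no documented treatment relationship with the patient, sets aside accesses that carry a documented emergency (break-glass) reason for separate review, and flags users whose chart-open volume is far above their peers. The log format, user names, patient IDs and assignment table are all constructed for illustration; a real deployment would feed these from the EHR audit export and the scheduling/admission system.

```python
"""Treatment-relationship and volume checks over constructed EHR audit events.

Added example, not part of the original post. Everything below (log format,
users, patient IDs, assignments) is constructed for illustration.
"""
from collections import Counter
import csv
import io
import statistics

# Constructed: patients each workforce member is assigned to care for.
# In practice this comes from scheduling / admission (ADT) data.
TREATMENT_RELATIONSHIPS = {
    "nurse_ana": {"P1001", "P1002", "P1003"},
    "dr_kim": {"P1001", "P1004"},
    "clerk_raj": set(),  # billing clerk: no direct-care relationship
}

# Constructed audit export: timestamp,user,action,patient_id,reason
SAMPLE_LOG = """\
timestamp,user,action,patient_id,reason
2008-04-02T09:01:00,nurse_ana,open_chart,P1001,
2008-04-02T09:05:00,nurse_ana,open_chart,P1002,
2008-04-02T09:30:00,dr_kim,open_chart,P1004,
2008-04-02T10:00:00,nurse_ana,open_chart,P1003,
2008-04-02T10:20:00,dr_kim,open_chart,P1001,
2008-04-02T11:00:00,dr_kim,open_chart,P1002,ER consult - break glass
2008-04-02T22:10:00,clerk_raj,open_chart,P1001,
2008-04-02T22:11:00,clerk_raj,open_chart,P1002,
2008-04-02T22:12:00,clerk_raj,open_chart,P1003,
2008-04-02T22:13:00,clerk_raj,open_chart,P1004,
2008-04-02T22:14:00,clerk_raj,open_chart,P1005,
2008-04-02T22:15:00,clerk_raj,open_chart,P1006,
2008-04-02T22:16:00,clerk_raj,open_chart,P1007,
2008-04-02T22:17:00,clerk_raj,open_chart,P1008,
2008-04-02T22:18:00,clerk_raj,open_chart,P1009,
2008-04-02T22:19:00,clerk_raj,open_chart,P1010,
2008-04-02T22:20:00,clerk_raj,open_chart,P1011,
2008-04-02T22:21:00,clerk_raj,open_chart,P1012,
"""


def parse_log(text):
    """Parse the CSV audit export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def unrelated_access(rows, relationships):
    """Chart opens by users with no treatment relationship to the patient.

    Returns (suspicious, break_glass): an access with a documented emergency
    reason is still outside the user's assignments, so it is returned for
    review rather than silently accepted, but kept apart from plain misuse.
    """
    suspicious, break_glass = [], []
    for r in rows:
        if r["action"] != "open_chart":
            continue
        if r["patient_id"] in relationships.get(r["user"], set()):
            continue
        event = (r["timestamp"], r["user"], r["patient_id"])
        if (r.get("reason") or "").strip():
            break_glass.append(event)
        else:
            suspicious.append(event)
    return suspicious, break_glass


def volume_outliers(rows, factor=3, minimum=5):
    """Users whose chart-open count exceeds `factor` times the median count.

    `minimum` avoids flagging tiny counts when the median is very small.
    """
    counts = Counter(r["user"] for r in rows if r["action"] == "open_chart")
    if not counts:
        return {}
    median = statistics.median(counts.values())
    return {u: c for u, c in counts.items()
            if c >= minimum and c > factor * median}


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    suspicious, break_glass = unrelated_access(rows, TREATMENT_RELATIONSHIPS)
    print("Access without treatment relationship (no reason given):")
    for ts, user, pid in suspicious:
        print(f"  {ts} {user} opened {pid}")
    print("Break-glass access to review:")
    for ts, user, pid in break_glass:
        print(f"  {ts} {user} opened {pid}")
    print("Volume outliers:", volume_outliers(rows))
```

The two checks are deliberately independent: a single off-assignment access by a clinician is usually a workflow gap, while a clerk opening a dozen charts outside any assignment after hours is the pattern that precedes billing fraud. Tune `factor` and `minimum` to the unit's normal workload before acting on the output.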

“However, few cases of medical identity theft result from the theft of an insurance card. This form of theft occurs on a large scale in hospitals, doctors’ offices, clinics and pharmacies without the patient ever knowing it is happening. A hospital you’ve never been in could be charging your insurance company for a surgery you never had. Unless you read every explanation of benefits notice sent to you and question every charge, you may never notice that a crime has occurred.
Moreover, although you may eventually be able to recover your credit financially, due to HIPAA regulations, you may never be able to correct your medical record. The HIPAA (Health Insurance Portability and Accountability Act) enacted a privacy rule to protect patients from unauthorized access to their personal medical information, but that same rule can also make it difficult to remove erroneous information from a medical record. When one considers the possible medical safety issues resulting from incorrect medical information in one’s medical record, such as incorrect blood type, drug interaction and allergy information, erroneous information could be life threatening.”

Certainly it is more important than ever before for individuals to keep track of their records, both financial and medical.
However, I do not agree that access to your own medical records is now harder under HIPAA. I do not know where the interpretation that HIPAA makes access to your own medical records harder than it was comes from; HIPAA explicitly gives individuals the right to review and to request corrections to their patient information (the right of access and the right to amend, in the Privacy Rule at 45 CFR §§ 164.524 and 164.526). The rule also requires covered entities to open their records, including PHI, to HHS for compliance investigations; § 160.310 specifically states:

“(c) Permit access to information.
(1) A covered entity must permit access by the Secretary during normal business hours to its facilities, books, records, accounts, and other sources of information, including protected health information, that are pertinent to ascertaining compliance with the applicable administrative simplification provisions. If the Secretary determines that exigent circumstances exist, such as when documents may be hidden or destroyed, a covered entity must permit access by the Secretary at any time and without notice.
(2) If any information required of a covered entity under this section is in the exclusive possession of any other agency, institution, or person and the other agency, institution, or person fails or refuses to furnish the information, the covered entity must so certify and set forth what efforts it has made to obtain the information.”

The frequently asked questions (FAQ) provided by the Department of Health and Human Services (HHS) also explain these rights as follows:

“Ask to see and get a copy of your health records
You can ask to see and get a copy of your medical record and other health information. You may not be able to get all of your information in a few special cases. For example, if your doctor decides something in your file might endanger you or someone else, the doctor may not have to give this information to you.
In most cases, your copies must be given to you within 30 days, but this can be extended for another 30 days if you are given a reason.
You may have to pay for the cost of copying and mailing if you request copies and mailing.
Have corrections added to your health information
You can ask to change any wrong information in your file or add information to your file if it is incomplete. For example, if you and your hospital agree that your file has the wrong result for a test, the hospital must change it. Even if the hospital believes the test result is correct, you still have the right to have your disagreement noted in your file.
In most cases the file should be changed within 60 days, but the hospital can take an extra 30 days if you are given a reason.”

Prior to HIPAA most hospitals and medical clinics would deny individuals access to their patient records. I have seen an improvement regarding this issue since this HIPAA requirement for access was enacted, so overall this is a good thing, not a bad thing.
I have also seen hospitals and medical clinics misinterpreting HIPAA, and sometimes doing things in a way that the spirit of the law did not intend. However, this is an awareness and education issue with getting covered entities (CEs) to understand the HIPAA requirements, and generally not a problem with this particular part of the HIPAA Privacy Rule.
And yes, this access is critical to ensure life- and health-threatening incorrect information is corrected.
I agree, providers definitely need to receive better and ongoing education about the rights of patients to their information under the HIPAA Privacy Rule. Although HHS has an abundance of information on its website about this, very few of the CEs I’ve spoken with have actually been to the site. Far too many rely upon the often incorrect interpretations of “HIPPA expert” consultants for how to meet compliance. Folks, if a consultant doesn’t know the acronym, then don’t rely upon him or her to know what HIPAA really requires!

“Elmhurst Hospital Director of Medical Informatics Dr. Glenn Martin explained that the Queens Health Network is in the forefront throughout the nation in clinical use and access to computerized medical information. For the past three years Elmhurst and Queens Hospitals have given the “Smart Card” to approximately 15,000 patients. The Smart Card chip is a miniature computer used for cash transactions, storing, using and providing medical information on demand.
Elmhurst Hospital Director of External Affairs Dario Centorcelli said that currently Elmhurst and Queens Hospitals are the only hospitals capable of programming information into this card, but every HHC hospital, as well as most hospitals in Queens, has the ability to access medical information from these cards. If a Smart Card patient is treated in a hospital other than Elmhurst, updated medical information can be sent to Elmhurst Hospital for inclusion into the card’s chip. These cards hold an abstract of the patient’s medical history including allergies, surgeries, chronic illnesses and current medications. Also, each card has a photo of the patient, assuring that only the person in the photo is being treated, not an imposter. These cards will soon have passwords and pins, as do bank cards. This will further ensure that only the person whose information is encrypted on the card will have access to this information. Doctors will have the ability to override the password for emergency purposes only.
Martin said that a consortium of hospitals in Queens, including Elmhurst, Queens, Jamaica, The Mount Sinai Hospital of Queens and New York Hospital of Queens, have received a HEAL grant to link the borough of Queens by upgrading the Smart Card and each hospital’s ability to enter and access information to this card. In the near future, Mount Sinai Hospital will begin giving Smart Cards to its patients.”

Based only upon what is reported, it sounds like Elmhurst is really progressive and moving in a great forward direction with improving the security and privacy assurances of PHI. Of course much depends upon how the smart cards are implemented, in particular how the emergency override of the password is controlled and logged, and whether the data on the chip is actually encrypted rather than merely access-controlled, but it certainly is a promising way to limit unnecessary access to PHI.
