Over the years I’ve thought about the many different issues involved with privacy, but something I had not pondered before came to my attention today as I read the just-released World Privacy Forum report, "Medical Identity Theft: The Information Crime That Can Kill You."
It has always been a concern of mine, and many others, that lack of security controls within computer systems and lack of privacy protections can have real, physical impact upon people. For example, some small modifications to the hospital databases for the amounts of medicine to administer to the patients could have insidious widespread and lethal impacts. However, this new report brings up another possibility…having medical files modified and/or falsified by unauthorized persons, and then the real persons receiving the wrong, potentially fatal, medical treatment based upon the modifications in the records.
The report indicates that, according to their research, between 225,000 and 500,000 people in the United States have been victims of this type of medical identity theft.
This is a 57-page report and quite intriguing reading. Here are a few of the many findings I found interesting and sometimes somewhat shocking:
First, their definition of medical identity theft:
"Medical identity theft occurs when someone uses a person’s name and sometimes other parts of their identity ‚Äì such as insurance information — without the person’s knowledge or consent to obtain medical services or goods, or uses the person’s identity information to make false claims for medical services or goods. Medical identity theft frequently results in erroneous entries being put into existing medical records, and can involve the creation of fictitious medical records in the victim’s name."
Now, just a few of the other excerpts:
"There have been 19,428 complaints regarding medical identity theft to the Federal Trade Commission since January 1, 1992, the earliest date the FTC began recording such complaints.
- Data from government identity theft hotlines and from identity theft surveys containing questions about medical use of data point with some consistency toward a range of approximately 1.5 to 2 percent for the rate of medically related identity theft in comparison with other forms of identity theft.
- Medical identity theft, as articulated by these numbers, translates in number of victims in 2003 to a range of a minimum of about 3,500 victims to up to a theoretical maximum of almost 3.25 million victims. However, our best estimate is that there could be as many as a quarter to a half million people who have been victims of this crime."
"Victims do not have clear pathways for recourse and recovery. The Fair Credit Reporting Act allows for greater recourse for victims of financial identity theft than the HIPAA health privacy rule provides for victims of medical identity theft. For example, victims do not have the legal right to demand correction of their medical information that was not created by the provider or insurer currently maintaining or using the information. This circularity can make it impossible for a medical identity theft victim to erase false entries from a medical or insurance record. This is true even when false entries were put in the record during the commission of a crime, such as health care fraud or medical identity theft."
Hmm…is this completely true? Covered entities (CEs) are supposed to investigate, with demonstrated reasonable care, all requests from patients to correct PHI. Of course, if the fraud is committed by an insider (which it sounds like it often is), these tracks can be covered pretty easily.
Remember the incident in January 2006, when Providence Health System notified 365,000 individuals that their protected health information had been stolen from an employee’s car on December 31, 2005? After reading this report, it seems that this is the type of data that could be used to commit medical identity theft without being readily noticed. Many of the companies that have such incidents, and even the judges who determine the penalties (or lack thereof) for them, take into consideration whether any known fraud has occurred. With medical identity theft it would be very hard to know until long after the fact, as in the cases of the victims described in this report.
The report’s summary and findings include:
"This report finds that medical identity theft is deeply entrenched in the health care system. Identity theft may be done by criminals, doctors, nurses, hospital employees, and increasingly, by highly sophisticated crime rings. The report finds that medical identity theft victims need an expanded right to correct their medical files in order to recover from this crime, and need more specialized consumer education that is focused on correcting the specific harms of medical identity theft. Key recommendations in the report include:
- Individuals’ rights to correct errors in their medical histories and files need to be expanded to allow them to remove false information from their files.
- Individuals should have the right to receive one free copy of their medical file.
- Individuals should have expanded rights to obtain an accounting of disclosures of health information.
- Studies are needed to determine what the incidence of medical identity theft is, how and where it is occurring, and how it can be detected and prevented.
- Notification of medical data breaches to consumers has the potential to save lives, protect health, and prevent losses.
- All working prototypes for the National Health Information Network need comprehensive risk assessments focused on preventing medical identity theft while protecting patient privacy."