FAQ: Medical ID Theft: How to Recover if You’re A Victim – And What To Do If You Are Worried About Becoming a Victim

This resource gives detailed steps for recovering from medical ID theft in Question and Answer format. This list represents the most frequent and important questions about medical ID theft.

Related Resource: WPF Medical ID Theft Resource Page

 

Introduction and Purpose

This list of frequently asked questions (FAQs) is designed to help victims find and document medical identity theft, and take steps to recover from it. This document is also useful for anyone who is interested in their rights and tools regarding their health records.

The tools this FAQ discusses can be used to trace medical identity theft. The tools include part of the rights granted to patients under federal health privacy rules (HIPAA, see #4 in this section) and other laws. Key rights include:

  • The right to access your health records,
  • The right to ask for amendment of your health records, and
  • The right to have an accounting (or history) of disclosures.

This FAQ details, step by step, what these tools are and how you can use them. The document also includes text and sample letters that can be copied and used for sending letters to doctors, hospitals, and insurance companies.

This document has five sections following this introduction. There is a background section, sections covering access, amendment, and accounting, and a final section answering other questions. Some information appears more than once in different sections. Sample letters are marked off with a red “Sample Letter” heading. These can be copied and pasted for your own use.

To navigate this document, either scroll down to read the document in its entirety, or just click on the FAQ that is of most interest to you.

 

 

I. General and Background Questions

 

1. What is medical identity theft?

2. Isn’t medical identity theft just a type of health care fraud?

3. If a health care worker steals my identity and opens a credit card in my name, is that medical identity theft?

4. What’s HIPAA?

5. Will this FAQ help me if my health records are wrong but I am not a victim of medical identity theft?

 

 

II. Access to health records

 

6. Can I see my health records and obtain a copy?

7. Why do I need access to my health records?

8. How do I make a request for access?

9. What records should I ask for?

10. What does it cost to obtain copies of a record?

11. Can health care institutions withhold some health records?

12. Do I have greater rights under state laws, other federal laws, or hospital policies?

13. What’s the best strategy for making a request?

 

 

III. Amending health records

 

14. Can I amend my health records?

15. How do I make a request for amendment?

16. Can I ask that wrong information be removed from my file?

17. What other limits are there on amendments?

18. Do I have greater rights under state laws, other federal laws, or hospital policies?

19. What happens when a covered entity agrees to make an amendment?

20. Can I appeal if a covered entity refuses to make an amendment?

21. Are there other remedies if my request for amendment is denied?

22. Can the covered entity still disclose the information that I disputed?

 

 

IV. Accounting for Disclosures

 

23. What’s an accounting of disclosures?

24. Why should I care about accounting of disclosures?

25. How do I make a request for an accounting?

26. Who has to provide me with an accounting of disclosures?

27. What does it cost to obtain an accounting?

28. What are the limitations of an accounting of disclosures?

29. The accounting of disclosures doesn’t appear to be very useful. Why get an accounting?

30. Do I have greater rights under state laws, other federal laws, or hospital policies?

31. What’s the best strategy for making a request?

 

V. Other FAQs for Medical Identity Theft Victims

 

32. I got a call from a bill collector about a medical bill for a doctor that I never saw.

33. Where else can I find useful information?

34. Are credit reports important in cases of medical identity theft?

35. I am dealing with a federal agency. How can I learn more about my rights under the Privacy Act of 1974 or the Freedom of Information Act?

36. Should I file a police report?

37. Why is addressing medical identity theft so hard?

38. What do I do if I have a PHR? (Personal Health Record)

 


I. General and Background Questions

1. What is medical identity theft?

Medical identity theft occurs when someone uses an individual’s name or other parts of the individual’s identity – such as insurance information or Social Security Number – without the victim’s knowledge or consent to obtain medical services or goods. Medical identity theft can also occur when someone uses the person’s identity to obtain money by falsifying claims for medical services and falsifying health records to support those claims. The essence of the crime is the use of a medical identity by a criminal and the lack of knowledge by the victim.

The World Privacy Forum’s report on medical identity theft is MEDICAL IDENTITY THEFT: The Information Crime that Can Kill You. You can find it at the WPF Medical Identity Theft page <https://www.worldprivacyforum.org/medicalidentitytheft.html>.

If you think you might be a victim but your doctor’s office doesn’t know anything about medical identity theft, refer the office to resources from the AHIMA (American Health Information Management Association) <http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_039058.hcsp?dDocName=bok1_039058>.


2. Isn’t medical identity theft just a type of health care fraud?

Yes. Medical identity theft is a subset of health care fraud. But it is more than just a crime against the health care system. Medical identity theft can also have financial and other life consequences for patients. It’s a crime involving theft or abuse of identity information that places individual victims at risk of medical mistreatment. It also affects health care providers and insurers who may directly bear financial losses. Medical identity theft needs to be understood in its context as an information crime that is similar to and different from other forms of identity theft. We emphasize the need for record keeping because the battle over your medical identity theft case may take a long time, and you won’t remember everything that happened if you do not write it all down in an orderly way. Your records may be important if you ever file a lawsuit over your case of medical identity theft. Your records are also important as you begin to correct and repair errors that may be in your health files.


3. If a health care worker steals my identity and opens a credit card in my name, is that medical identity theft?

Some identity theft cases arise in medical settings, but they are not medical identity theft. For example, if a hospital worker steals a patient’s credit card number or other financially related identity information and goes on a shopping spree at a mall, that is not medical identity theft. It is more traditional financial identity theft. In this situation, the crime did not affect the medical identity of the individual, even though it involved the use of personal financial information. The victim of this type of identity theft may not need the specialized responses to medical identity theft discussed in these FAQs.

If you are looking for more information on non-medical identity theft, try one of these other websites:

  • Privacy Rights Clearinghouse <http://www.privacyrights.org/identity.htm#ITRC>
  • Identity Theft Resource Center <http://www.idtheftcenter.org/>
  • Federal Trade Commission’s Identity Theft site <http://www.ftc.gov/bcp/edu/microsites/idtheft/>.


4. What’s HIPAA?

HIPAA is an important acronym for health records and medical privacy. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. HIPAA refers to the federal HIPAA law as well as to a set of rules and regulations, including the HIPAA privacy rules and the HIPAA security rule, among others.

Under authority granted by HIPAA, a federal law, the Secretary of Health and Human Services issued health privacy regulations that became effective in 2003. The Office of Civil Rights is the HHS agency responsible for the privacy rule. <http://www.hhs.gov/ocr/hipaa>.

There is also a HIPAA rule governing security of health records. The Office of Civil Rights has also become the HHS agency responsible for the security rule. <http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html>. You can find copies of the HIPAA rules and other useful materials at these websites. Both rules are long and complex. The HIPAA privacy rule is the most important rule for all individuals and for individuals who may be victims of identity theft. The HIPAA security rule describes security requirements for health care providers and insurers. Most individuals will not benefit from reviewing the security rule.

This FAQ summarizes the parts of the privacy rule most relevant to medical identity theft victims, but it does not cover every nuance.

An important concept in HIPAA is covered entity. Nearly every health care provider is a covered entity, as is every health plan. Health care clearinghouses are also covered entities, but they are not likely to be important to most patients. Anyone who is a covered entity (or a business associate of a covered entity) must comply with the HIPAA rules. The World Privacy Forum’s Patient’s Guide to HIPAA offers a broader view of your HIPAA rights <https://www.worldprivacyforum.org/2013/09/hipaaguidehome/>.

  • A note about business associates: A business associate of a covered entity is someone who carries out a function or activity involving health records on behalf of the covered entity. A 2009 amendment to the HIPAA law changed somewhat the status of business associates. Not all of the changes have been implemented through regulations. How a covered entity will meet its responsibility to provide access, correction, and accounting to patients for records held by a business associate of the covered entity will change. What these changes will be and whether they will make any difference to patients seeking to exercise the rights described in this FAQ is not clear. Until the rules become clearer, we suggest that patients seek to work directly with a covered entity and only pursue business associates if and when directed by a covered entity.
  • A note about changes to laws and regulations: The HIPAA law and its regulations have changed since they were put in place. They will change again. This FAQ is current as of the date identified at the end. However, more regulatory changes are in the works. Readers need to be aware that this FAQ may not always reflect current law. We do our best to keep this up to date.


5. Will this FAQ help me if my health records are wrong but I am not a victim of medical identity theft?

Maybe. The focus here is on victims of medical identity theft. A common problem faced by victims is the presence in their health records of information that is about someone else. Information about someone else may appear in anyone’s medical file for reasons other than identity theft (e.g., filing errors, mistaken identities, and data entry errors).

If your problem involves the presence of information in your health records about someone else, you may find the advice here helpful. However, if you want to dispute the contents of your medical file because you disagree with your doctor’s diagnosis, you may not find the advice as relevant. Nevertheless, the basic rules defining patient rights regarding access, amendment, and accounting are the same for everyone. This FAQ explains the basics.


 

II. Access to health records

 

6. Can I see my health records and obtain a copy?

The general answer is yes. The federal HIPAA health privacy rule requires health care providers and insurers to provide you with access to your health records. The details and limitations are described in other FAQs here. You have a right of access to health records whether or not you are a medical identity theft victim.


7. Why do I need access to my health records?

There are many reasons to see and keep a copy of your health records. Some people try to maintain a personal health record so that they have all health records in one place. For more information on this strategy, see the website of the American Health Information Management Association at <http://www.myphr.com/>.

For a medical identity theft victim, medical and health insurance records are essential to figuring out the facts in your case. The thief may have used your name when the thief saw a doctor, obtained prescription drugs with your health ID number, filed claims with your insurance company, or did other things that left a trail in your health records. The actions of the thief may be intermingled with the records of your own treatment and payment activities. For example, your health insurer may have records showing bills submitted by your dentist, drug store, and obstetrician together with other bills that resulted from the thief’s activities. In some instances, the crook is not someone who sought medical care but a health care provider who submitted a wholly fraudulent bill in your name, your spouse’s name, or your child’s name.

If you have reason to believe that you are a victim of identity theft, you need to find the facts. Obtaining a copy of your health records from your health care providers, hospitals, pharmacies, laboratories, and health insurers is the main way to learn what happened.

You may be tipped off to medical identity theft by receiving an explanation of benefits from your insurer for services that you never sought or received. You may receive a bill for services that you did not use. You may receive a dunning notice (a notice that a bill has not yet gone to a collection agency, but will if not paid soon) or phone call from a debt collector for a health care bill in your name that was never paid. If any of these things happen to you, you need to find the facts by obtaining basic records from providers and insurers. Ask questions, keep records of what you learn, preserve your rights, and follow the trail of information. It is very important that you keep records of what you do, what you are told, and who you talk to. Keep copies of all explanations of benefits (EOB) and other documents you receive.


8. How do I make a request for access?

Start by obtaining a copy of the notice of privacy practices that the HIPAA health privacy rule requires each hospital and insurer to publish. You may already have a copy. If not, each HIPAA covered entity must provide a copy of its notice to anyone who asks for one. In addition, a copy should be available on the website of each covered entity (if the covered entity has a website).

The notice of privacy practices describes your rights, including your right to inspect and obtain a copy of your record. Each covered entity may have its own process for accepting and fulfilling access requests. You will likely be asked to fill out a form in order to make your request for access.

When you make a request, the covered entity must act on your request within 30 days. It can take an additional 30 days to act if it provides you with a written explanation of the delay.


9. What records should I ask for?

Any HIPAA-covered entity must allow you to inspect or obtain a copy of your record. Some records can be withheld, and the limitations are discussed later in this FAQ. Just figuring out who to ask and what to ask for can be complex. Don’t assume that you need a copy of all records from all health care providers and insurers. Obtaining your health records can be complicated, may present some hard choices, and will require some planning. Don’t panic. Clearing up cases of medical identity theft will take time and effort.

First, while you generally have the right to inspect and obtain a copy of your health record, a health care provider or insurer can charge you a fee for a copy. Copying charges can be as much as $1.00 per page and perhaps more. Fees must be reasonable and cost-based. You may want to think about the costs involved before you ask. A hospital record can have hundreds of pages. You should not have to pay a fee to simply inspect your records. You may only be asked to pay a fee when you request a copy of the records.

Second, not every health care provider may have records that you need to track medical identity theft. If the thief obtained a prescription in your name, you will want the record from the pharmacy that filled the prescription and from the health care provider who wrote the prescription. You may not need your record from a podiatrist, optometrist, or other provider you have visited in the past, or even one that you are seeing currently, if you have no reason to believe that they have records related to the medical identity theft.

If you have been using the same hospital for 20 years and you think that the identity theft is recent, you may want to limit your request to records of the last several years or several months. Similarly, records held by the health insurer that covered you two years ago and that does not cover you today may not be relevant. But if the theft dates back several years, then older records may be essential.

You may not know which records you need at first. The point is that you want to obtain records that you think are relevant, but you may not want every record from every HIPAA covered entity. Most people have had dozens of health care providers in the course of their lives, and many records will not be relevant.

It is always possible that the thief who used your name obtained services from a health care provider, including a clinic, pharmacy, or laboratory, that you never used yourself. Don’t be surprised if the trail may lead you to unexpected places.

One part of the health care world that few people recognize is the Pharmacy Benefit Manager or PBM. A PBM is a company that contracts with managed care organizations, self-insured companies, and government programs to handle pharmacy network management, drug utilization review, and other activities. A PBM is likely to be the organization that fills your drug prescriptions by mail. A PBM may have relevant records in some cases.

Third, asking for a copy of your complete health record may provide more information than you need. It could be expensive. Your health records may include copies of x-rays and other diagnostic tests that may be costly to duplicate. You may not need everything in your health record to see if you were a medical identity theft victim.

Consider how you might limit your request for access so that you limit your costs. Admittedly, it may be hard to figure out the scope of the identity theft at first. See if you can talk to an individual in the record keeper’s office when you make a request so that you can negotiate what you really need. One idea is to not ask for copies of x-rays unless you discover that the x-rays are essential. If other records are especially expensive to duplicate, you may want to defer asking for those records too. Another idea is to ask to inspect your records first so you can decide which parts you want to have copied.

On the other hand, if records are electronic, it may be easy and inexpensive to obtain an electronic copy of everything or almost everything. If the covered entity has electronic records, it must give them to you in electronic form if you want them in that form. You can ask for a hard copy of electronic records, but the cost might be higher.

Fourth, once you receive some records, you may be able to focus later requests. If your insurance record shows bills from or payments to physicians or clinics that never treated you, you will then know to make requests for records in your name at those offices.

Fifth, think about records beyond the health care system. The HIPAA rules only help for health care institutions such as providers and insurers. However, if the thief ran up unpaid bills in your name, you may need to obtain a copy of your credit report. To learn more about obtaining a free copy of your credit report, see the How Private Is My Credit Report? fact sheet published by the Privacy Rights Clearinghouse at <http://www.privacyrights.org/fs/fs6-crdt.htm>. You can also find more general identity theft information at <http://www.privacyrights.org/identity.htm#ITRC>.


10. What does it cost to obtain copies of a record?

The HIPAA rule allows a covered entity to charge for copying and postage. It can also charge for preparing an explanation or summary if you request one. Many health care institutions use record management companies to handle copying requests, and the costs can be as much as $1.00 a page or more. A copy of a record such as an x-ray may cost even more. You may want to limit your request to essential records in order to control costs. You may not know at the beginning which records you need. You should be able to inspect your records without cost to you.

  • WPF Policy Note: The World Privacy Forum believes that victims of medical identity theft should have the right to obtain a copy of health records without charge as often as necessary until the problems resulting from identity theft have been resolved. Victims of financial identity theft can obtain a free copy of a credit report. Medical identity theft victims should have free access to the records that they need.


11. Can health care institutions withhold some health records?

Yes. First, the right of access under HIPAA does not extend to psychotherapy notes, some laboratory records (CLIA labs), and materials compiled for litigation. These records are less likely to be relevant to your case anyway. The Department of Health and Human Services (HHS) proposed lifting the restriction on access to CLIA lab records in 2011. See: <https://www.federalregister.gov/articles/2011/09/14/2011-23525/clia-program-and-hipaa-privacy-rule-patients-access-to-test-reports>. If the rule on CLIA changes, you can find out at the Office of Civil Rights Website.

Second, a covered entity can deny you access to some records, including records maintained by a prison, some records of research participants, and records obtained from someone other than a health care provider under a promise of confidentiality. The HIPAA privacy rule does not require a health care institution to allow you to appeal the denial of these records, but some institutions might accept an appeal if you file one. Read the notice of privacy practices to learn if there is an appeal option.

Third, a covered entity can deny you access to some records, but there is a right of appeal if you are denied. If a licensed health professional determined that access is reasonably likely to endanger the life or physical safety of you or another individual, records can be withheld. Records about other people can be withheld if a licensed health professional has determined that access is reasonably likely to cause substantial harm to that individual or another person. Requests made by an individual’s personal representative can also be denied if disclosure would cause substantial harm.

Note: Be aware that you may have greater rights of access under state law than you do under the federal HIPAA health privacy rule. Any health care institution should know about state laws that apply to it, but that may not always be the case. See the next FAQ.

  • WPF Policy Note: The HIPAA access rule does not specifically address the special situation of medical identity theft victims. We believe that covered entities should consider the needs of medical identity theft victims whenever records are withheld. Sometimes, a covered entity will deny a request for access by the victim because the actual patient (i.e., the criminal) was another individual. This creates a situation where records in the patient’s file are withheld because a criminal impersonated the patient. Yet the records remain in the patient’s file and may continue to be used in ways that affect the record subject. The result is that the record subject’s rights and interests may be ignored on legal technicalities. This is the worst of both worlds. If this happens to you, ask the office to consider establishing “Jane or John Doe” records in which the identity thief’s information is maintained separately from the victim’s information with links to the original record.

If an institution withholds records, it must provide a written denial explaining the reason for the denial. It must also explain any appeal rights that you have.

The World Privacy Forum recommends that any medical identity theft victim explain to a health care institution the reason for the request. Be friendly and be determined. It may help if you ask to speak to the institution’s privacy official. HIPAA requires each covered entity to designate a privacy official.

In general, health care institutions that have records about you are not criminals and share a common interest in solving medical identity theft problems. Those institutions may be victims too.

Sample Letter

Here is some language that you may want to use in your letters to alert institutions of the problem:

I may be a victim of medical identity theft. Someone may have obtained medical services using my name or my health insurance. The health records that your institution maintains about me may include information that is wrong or actually about someone else. That information could be used to adversely affect my personal health care or to deny me insurance benefits that I am entitled to receive. I am working to identify the effects of the medical identity theft and to remove incorrect information from my files.

Your institution not only has a responsibility to maintain accurate records, but it too may have been a victim of the same identity theft. We have a joint interest in resolving this problem. You may want to report my request to the part of your organization responsible for health care fraud.

The exemptions that permit withholding of records are mostly discretionary, and a record keeper can still disclose a record even if it is exempt from disclosure. If the withheld records are important to determining your status as a medical identity theft victim, there is a better chance that you will be given the records.

If records are withheld, you should pursue your appeal rights if you think that you need the records. But if you don’t think that the records are needed, then there may be no reason to appeal.

You can also complain to the Secretary of the federal Department of Health and Human Services about how your request was handled. You can find information about the process at <http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html>. Whether the Secretary will actually investigate your problem is uncertain.


12. Do I have greater rights under state laws, other federal laws, or hospital policies?

Maybe. Some states have health privacy laws that provide greater rights of access, fewer grounds for withholding records, and lower costs for copies. If your records are held by the federal government (e.g., Medicare or VA), your rights to have a copy of records under the Privacy Act of 1974 or the Freedom of Information Act may be greater than under HIPAA. When these laws have overlapping provisions, you are entitled to the most favorable parts of each of the laws.

You may want to include the following language in any access request that you make. This may be especially important if a health care institution provides you with a form to fill out. Any pre-printed form may be designed to limit your request to the minimum HIPAA requirements, and you should ask for more just in case more is available.

Sample Letter

Add language like this to the form or to a cover letter:

This request for access covers all health records that are required to be made available under the federal HIPAA rule. In addition, if other federal or state laws provide greater rights of access to records, I also request that you provide a copy of all records within the scope of my request to which I have a legal right. If any records are being withheld, please reconsider the withholding because of my status as a possible victim of medical identity theft. If this request will result in any charges to me, please contact me first to discuss it. I will not pay any charges unless you inform me of the charges in advance and I specifically agree to pay them.


13. What’s the best strategy for making a request?

When making a request, try to talk to a person in the office that maintains your records. There may be a privacy official at larger institutions who will help you. Tell that person that you think you are a victim of medical identity theft and that you are looking for records that will document what happened.

The institution may also be a victim. If someone obtained services from a hospital in your name, the hospital may ultimately be stuck with the bill. It is in the hospital’s interest to learn about the crime too. The same is true for your health insurer. Everyone in the health care world is aware that fraud is a major and costly problem. With a little diligence and luck, you may be able to find someone who will pay attention to the problem that you have, help you get the records that you need, and ultimately solve your problem.

Remember that the wrong information in your health record can harm you. If your health records show the blood type of an identity thief rather than your own blood type, the wrong information can kill you. The same is true for prescription drugs issued in your name to an identity thief. Consider reminding people that you talk to that the wrong information may not only harm you, but it could make the record keeper legally liable for damages. However, don’t make idle threats about lawsuits. You want people to help you. Health care providers should already be sensitive to the possibility of incorrect information in medical files without much pressure from you.

If you are harmed by medical identity theft, it is possible that you may be able to sue someone for damages. That may include a hospital or insurance company that maintains and discloses incorrect information about you. However, your primary goal should be to resolve the problems resulting from medical identity theft and to correct your records. Nevertheless, you may also want to think about the possibility that you have a legal claim for damages. Keep records of everything that you do to resolve your medical identity theft case. Keep records of everyone you talk to as well. These records may be valuable in the event of legal action and will be useful otherwise.

You may also want to keep records so that you can file an administrative complaint about a health care institution that did not comply with the HIPAA privacy rule. You can learn more about filing an administrative complaint with the Department of Health and Human Services at <http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html>. It is uncertain whether HHS will be much help to medical identity theft victims. However, if a covered entity is not following the health privacy rule, you may want to report that entity to HHS.

Finally, the accounting of disclosures – a list of disclosures made by the institution when it shares your health records with some others – is another source of information. Under HIPAA, you have a right to have a copy of the accounting of disclosures for your health records. See the separate FAQ about requests for accounting of disclosure records.

III. Amending health records

 

14. Can I amend my health records?

Yes, but amending health records can be complex, difficult, and controversial. Later FAQs will cover details. If you are a victim of medical identity theft, your highest priority should be to remove information from your health records that may affect your medical treatment. A second priority should be to remove information from insurance records that will affect payment for future treatment.

15. How do I make a request for amendment?

Start by obtaining a copy of the notice of privacy practices that the HIPAA health privacy rule requires each hospital and insurer to publish. You may already have a copy. If not, each HIPAA covered entity must provide a copy of its notice to anyone who asks for one. In addition, a copy should be available on the website of each covered entity (if the covered entity has a website).

The notice of privacy practices describes your rights, including your right to ask for an amendment. Each covered entity may have its own process for accepting and fulfilling amendment requests. You will likely be asked to fill out a form in order to make your request for amendment. You will have to tell the record keeper what information is wrong or not about you and explain why you want the amendment.

When you make a request, the covered entity must act on your request within 60 days. It can take an additional 30 days to act if it provides you with a written explanation of the delay.

16. Can I ask that wrong information be removed from my file?

Yes, but it may not be that easy. A HIPAA covered entity does not necessarily have to remove incorrect information. It can mark the information as incorrect and add information that shows the correct information.

There is a reason for this policy. Suppose that your doctor suspects that you have an infection. Before the test results come back, the doctor prescribes an antibiotic. When the test later shows that you didn’t have the infection, the doctor tells you to stop taking the antibiotic. Now suppose that you ask the doctor to remove the initial diagnosis of an infection.

If the information is totally removed, it will be impossible for the doctor to explain or justify the prescription for an antibiotic. It may not be appropriate to remove the entire incident from the record because the doctor will be unable to explain the treatment provided or the bill. The doctor also needs to keep the record in the event that there are complications from the drug. The need for a history of the treatment that the doctor provided is understandable for legal and medical reasons.

For a medical identity theft victim, the remedy of marking and supplementing information may not be sufficient. Suppose that an identity thief goes to your hospital claiming to be you. The record of the treatment will become part of your record. The information about the thief could be hundreds of pages long. However, none of the information is actually about you. If, for example, the hospital determined the thief’s blood type and that information remains in your record – even if marked as incorrect – it might still affect your care if a subsequent provider did not see or pay attention to the correction. Even marked information may create confusion.

Health care providers are typically nervous about removing information from health records. For the most part, they have a reasonable concern. However, when the information in a health record is not about the subject of the record, the provider’s concern is weaker. When the information in your record is not about you and the presence of the information did not affect your subsequent care, the argument for removal is stronger. However, if the incorrect information did affect your treatment – even if that treatment was inappropriate – then retaining some or all of the incorrect information (suitably marked as incorrect and including a full explanation) may be legally and medically justifiable. You may be able to negotiate with the provider about how the information should be marked or otherwise segregated from your health record.

Whether you can justify total removal from your record of information about the thief will depend on the facts of your case. You can ask for total removal. Another remedy that might work is to ask the record keeper to put the information about the thief in a wholly separate record that is not directly associated with your health record. The two records – sometimes called “John or Jane Doe” records – might contain references to each other, but the substantive health information about the thief will not be in the normal file that a doctor reviews when treating you.

  • WPF Policy Note: The World Privacy Forum believes that the HIPAA amendment rule is inadequate to meet the needs of victims of medical identity theft. The rule should be revised to require covered entities to consider the removal of information that does not belong in the record of a medical identity theft victim. The problem of incorrect information will only become more acute as more medical information is routinely stored in and shared through health information networks.

17. What other limits are there on amendments?

A covered entity does not have to amend a record that it considers to be accurate and complete. It does not have to amend a record that is not available for inspection by you under the access provision.

More importantly, a covered entity is not required to amend a record that was not created by the covered entity. An exception to this rule exists if the record subject provides a reasonable basis to believe that the originator of the information is no longer available to act on the requested amendment.

  • WPF Policy Note: The World Privacy Forum believes that the exception is too narrow to protect the interests of all patients, including victims of medical identity theft. Providing evidence that the originator of the information is unavailable may be difficult for many patients. Proving a negative is often impossible. Further, if the originator is available but does not act on a request for amendment, the information in the subsequent covered entity’s record may be just as wrong and could have a continuing detrimental effect on the patient’s treatment or payment. It is uncertain how serious a problem exists because of the HIPAA provision allowing a covered entity to reject an amendment request about information provided by a third party.

In many circumstances, a health care provider will act reasonably to verify information that may affect patient care. For example, if you tell your surgeon that you think that your blood type is A, the surgeon is not likely to cavalierly accept contrary information just because it came from a third party. Health care providers are likely to be suitably concerned about the possibility of wrong information and medical errors.

However, there may be real problems in some circumstances, and health insurers may not be as worried about errors, especially if the errors provide an excuse to deny a claim. Consider an identity thief who has an appendectomy while masquerading as John Doe. When the real John Doe has an appendectomy a year later and submits the bill to his insurance company, the insurance company is likely to reject the bill because no one has two appendectomies. If John Doe asks the insurer to amend or delete the record of the first payment, the insurer can refuse the request under the HIPAA rule because the information came from a third party, namely the surgeon who operated on the identity thief. If John Doe asks the surgeon to correct the record, the surgeon will reject the request because he will say that the request came from a John Doe who has the same name as his patient but who is not the actual patient.

Things may be very difficult for a patient stuck in this type of Catch-22 situation, where no one is willing or required to take responsibility for errors that were not the patient’s doing. The HIPAA health privacy rule provides no real assistance or remedy. The patient may only be able to ask for the good will, understanding, and cooperation of all concerned. For providers and insurers who operate in good faith, that may be sufficient notwithstanding the deficiencies of formal legal rights and remedies. Otherwise, the next step may be litigation, and that is often an expensive and unattractive alternative for everyone concerned, even when litigation is possible.

  • WPF Policy Note: The World Privacy Forum believes that the third party amendment exception in the HIPAA rule is unfair to all patients and especially to medical identity theft victims. If a provider or insurer has information on a patient that it is using to make determinations about that patient, then the provider or insurer must take some responsibility to determine if that information is correct when asked by the patient. There may be circumstances in which a record keeper holds information (e.g., an insurer that receives a diagnosis from a health care provider) that the record keeper cannot properly evaluate or change. However, the current HIPAA rule fails to protect some patient needs. The rule should require more flexibility by record keepers and more attention to the legitimate concerns of patients.

Sample Letter

For medical identity theft victims, here is some language that may be useful in making a case for amendment or removal of incorrect information from a health provider’s record:

I may be a victim of medical identity theft. Someone may have obtained medical services using my name or my health insurance. The health records that your institution maintains about me may include information that is actually about someone else. That information could be used to adversely affect my personal health care or to deny me insurance benefits that I am entitled to receive. I am working to identify the effects of the medical identity theft and to remove incorrect information from my files. Your institution not only has a responsibility to maintain accurate records, but it too may have been a victim of the same identity theft. We have a joint interest in resolving this problem. You may want to report my request to the part of your organization responsible for health care fraud.

18. Do I have greater rights under state laws, other federal laws, or hospital policies?

Maybe. Some states have health privacy laws that provide greater rights of amendment. If your records are held by the federal government (e.g., Medicare or VA), your rights to ask for amendment of records under the Privacy Act of 1974 may be greater than under HIPAA. These two sets of privacy rules overlap, and you are entitled to the best parts of both laws.

Sample Letter

You may want to include the following language in any amendment request that you make. This may be especially important if a health care institution provides you with a form to fill out. Add language like this to the form or to a cover letter:

I am requesting amendment of records because I believe that I am a victim of identity theft. My request is made pursuant to the federal HIPAA rule. In addition, if other federal or state laws provide greater rights of amendment, I also request that you provide any remedies available under those other laws.

19. What happens when a covered entity agrees to make an amendment?

The covered entity must:

1. Make the amendment;

2. Tell the requester what it did; and

3. Make reasonable efforts to inform others about the amendment within a reasonable time.

The third requirement is most noteworthy. If you convince a covered entity to amend your record, the covered entity must tell any persons that you identify who received the original incorrect information and who need the amendment. In addition, the covered entity must notify any persons who have the information that was the subject of the amendment and who may have relied or could foreseeably rely on the information.

To make sure that amendments have been appropriately distributed, you may want to ask for an accounting of disclosures. See the next part of this FAQ for more information about rights to accounting. What is important is that amendments be provided to those who may rely on the original incorrect information. Each patient has the right to tell a covered entity to send the amendment to anyone who received the original information and needs the information.

Be sure that any information that bears on your future medical treatment is shared with other health providers. Information that bears on insurance and payment matters may need to be shared with insurers and, possibly, with employers. The goal is to find and eliminate any information that others have that is incorrect.

This may take considerable effort, to make sure that every appropriate person has the information and that those with the information correct their own records. Every covered entity is required to take action when it receives a notice of amendment, but that doesn’t mean that it will be done quickly or properly. It may be appropriate to ask each appropriate covered entity to confirm that it actually made the amendment.

20. Can I appeal if a covered entity refuses to make an amendment?

Maybe. An institution must accept complaints about its health privacy policies and practices. Filing a complaint with an institution may not be the equivalent of filing an appeal of a denial of a request for amendment, but it may help if it forces someone new at the covered entity to review your request. However, some institutions may accept formal appeals. Consult the institution’s notice of privacy practices to see if there is an appeal method for a denial of a request for amendment.

You can also complain to the Secretary of the federal Department of Health and Human Services about how your request was handled. You can find information about the process at <http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html>. Whether the Secretary will actually investigate your problem is uncertain.

There is an additional alternative. When a covered entity denies your request for amendment, it must tell you that you can request that the covered entity provide a copy of your request for amendment with any subsequent disclosure of the disputed information. In most cases, this is an advisable step to take.

Sample Letter

You should write to the covered entity with this request:

I ask that my request for amendment be included with any subsequent disclosure of the information for which I requested an amendment. This is a right guaranteed by the HIPAA health privacy rule at 45 C.F.R. § 164.526(d)(1)(iii).

21. Are there other remedies if my request for amendment is denied?

Yes. You have the right to file a written statement of disagreement, and that is a very important right. When a covered entity denies your request for amendment, it must tell you about this right.

The statement of disagreement gives you the opportunity to explain your side of the story. The covered entity can reasonably limit the length of the statement of disagreement, so don’t plan on writing a novel-length document. We also suggest that your statement should be factual and should refrain from making personal attacks on anyone involved in the process.

Sample Letter

Here is a sample of a statement of disagreement that might serve as a model:

I am a victim of medical identity theft. Someone impersonated me and obtained medical treatment (or medical payment) using my name and health insurance. The information about the identity thief has been included in my record, and the [insert name of covered entity] has refused to remove it. The specific information that is wrong is about treatment for [insert description] that occurred on these dates: [insert dates].

Because this information is not about me, it does not belong in my health record. I want this information removed entirely because I am concerned that someone may mistakenly assume that the information is about me. If the information is wrongly used to affect my medical treatment, then I could be harmed or killed by inappropriate treatment. I want everyone who has access to my health record to be aware of the error and to take great care not to rely on wrong information when treating me or paying for my care.

The covered entity can write and circulate a rebuttal to your statement of disagreement. If it does so, it must provide you with a copy of its rebuttal.

HIPAA offers another protection even if you don’t file a statement of disagreement. The rule requires a covered entity that has received and denied a request for amendment to append or link the record in question with the request for amendment. The purpose here is to make sure that whoever sees the disputed record will also see the request for amendment.

22. Can the covered entity still disclose the information that I disputed?

Yes, but HIPAA offers additional rights. First, if you have submitted a statement of disagreement, the covered entity must disclose it when it discloses the disputed information.

Second, if you choose not to submit a statement of disagreement, the covered entity must include your request for amendment (and its denial) along with any subsequent disclosure only if you have requested that the covered entity do so. In most cases, this is an advisable step to take.

Sample Letter

You should write to the covered entity with this request:

I ask that my request for amendment be included with any subsequent disclosure of the information for which I requested an amendment. This is a right guaranteed by the HIPAA health privacy rule at 45 C.F.R. § 164.526(d)(5)(ii).

IV. Accounting for Disclosures

 

23. What’s an accounting of disclosures?

For a disclosure of medical information about an individual, an accounting is a record of:

  • The date of the disclosure
  • The name of the person or entity who received the information
  • A brief description of the information disclosed
  • A brief statement of the purpose of the disclosure (or, as an alternative, a copy of the request for a disclosure)

An accounting is sometimes called a disclosure history. The requirement for health care institutions to maintain an account of disclosures comes from the federal HIPAA health privacy rule.

24. Why should I care about accounting of disclosures?

If you think that you may be a victim of medical identity theft, obtaining a copy of the accounting of disclosures for your health record will help you follow the trail of your information and identify those who have incorrect information about you. In some instances, you may not care about correcting records that were disclosed to a researcher or a public health agency. These disclosures may not have any immediate consequences for you.

However, if you learn that your records were disclosed to law enforcement or health oversight agencies, you might have reason to worry that the information disclosed will be used against you in some manner. By learning the purpose of each disclosure, you will be better able to make judgments.

25. How do I make a request for an accounting?

Start by obtaining a copy of the notice of privacy practices that the HIPAA health privacy rule requires each hospital and insurer to publish. You may already have a copy. If not, each HIPAA covered entity must provide a copy of its notice to anyone who asks for one. In addition, a copy should be available on the website of each covered entity (if the covered entity has a website).

The notice of privacy practices describes your rights, including your right to ask for an accounting. Each covered entity may have its own process for accepting and fulfilling accounting requests. You will likely be asked to fill out a form in order to make your request for an accounting. The covered entity must act on a request for accounting within 60 days, but it can extend the time limit for another 30 days if it provides a written explanation of the delay.

26. Who has to provide me with an accounting of disclosures?

Any HIPAA covered entity must provide a copy of an accounting of disclosures. For most individuals, your health care providers (doctors, hospitals, laboratories, pharmacies, etc.) and health insurers (HMOs, health plans, Medicare, etc.) will have the records that you want. You may also want to ask your Pharmacy Benefit Manager or PBM. A PBM is a company that contracts with managed care organizations, self-insured companies, and government programs to handle pharmacy network management, drug utilization review, and other activities. A PBM is likely to be the organization that fills your drug prescriptions by mail.

27. What does it cost to obtain an accounting?

You are entitled to receive at no charge one copy of the accounting of your health record in any 12-month period. If you make more than one request, the institution may impose a reasonable, cost-based fee. The institution must tell you the cost in advance so you have a chance to modify or withdraw your request.

  • WPF Policy Note: The World Privacy Forum believes that victims of medical identity theft should have the right to obtain a copy of the accounting of disclosures without charge as often as necessary until the problems resulting from identity theft have been resolved. Victims of medical identity theft can ask covered entities to cooperate with them by waiving fees if more than one accounting is needed. Remind the covered entity that medical identity theft is a problem for everyone, and that it is in the covered entity’s interest to find and remove wrong information from a health record.

28. What are the limitations of an accounting of disclosures?

There are many limitations in the federal health privacy rule. These limitations make the accounting of disclosures less valuable than it should be. First, health care institutions do not have to account for all disclosures. They don’t have to keep an accounting of disclosures for treatment, payment, or health care operations. They don’t have to keep an accounting of disclosures if you authorized the disclosure. There are other exceptions too.

For example, if a hospital gave care to someone in your name and billed your insurance company, you would want to know the details. You may not be able to obtain that information from the accounting of disclosures. Even worse, if a hospital told a credit bureau or collection agency that you did not pay your bill (i.e., a bill run up by an identity thief), the accounting may not reveal the disclosures. These disclosures may be exempt from the accounting requirement because they fall within the exception for disclosures for payment and health care operations.

A 2009 change to the law will eventually improve the situation somewhat. The law requires covered entities that use or maintain an electronic health record to keep an accounting for treatment, payment, and health care operations disclosures. This is a very positive change, balanced in part by the law’s limit that a patient has a right to an accounting for these disclosures for the last three years only.

  • WPF Policy Note: The World Privacy Forum believes that all patients, but especially victims of identity theft, should be able to obtain accounting records for treatment, payment, and health care operations disclosures beyond the three year period. It is likely that covered entities with electronic health record systems will maintain accounting records longer than required, and some covered entities may be willing to share the records notwithstanding the limit in the law. If you need the records, ask for them and explain why.

Second, health care institutions do not have to account for uses. A use of information occurs when a record is made available to someone within the institution that maintains the record. A disclosure occurs when a record is shared with someone outside the institution. The accounting requirement only covers some disclosures and no uses.

Third, sometimes an accounting that is required to be maintained can nevertheless be withheld from an individual who requests a copy of the accounting. Some disclosures to law enforcement, for example, can be made without telling the record subject for a limited time.

Fourth, the HIPAA requirement for an accounting started on April 14, 2003. A health care institution covered by HIPAA did not have to maintain accounting records before that date. Perhaps the biggest limitation is that the federal health privacy rule does not require an accounting of disclosures for treatment and payment. This means that a lot of information that you would want to find in an accounting will not be available.

  • WPF Policy Note: The World Privacy Forum believes that many of the limitations on accounting of disclosures in the HIPAA health privacy rule are bad policy. Health care providers and insurers should be required to keep track of all disclosures and all uses. The World Privacy Forum observes that modern computer systems can readily keep track of uses and disclosures at very little cost. Many institutions already do so. The 2009 changes to HIPAA make some of the improvements recommended by WPF. We also recommend that the HIPAA rule be amended to broaden accounting requirements so that health care institutions maintaining accountings of uses and disclosures that exceed federal requirements are obliged to share all existing accounting records with a requester.

29. The accounting of disclosures doesn’t appear to be very useful. Why get an accounting?

Why bother going through the process of getting an accounting of disclosures? First, obtaining a copy of the accounting is free. All you have to do is fill out a form or write a simple letter. It may not do everything you would like, but it may have some useful information.

Second, the accounting may help some. You should be able to learn something about how your records were disclosed from the accounting. It may point you to some record keepers you didn’t realize had records about you. When accounting for treatment, payment, and health care operations begins under the 2009 requirement, the records will be more useful.

Third, obtaining an accounting is just one part of the process for learning about and recovering from medical identity theft. Also, if there has been a data breach of your medical information, this should come out in the accounting of disclosures.

Keep reading for other ideas about how to respond to and recover from medical identity theft. Also, see the WPF consumer tips on how to recover from medical identity theft: <https://www.worldprivacyforum.org/2012/04/medidtheft_consumertips/>.

30. Do I have greater rights under state laws, other federal laws, or hospital policies?

Maybe. A few states may have health privacy laws that require health care institutions to maintain better accounting records or to disclose more accounting records to you. If your records are held by the federal government (e.g., Medicare or VA), your rights to have a copy of an accounting under the Privacy Act of 1974 will be greater than under HIPAA. These two sets of privacy rules overlap.

You can find more information about your health privacy rights at the website of the Center for Democracy and Technology <https://www.cdt.org/getting-your-medical-records>. The website of the Georgetown University Center on Medical Record Rights and Privacy at <http://hpi.georgetown.edu/privacy/records.html> has information on state laws about access and correction of medical information.

Sample Letter

You may want to include the following language in any accounting request that you make. This may be especially important if a health care institution provides you with a form to fill out. The form may be designed to limit your request to the minimum HIPAA requirements, and you should ask for more just in case more is available. Add language like this to the form or to a cover letter:

I request a copy of all accounting records that are required to be made available under the federal HIPAA rule. In addition, if other federal or state laws provide greater rights of access to accounting records, I also request that you provide a copy of all accounting records to which I have a legal right. If your institution maintains accounting records for disclosures or uses that are not covered by HIPAA requirements, I also request that you provide a copy of all accounting records that you maintain, whether or not you are legally required to do so. If this request will result in any charges to me, please contact me first to discuss it. I will not pay any charges unless I am told of the charges in advance and specifically agree to pay them.

31. What’s the best strategy for making a request?

You are entitled to only one free request in any 12-month period. Think about when to make that request. If you learn that you were a medical identity theft victim two years ago, you probably should make the request right now. But if the medical identity theft is ongoing, you should realize that it can take time for your records to be updated to reflect current activities. Today’s record may not show events that happened in the last few weeks. However, even if you decide to wait to make the request, you should still notify the health care institution that you believe that there may be incorrect information in your file and criminal activity by an identity thief. You might try to discuss the problem with the covered entity’s Privacy Official to see if it is possible for you to obtain greater access than the law allows. Remind the covered entity that medical identity theft is a joint problem, in which both the patient and the covered entity may be victims.

The accounting of disclosures is just one source of information about medical identity theft. You may learn more by requesting a copy of your health record. The health record is likely to tell you about uses and disclosures of your medical information that are not covered by accounting rules.

If you have reason to believe that you are a victim of medical identity theft, tell the institution when you make your request. If someone obtained services from a hospital in your name, the hospital may ultimately be stuck with the bill. It is in the hospital’s interest to learn about the crime too. The same is true for your health insurer. Everyone in the health care world is aware that fraud is a major and costly problem. With a little diligence, you may be able to find someone who will pay attention to your problem and provide you with extra assistance.

Remember that the wrong information in your health record can harm you. If your health records show the blood type of an identity thief rather than your own blood type, the wrong information can kill you. The same is true for prescription drugs issued in your name to an identity thief. Consider reminding people that you talk to that the wrong information may not only harm you, but it could make the record keeper legally liable for damages. However, don’t make idle threats about lawsuits. You want people to help you.

If you are harmed by medical identity theft, it is possible that you will be able to sue someone for damages. That may include a hospital or insurance company that maintains and discloses incorrect information about you. Your primary goal should be to resolve the problems resulting from medical identity theft and to correct your records. However, you may also want to think about the possibility that you have a legal claim for damages. Keep records of everything that you do to resolve your medical identity theft case. These records may be valuable in the event of legal action. You may also want the records so that you can file an administrative complaint about a health care institution that did not comply with the HIPAA privacy rule. You can learn more about filing an administrative complaint at <http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html>.

Be friendly and be determined. In general, health care institutions that have records about you are not criminals and share a common interest in solving medical identity theft problems. Those institutions may be victims too.

Sample Letter

Here is some language that you may want to use in your letters to alert institutions of the problem:

I may be a victim of medical identity theft. Someone may have obtained medical services using my name or my health insurance. The health records that your institution maintains about me may include information that is wrong or actually about someone else. That information could be used to adversely affect my personal health care or to deny me insurance benefits that I am entitled to receive. I am working to identify the effects of the medical identity theft and to remove incorrect information from my files. Your institution not only has a responsibility to maintain accurate records, but it too may have been a victim of the same identity theft. We have a joint interest in resolving this problem. You may want to report my request to the part of your organization responsible for health care fraud.


V. Other FAQs for Medical Identity Theft Victims

 

32. I got a call from a bill collector about a medical bill for a doctor that I never saw. Now what?

If you hear from a bill collector, you should immediately pursue your rights under the Fair Credit Billing Act. Place a dispute on the collection notice right away. You can learn more about your rights under the Fair Credit Billing Act at the website of the Federal Trade Commission at <http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre16.shtm>. It is important to follow the proper procedures under that Act in order to preserve your rights.

Remember that it will take a while to obtain your health records and trace the scope of the identity theft, so be sure to pursue your rights under other laws right away. Then start the process to find out what the bill was for by asking for your records from the doctor, hospital, and/or insurance company involved.


33. Where else can I find useful information?

The World Privacy Forum’s Patient’s Guide to HIPAA offers a broader view of your HIPAA rights, <https://www.worldprivacyforum.org/2013/09/hipaaguidehome/>.
You can find more information about your health privacy rights at the website of the Center for Democracy and Technology <https://www.cdt.org/getting-your-medical-records>. The website of the Georgetown University Center on Medical Record Rights and Privacy at <http://hpi.georgetown.edu/privacy/records.html> has information on state laws about access and correction of medical information.


34. Are credit reports important in cases of medical identity theft?

Yes. If you are a victim of medical identity theft, you are a victim of identity theft, just as you would be if someone used your name and Social Security Number to open a credit card. You have the same rights as any victim of identity theft. The problem is that those rights are geared toward victims of financial identity theft. However, if your credit report reflects a collection for a medical bill, this is a useful tip-off that you may be a victim. You have the right to get these items removed from your credit report when they are not accurate. The process of doing so, however, can take time.


35. I am dealing with a federal agency. How can I learn more about my rights under the Privacy Act of 1974 or the Freedom of Information Act?

A good resource is A Citizen’s Guide on Using the Freedom of Information Act and the Privacy Act of 1974 to Request Government Records published by the House Committee on Government Reform. You can find the report at <http://www.fas.org/sgp/foia/citizen.html> and <http://fas.org/sgp/foia/citizen.pdf>.


36. Should I file a police report?

Yes. If you are a victim of medical identity theft, a police report can help you in a number of ways. You may be asked frequently for a copy of the police report after you have filed it. It may provide some verification that you are a victim of a crime. A police report may make it easier for you to show creditors that you are a victim of a crime. You can also use a police report to seek a fraud alert on your credit report and to address errors in your credit report.

Filing an identity theft police report is a basic step for victims of financial identity theft. Police in most places should be aware of the need for a report.
The police report may validate and document that you are a victim of financial identity theft. For more, see the Identity Theft Resource Center Fact Sheet on obtaining a police report <http://www.idtheftcenter.org/artman2/publish/v_art_solutions/Solution_10.shtml>.

However, obtaining a police report in medical identity theft cases may not be that simple, and police may be less aware of the crime of medical identity theft. The records that show the crime may not be in a city or state where you live, and police may be unwilling to fulfill your request for a police report. Showing evidence of medical identity theft may be hard to do.

If you succeed in obtaining a police report, you may have to pay for a copy of the original report. It can take 10 to 14 business days before you can order the report. Make copies of the report to give to providers and insurers. Keep the original.

The World Privacy Forum thinks that a police report in medical identity theft cases may be useful, but it may not be the first priority for victims. Making sure that health care providers know about the problem is the first priority, as is getting a copy of affected health care files. Having the wrong records in your health file may affect the way you are treated.


37. Why is addressing medical identity theft so hard?

First, medical identity theft was only recently identified as a problem. The World Privacy Forum’s 2006 report, MEDICAL IDENTITY THEFT: The Information Crime that Can Kill You <https://www.worldprivacyforum.org/2006/05/report-medical-identity-theft-the-information-crime-that-can-kill-you/>, was the first to report on it, and it was this report that coined the term for this crime and defined it. As a result, not everyone in the health care world is properly aware of the problem. The World Privacy Forum’s medical identity theft map, <https://www.worldprivacyforum.org/2011/08/medicalidentitytheft-map>, shows that incidents are widely scattered across the United States, with heavier concentrations in Florida, California, and on the East Coast.

Second, the HIPAA health privacy rule does not address medical identity theft, and covered entities have little direction. The existing rule leaves a lot of uncertainties, and covered entities are often too conservative in dealing with the problems.

Third, some individuals falsely claim that they were victims of medical identity theft as an excuse to avoid paying bills for health services that they properly incurred. This unfortunate practice makes it harder for real victims to obtain relief.

Fourth, medical identity theft can be a very complex crime. Health records for a single patient can be shared among many types of providers, including physicians, hospitals, pharmacies, laboratories, and x-ray facilities as well as a multitude of entities that provide or service health insurance. The ongoing rise of electronic health information exacerbates some existing problems while at the same time it offers some hope for better responses.

On a more optimistic note, however, there is increasing awareness of medical identity theft. Some major health care providers have processes and procedures to deal with claims of medical identity theft. Professional health care associations, like the American Health Information Management Association (AHIMA), are working to provide advice to the industry about how to manage cases of medical identity theft.


38. What do I do if I have a PHR? (Personal Health Record)

A personal health record (PHR) is a health record about a person that generally is under the control of a patient rather than a health care provider. PHRs can include data gathered from different sources. For example, a PHR may have information from doctors, insurers, and gyms, among others. The information in a PHR may be made available to the patient and in some cases to those a patient authorizes. There are many different models for PHRs, many of which are made available online by different PHR vendors. Some are supported by providers or employers. Not everyone has a PHR, but if you have one, you are likely to know about it.

If your health record is affected by medical identity theft, the same erroneous information may appear in your PHR. Because of the different models for PHRs, it is not possible to offer specific advice. If you have a PHR and a medical identity theft problem, you need to be aware that your PHR record may include incorrect information. Do not assume that fixing problems with the health record at your provider will necessarily correct your PHR record at the same time. If you have a PHR for your own personal use, the problem may not require immediate attention. But if you share your PHR with new doctors or with others, the problem may be serious.

We advise patients with PHRs to be aware of the problem that their PHRs may be “contaminated” by medical identity theft. You will need to learn how you can change your PHR or how you can delete information from it. Your rights to alter a PHR may not be as great as you would like. If you have a problem, we suggest trying to discuss it with the PHR vendor. If you cannot get control over your PHR in the way that you would like, you may want to consider deleting the PHR entirely. You might start over with a new PHR once your health records have been purged of the information resulting from medical identity theft.

If you want to learn more about the privacy concerns surrounding PHRs, see the World Privacy Forum report Personal Health Records: Why Many PHRs Threaten Privacy.


FAQ history

Author: Robert Gellman <http://www.bobgellman.com>

Contributor: Pam Dixon

Publication history:

Version 1.6 November 2013, most recent update.

Version 1.5 April 20, 2012

Version 1.4 March 18, 2008

Version 1.3 January 4, 2008

Version 1.2 June 21, 2006

Version 1.3 June 30, 2006. First posting.