.

 

 

 

Access, Amendment, and Accounting of Disclosures: FAQs for Medical ID Theft Victims

 

Introduction and Purpose

This list of frequently asked questions (FAQs) is design ed to help victims find and document medical identity theft. This document is also useful for anyone who is interested in the rights and tools regarding their medical records.

The tools this FAQ discusses can be used to trace medical identity theft. The tools are part of the rights granted to patients under federal health privacy rules (HIPAA, see #4 in this section) and other laws. These key rights include:

  • The right to access your medical records,
  • The right to ask for amendment of your medical records, and
  • The right to have an accounting (or history) of disclosures.

This FAQ details, step by step, what these tools are and how you can use them. The document also includes text that can be copied and used for sending letters to doctors, hospitals, and insurance companies.

This document is organized into four sections plus this introduction. After the introduction, the first three sections cover access, amendment, and accounting. The last section answers other questions that may help medical identity theft victims. Some of the same information appears more than once in different sections.

I. General and Background Questions

I. Access to Medical Records

III. Amending Medical Records

IV. Accounting for Disclosures

V. Other FAQs for Medical Identity Theft Victims

 

I. General and Background Questions

 

1. What is medical identity theft?

Medical identity theft occurs when someone uses an individual’s name or other parts of the individual’s identity – such as insurance information or Social Security Number – without the victim’s knowledge or consent to obtain medical services or goods. Medical identity theft can also occur when someone uses the person’s identity to obtain money by falsifying claims for medical services and falsifying medical records to support those claims. The essence of the crime is the use of a medical identity by a criminal and the lack of knowledge by the victim.

The World Privacy Forum’s report on medical identity theft is MEDICAL IDENTITY THEFT: The Information Crime that Can Kill You. You can find it at the WPF Medical Identity Theft page. <http://www.worldprivacyforum.org/medicalidentitytheft.html>.

 

2. Isn’t medical identity theft just a type of health care fraud?

Yes. Medical identity theft is a subset of health care fraud. But it is not just that, because the crime can also have financial and other life-consequences for patients. It isn’t just a crime against the health care system. Medical identity theft needs to be understood in its context as an information crime. It’s a crime involving theft or abuse of identity information as well as a crime that makes individuals victims in addition to the providers and insurers who may directly bear financial losses.

 

3. If a health care worker steals my identity and opens a credit card in my name, is that medical identity theft?

Some identity theft cases arise in medical settings, but they are not medical identity theft. For example, if a hospital worker steals patient credit card number or other financially-related identity information and goes on a shopping spree at a mall, that is not medical identity theft. It is more traditional financial identity theft. In this situation, the crime did not affect the medical identity of the individual, even though it involved the use of personal financial information. The victim of this type of identity theft may not need the specialized responses to medical identity theft discussed in these FAQs.

 

4. What’s HIPAA?

HIPAA is an important acronym for health records and medical privacy. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. HIPAA is composed of a complex set of rules and regulations. such as the HIPAA privacy rules and the HIPAA security rule, among others.

Under authority granted by HIPAA, a federal law, the Secretary of Health and Human Services issued health privacy regulations that became effective in 2003. The Office of Civil Rights is the HHS agency responsible for the privacy rule. <http://www.hhs.gov/ocr/hipaa>.

There is also a HIPAA rule governing security of health records. The Centers for Medicare & Medicaid Services is the HHS agency responsible for the security rule. <http://www.cms.hhs.gov/SecurityStandard>. You can find copies of the HIPAA rules and other useful materials at these websites. Both rules are long and complex.

This FAQ summarizes the parts of the privacy rule most relevant to medical identity theft victims, but it does not cover every nuance.

An important concept in HIPAA is covered entity. Nearly every health care provider is a covered entity, as is every health plan. Health care clearinghouses are also covered entities, but they are not likely to be important to most patients. Anyone who is a covered entity must comply with the HIPAA rules.(The FAQ only considers the rules most relevant to victims.)

 

5. Will this FAQ help me if my medical records are wrong but I am not a victim of medical identity theft?

Maybe. The focus here is on victims of medical identity theft. A common problem faced by victims is the presence in their medical records of information that is about someone else. Information about someone else may appear in anyone’s medical file for reasons other than identity theft (e.g., filing errors, mistaken identities, and data entry errors).

If your problem involves the presence of information in your medical records about someone else, you may find the advice here helpful. However, if you want to dispute the contents of your medical file because you disagree with your doctor’s diagnosis, you may not find the advice as focused. Nevertheless, the basic rules defining patient rights regarding access, amendment, and accounting are the same for everyone. This FAQ explains the basics.

II. Access to Medical Records

 

1. Can I see my medical records and obtain a copy?

The general answer is yes. The federal HIPAA health privacy rule requires health care providers and insurers to provide you with access to your medical records. The details and limitations are described in other FAQs here. You have a right of access to medical records whether or not you are a medical identity theft victim.

 

2. Why do I need access to my medical records?

There are many reasons to see and keep a copy of your medical records. Some people try to maintain a personal health record so that they have all health records in one place. For more information on this strategy, see the website of the American Health Information Management Association at <http://www.myphr.com/>.

For a medical identity theft victim, medical and health insurance records are essential to figuring out the facts in your case. The thief may have used your name when seeing a doctor, obtaining prescription drugs with your health ID number, filing claims with your insurance company, or doing other things that left a trail in your medical records. The actions of the thief may be intermingled with the records of your own treatment and payment activities. For example, your health insurer may have records showing bills submitted by your dentist, drug store, and obstetrician together with other bills that resulted from the thief’s activities. In some instances, the crook is not someone who sought medical care but a health care provider who submitted a wholly fraudulent bill in your name, your spouse’s name, or your child’s name.

If you have reason to believe that you are a victim of identity theft, you need to find the facts. Obtaining a copy of your medical records from your health care providers, hospitals, pharmacies, laboratories, and health insurers is the main way to learn what happened.

You may be tipped off to medical identity theft by receiving an explanation of benefits from your insurer for services that you never sought or received. You may receive a bill for services that you did not use. You may receive a dunning notice (a notice that a bill has not yet gone to a collection agency, but will if not paid soon) or phone call from a debt collector for a health care bill in your name that was never paid. If any of these things happen to you, you need to find the facts by obtaining basic records from providers and insurers. Ask questions, preserve your rights, and follow the trail of information.

 

3. How do I make a request for access?

Start by obtaining a copy of the notice of privacy practices that the HIPAA health privacy rule requires each hospital and insurer to publish. You may already have a copy. If not, each HIPAA covered entity must provide a copy of its notice to anyone who asks for one. In addition, a copy should be available on the website of each covered entity (if the covered entity has a website).

The notice of privacy practices describes your rights, including your right to inspect and obtain a copy of your record. You will likely be asked to fill out a form in order to make your request for access.

When you make a request, the covered entity must act on your request within 30 days. It can take an additional 30 days to act if it provides you with a written explanation of the delay.

 

4. What records should I ask for?

Any HIPAA covered entity must allow you to inspect or obtain a copy of your record. Some records can be withheld, and the limitations are discussed later in this FAQ. Just figuring out who to ask and what to ask for can be complex. Don’t assume that you need a copy of all records from all health care providers and insurers. Obtaining your health records can be complicated, may present some hard choices, will require some planning, and will take time. Don’t panic. Clearing up cases of medical identity theft will take time and effort.

First, while you generally have the right to inspect and obtain a copy of your health record, a health care provider or insurer can charge you a fee for a copy. Copying charges can be as much as $1.00 per page and perhaps more. Fees must be reasonable and cost-based. You may want to think about the costs involved before you ask. A hospital record can have hundreds of pages. You should not have to pay a fee to simply inspect your records. You may only be asked to pay a fee when you request a copy of the records.

Second, not every health care provider may have records that you need to track medical identity theft. If the thief obtained a prescription in your name, you will want the record from the pharmacy that filled the prescription and from the health care provider who wrote the prescription. You may not need your record from podiatrist, optometrist, or other provider you have visited in the past or even that you are seeing currently if you have no reason to believe that they have records related to the medical identity theft.

If you have been using the same hospital for 20 years and you think that the identity theft is recent, you may want to limit your request to records of the last several years or several months. Similarly, records held by the health insurer that covered you two years ago and that does not cover you today may not be relevant. But if the theft dates back several years, then older records may be essential.

You may not know which records you need at first. The point is that you want to obtain records that you think are relevant, but you may not want every record from every HIPAA covered entity. Most people have had dozens of health care providers in the course of their lives, and many records will not be relevant.

It is always possible that the thief who used your name obtained services from a health care provider, including a clinic, pharmacy, or laboratory, that you never used yourself. Don’t be surprised if the trail may lead you to unexpected places.

One part of the health care world that few people recognize is the Pharmacy Benefit Manager or PBM. A PBM is a company that contracts with managed care organizations, self-insured companies, and government programs to manage pharmacy network management, drug utilization review, and other activities. A PBM is likely to be the organization that fills your drug prescriptions by mail. A PBM may have relevant records in some cases.

Third, asking for a copy of your complete health record may provide more information than you need. It may also be especially expensive. Your health records may include copies of x-rays and other diagnostic tests that may be costly to duplicate. You may not need everything in your health record to see if you were a medical identity theft victim.

Consider how you might limit your request for access so that you limit your costs. Admittedly, it may be hard to figure out the scope of the identity theft at first. See if you can talk to an individual in the record keeper’s office when you make a request so that you can negotiate what you really need. One idea is to not ask for copies of x-rays unless you discover that the x-rays are essential. If other records are especially expensive to duplicate, you may want to defer asking for those records too. Another idea is to ask to inspect your records first so you can decide which parts you want to have copied.

On the other hand, if records are electronic, it may be easy and inexpensive to obtain an electronic copy of everything or almost everything. If the covered entity has electronic records, it must give them to you in electronic form if you want them in that form. You can ask for hard copy of electronic records, but the cost might be higher.

Fourth, once when you receive some records, you may be able to focus your later requests. If your insurance record shows bills from or payments to physicians or clinics that you never treated you, you will then know to make requests for records in your name at those offices.

Fifth, think about records beyond the health care system. The HIPAA rules only help for health care institutions such as providers and insurers. However, if the thief ran up unpaid bills in your name, you may need to obtain a copy of your credit report. To learn more about obtaining a free copy of your credit report, see the How Private Is My Credit Report? fact sheet published by the Privacy Rights Clearinghouse at <http://www.privacyrights.org/fs/fs6-crdt.htm>. You can also find more general identity theft information at <http://www.privacyrights.org/identity.htm#ITRC>.

 

5. What does it cost to obtain copies of a record?

The HIPAA rule allows a covered entity to charge for copying and postage. It can also charge for preparing an explanation or summary if you request one. Many health care institutions use record management companies to handle copying requests, and the costs can be as much as $1.00 a page or more. A copy of a record such as an x-ray may cost even more. You may want to limit your request to essential records in order to control costs. You may not know at the beginning which records you need. You should be able to inspect your records without cost to you. 

 

  • WPF Policy Note:The World Privacy Forum believes that victims of medical identity theft should have the right to obtain a copy of medical records without charge as often as necessary until the problems resulting from identity theft have been resolved. Victims of financial identity theft can obtain a free copy of a credit report. Medical identity theft victims should have free access to the records that they need.

 

6. Can health care institutions withhold some medical records?

Yes. First, the right of access under HIPAA does not extend to psychotherapy notes, some laboratory records (CLIA labs), and materials compiled for litigation. These records are less likely to be relevant to your case anyway.

Second, a covered entity can deny you access to some records, including records maintained by a prison, some records of research participants, and records obtained from someone other than a health care provider under a promise of confidentiality. The HIPAA privacy rule does not require a health care institution to allow you to appeal the denial of these records, but some institutions might accept an appeal if you file one. Read the notice of privacy practices to learn if there is an appeal option.

Third, a covered entity can deny you access to some records, but there is a right of appeal if you are denied. If a licensed health professional determined that access is reasonably likely to endanger the life or physical safety of you or another individual, records can be withheld. Records about other people can be withheld if a licensed health professional has determined that access is reasonably likely to cause substantial harm to that individual or another person. Requests made by an individual’s personal representative can also be denied if disclosure would cause substantial harm.

 

  • WPF Policy Note: The HIPAA access rule does not address the special situation of medical identity theft victims. The needs of medical identity theft victims should be considered whenever records are withheld. In some instances, a request for access by the victim has been denied because the actual patient (i.e., the criminal) was another individual. This creates a situation where records in the patient’s file are withheld because a criminal impersonated the patient. Yet the records remain in the patient’s file and may continue to be used in ways that affect the record subject. The result is that the record subject’s rights and interests may be ignored on legal technicalities.

If an institution withholds records, it must provide a written denial explaining the reason for the denial. It must also explain any appeal rights that you have.

The World Privacy Forum recommends that any medical identity theft victim explain to a health care institution about the reason for the request. Be friendly and be determined.

In general, health care institutions that have records about you are not criminals and share a common interest in solving medical identity theft problems. Those institutions may be victims too.

Sample Letter

Here is some language that you may want to use in your letters to alert institutions of the problem:

I may be a victim of medical identity theft. Some one may have obtained medical services using my name or my health insurance. The medical records that your institution maintains about me may include information that is wrong or actually about some one else. That information could be used to adversely affect my personal health care or to deny me insurance benefits that I am entitled to receive. I am working to identity the effects of the medical identity theft and to remove incorrect information from my files.

Your institution not only has a responsibility to maintain accurate records, but it too may have been a victim of the same identity theft. We have a joint interest in resolving this problem. You may want to report my request to the part of your organization responsible for health care fraud.

If an institution withholds records from you, it may be especially important to tell the institution about your status as a medical identity theft victim. The exemptions that permit withholding of records are mostly discretionary, and a record keeper can still disclose a record even if it is exempt from disclosure. That’s why you need to explain that you are a medical identity theft victim. If the withheld records are important to determining your status as a medical identity theft victim, there is a better chance that you will be given the records.

If records are withheld, you should pursue your appeal rights if you think that you need the records. But if you don’t think that the records are needed, then there may be no reason to appeal.

You can also complain to the Secretary of the federal Department of Health and Human Services about how your request was handled. You can find information about the process at <http://www.hhs.gov/ocr/privacyhowtofile.htm>. Whether the Secretary will actually investigate your problem is uncertain.

 

7. Do I have greater rights under state laws, other federal laws, or hospital policies?

Maybe. Some states have health privacy laws that provide greater rights of access, fewer grounds for withholding records, and lower costs for copies. If your records are held by the federal government (e.g., Medicare or VA), your rights to have a copy of records under the Privacy Act of 1974 or the Freedom of Information Act may be greater than under HIPAA. When these laws have overlapping provisions, and you are entitled to the most favorable parts of each of the laws.

You may want to include the following language in any access request that you make. This may be especially important if a health care institution provides you with a form to fill out. Any pre-printed form may be designed to limit your request to the minimum HIPAA requirements, and you should ask for more just in case more is available.

Sample Letter

Add language like this to the form or to a cover letter:

This request for access covers all medical records that are required to be made available under the federal HIPAA rule. In addition, if other federal or state laws provide greater rights of access to records, I also request that you provide a copy of all records within the scope of my request to which I have a legal right. If any records are being withheld, please reconsider the withholding because of my status as a possible victim of medical identity theft. If this request will result in any charges to me, please contact me first to discuss it. I will not pay any charges unless you inform me of the charges in advance and I specifically agree to pay them.

 

8. What’s the best strategy for making a request?

When making a request, try to talk to a person in the office that maintains your records. There may be a privacy officer at larger institutions who will help you. Tell that person that you think you are a victim of medical identity theft and that you are looking for records that will document what happened.

The institution may also be a victim. If someone obtained services from a hospital in your name, the hospital may ultimately be stuck with the bill. It is in the hospital’s interest to learn about the crime too. The same is true for your health insurer. Everyone in the health care world is aware that fraud is a major and costly problem. With a little diligence and luck, you may be able to find someone who will pay attention to the problem that you have, help you get the records that you need, and ultimately solve your problem.

Remember that the wrong information in your health record can harm you. If your health records show the blood type of an identity thief rather than your own blood type, the wrong information can kill you. The same is true for prescription drugs issued in your name to an identity thief. Consider reminding people that you talk to that the wrong information may not only harm you, but it could make the record keeper legally liable for damages. However, don’t make idle threats about lawsuits. You want people to help you. Health care providers should already be sensitive to the possibility of incorrect information in medical files without much pressure from you.

If you are harmed by medical identity theft, it is possible that you may be able to sue someone for damages. That may include a hospital or insurance company that maintains and discloses incorrect information about you. However, your primary goal should be to resolve the problems resulting from medical identity theft and to correct your records. Nevertheless, you may also want to think about the possibility that you have a legal claim for damages. Keep records of everything that you do to resolve your medical identity theft case. Keep records of everyone you talk to as well. These records may be valuable in the event of legal action and will be useful otherwise.

You may also want to keep records so that you can file an administrative complaint about a health care institution that did not comply with the HIPAA privacy rule. You can learn more about filing an administrative complaint with the Department of Health and Human Services at <http://www.hhs.gov/ocr/privacyhowtofile.htm>. It is uncertain whether HHS will be much help to medical identity theft victims. However, if a covered entity is not following the health privacy rule, you may want to report that entity to HHS.

Finally, the accounting of disclosures – a list of disclosures made by the institution when it shares your medical records with some others – is another source of information. Under HIPAA, you have a right to have a copy of the accounting of disclosures for your medical records. See the separate FAQ about requests for accounting of disclosure records.

III. Amending Medical Records

 

1. Can I amend my medical records?

Yes, but amending medical records can be complex, difficult, and controversial. Later FAQs will cover details. If you are a victim of medical identity theft, your highest priority should be to remove information from your medical records that may affect your medical treatment. A second priority should be to remove information from insurance records that will affect payment for future treatment.

 

2. How do I make a request for amendment?

Start by obtaining a copy of the notice of privacy practices that the HIPAA health privacy rule requires each hospital and insurer to publish. You may already have a copy. If not, each HIPAA covered entity must provide a copy of its notice to anyone who asks for one. In addition, a copy should be available on the website of each covered entity (if the covered entity has a website).

The notice of privacy practices describes your rights, including your right to ask for an amendment. You will likely be asked to fill out a form in order to make your request for access. You will have to tell the record keeper what information is wrong or not about you and explain why you want the amendment.

When you make a request, the covered entity must act on your request within 60 days. It can take an additional 30 days to act if it provides you with a written explanation of the delay.

 

3. Can I ask that wrong information be removed from my file?

Yes, but it may not be that easy. A HIPAA covered entity does not necessarily have to remove incorrect information. It can mark the information as incorrect and add information that shows the correct information.

There is a reason for this policy. Suppose that your doctor suspects that you have an infection. Before the test results come back, the doctor prescribes an antibiotic. When the test later shows that you didn’t have the infection, the doctor tells you to stop taking the antibiotic. Now suppose that you ask the doctor to remove the initial diagnosis of an infection.

If the information is totally removed, it will be impossible for the doctor to explain or justify the prescription for an antibiotic. It may not be appropriate to remove the entire incident from the record because the doctor will be unable to explain the treatment provided or the bill. The doctor also needs to keep the record in the event that there are complications from the drug. The need for a history of the treatment that the doctor provided is understandable for legal and medical reasons.

For a medical identity theft victim, the remedy of marking and supplementing information may not be sufficient. Suppose that an identity thief goes to your hospital claiming to be you. The record of the treatment will become part of your record. The information about the thief could be hundreds of pages long. However, none of the information is actually about you. If, for example, the hospital determined the thief’s blood type and that information remains in your record – even if marked as incorrect – it might still affect your care if a subsequent provider did not see or pay attention to the correction.

Health care providers are typically nervous about removing information from health records. For the most part, they have a reasonable concern. However, when the information in a health record is not about the subject of the record, the provider’s concern is weaker. When the information in your record is not about you and the presence of the information did not affect your subsequent care, the argument for removal is stronger. However, if the incorrect information did affect your treatment – even if that treatment was inappropriate – then retaining some or all of the incorrect information (suitably marked as incorrect and including a full explanation) may be legally and medically justifiable. You may be able to negotiate with the provider about how the information should be marked or otherwise segregated from your medical record.

Whether you can justify total removal from your record of information about the thief will depend on the facts of your case. You can ask for total removal. Another remedy that might work is to ask the record keeper to put the information about the thief in a wholly separate record that is not directly associated with your medical record. The two records might contain references to each other, but the substantive medical information about the thief will not be in the normal file that a doctor would review when treating you.

 

  • WPF Policy Note: The World Privacy Forum believes that the HIPAA amendment rule is inadequate to meet the needs of victims of medical identity theft. The rule should be revised to require covered entities to consider the removal of information that does not belong in the record of a medical identity thief victim. The problem of incorrect information will only become more acute as more medical information is routinely stored in and shared through health information networks.

 

4. What other limits are there on amendments?

A covered entity does not have to amend a record that it considers to be accurate and complete. It does not have to amend a record that is not available for inspection by you under the access provision.

More importantly, a covered entity is not required to amend a record that was not created by the covered entity. An exception to this rule exists if the record subject provides a reasonable basis to believe that the originator of the information is no longer available to act on the requested amendment.

 

  • WPF Policy Note: The World Privacy Forum believes that the exception is too narrow to protect the interests of all patients, including victims of medical identity theft. Providing evidence that the originator of the information is unavailable may be difficult for many patients. Proving a negative is often impossible. Further, if the originator is available but does not act on a request for amendment, the information in the subsequent covered entity’s record may be just as wrong and could have a continuing detrimental effect on the patient’s treatment or payment. It is uncertain how serious of a problem exists because of the HIPAA provision allowing a covered entity to reject an amendment request about information provided by a third party.

In many circumstances, a health care provider will act reasonably to verify information that may affect patient care. For example, if you tell your surgeon that you think that your blood type is A, the surgeon is not likely to cavalierly accept contrary information just because it came from a third party. Health care providers are likely to be suitably concerned about the possibility of wrong information and medical errors.

However, there may be real problems in some circumstances, and health insurers may not be as worried about errors, especially if the errors provide an excuse to deny a claim. Consider an identity thief who has an appendectomy while masquerading as John Doe. When the real John Doe has an appendectomy a year later and submits the bill to his insurance company, the insurance company is likely to reject the bill because no one has two appendectomies. If John Doe asks the insurer to amend or delete the record of the first payment, the insurer can refuse the request under the HIPAA rule because the information came from a third party, namely the surgeon who operated on the identity thief. If John Doe asks the surgeon to correct the record, the surgeon will reject the request because he will say that the request came from a John Doe who has the same name as his patient but who is not the actual patient.

For a patient stuck in this type of Catch-22 situation – , where no one is willing to or is required to take responsibility for errors that were not the patient’s doing – it may be very difficult for the patient. The HIPAA health privacy rule provides no real assistance or remedy. The patient may only be able to ask for the good will, understanding, and cooperation of all concerned. For providers and insurers who operate in good faith, that may be sufficient notwithstanding the deficiencies of formal legal remedies. Otherwise, the next step may be litigation, and that is often an expensive and unattractive alternative for everyone concerned, even when litigation is possible.

 

  • WPF Policy Note: The World Privacy Forum believes that the third party amendment exception in the HIPAA rule is unfair to all patients and especially to medical identity theft victims. If a provider or insurer has information on a patient that it is using to make determinations about that patient, then the provider or insurer must take some responsibility to determine if that information is correct when asked by the patient. There may be circumstances in which a record keeper holds information (e.g., an insurer that receives a diagnosis from a health care provider) that the record keeper cannot properly evaluate or change.

    However, the current HIPAA rule fails to protect some patient needs. The rule should require more flexibility by record keepers and more attention to the legitimate concerns of patients.

Sample Letter

For medical identity theft victims, here is some language that may be useful in making a case for amendment or removal of incorrect information from a health provider’s record:

I may be a victim of medical identity theft. Some one may have obtained medical services using my name or my health insurance. The medical records that your institution maintains about me may include information that is actually about some one else. That information could be used to adversely affect my personal health care or to deny me insurance benefits that I am entitled to receive. I am working to identity the effects of the medical identity theft and to remove incorrect information from my files. Your institution not only has a responsibility to maintain accurate records, but it too may have been a victim of the same identity theft. We have a joint interest in resolving this problem. You may want to report my request to the part of your organization responsible for health care fraud.

 

5. Do I have greater rights under state laws, other federal laws, or hospital policies?

Maybe. Some states have health privacy laws that provide greater rights of amendment. If your records are held by the federal government (e.g., Medicare or VA), your rights to ask for amendment of records under the Privacy Act of 1974 may be greater than under HIPAA. These two sets of privacy rules overlap, and you are entitled to the best parts of both laws.

Sample Letter

You may want to include the following language in any amendment request that you make. This may be especially important if a health care institution provides you with a form to fill out. Add language like this to the form or to a cover letter:

I am requesting amendment of records because I believe that I am a victim of identity theft. My request is made pursuant to the federal HIPAA rule. In addition, if other federal or state laws provide greater rights of amendment, I also request that you provide any remedies available under those other laws.

 

6. What happens when a covered entity agrees to make an amendment?

The covered entity must:

  1. Make the amendment;
  2. Tell the requester what it did; and
  3. Make reasonable efforts to inform others about the amendment within a reasonable time.

The third requirement is most noteworthy. If you convince a covered entity to amend your record, the covered entity must tell any persons that you identity who received the original incorrect information and who need the amendment. In addition, the covered entity must notify any persons who have the information that was the subject of the amendment and who may have relied or could foreseeably rely on the information.

To make sure that amendments have been appropriately distributed, you may want to ask for an accounting of disclosures. See the next part of this FAQ for more information about rights to accounting. What is important is that amendments be provided to those who may rely on the original incorrect information. Each patient has the right to tell a covered entity to send the amendment to anyone who received the original information and needs the information.

Be sure that any information that bears on your future medical treatment is shared with other medical providers. Information that bears on insurance and payment matters may need to be shared with insurers and, possibly, with employers. The goal is to find and eliminate any information that others have that is incorrect.

This may take considerable effort, to make sure that every appropriate person has the information and that those with the information correct their own records. Every covered entity is required to take action when it receives a notice of amendment, but that doesn’t mean that it will be done quickly or properly. It may be appropriate to ask each appropriate covered entity to confirm that it actually made the amendment.

 

6. Can I appeal if a covered entity refuses to make an amendment?

Maybe. An institution must accept complaints about its health privacy policies and practices. Filing a complaint with an institution may not be the equivalent of filing an appeal of a denial of a request for amendment, but it may help if it forces someone new at the covered entity to review your request. However, some institutions may accept formal appeals. Consult the institution’s notice of privacy practices to see if there is an appeal method for a denial of a request for amendment.

You can also complain to the Secretary of the federal Department of Health and Human Services about how your request was handled. You can find information about the process at <http://www.hhs.gov/ocr/privacyhowtofile.htm>. Whether the Secretary will actually investigate your problem is uncertain.

There is an additional alternative. When a covered entity denies your request for amendment, it must tell you that you can request that the covered entity provide a copy of your request for amendment with any subsequent disclosure of the disputed information. In most cases, this is an advisable step to take.

Sample Letter

You should write to the covered entity with this request:

I ask that my request for amendment be included with any subsequent disclosure of the information for which I requested an amendment. This is a right guaranteed by the HIPAA health privacy rule at 45 C.F.R. § 164.526(d)(1)(iii).

 

7. Are there other remedies if my request for amendment is denied?

Yes. You have the right to file a written statement of disagreement, and that is a very important right. When a covered entity denies your request for amendment, it must tell you about this right.

The statement of disagreement gives you the opportunity to explain your side of the story. The covered entity can reasonably limit the length of the statement of disagreement, so don’t plan on writing a novel-length document. We also suggest that your statement should be factual and should refrain from making personal attacks on anyone involved in the process.

Sample Letter

Here is a sample of a statement of disagreement that might serve as a model:

I am a victim of medical identity theft. Someone impersonated me and obtained medical treatment (or medical payment) using my name and health insurance. The information about the identity thief has been included in my record, and the [insert name of covered entity] has refused to remove it. The specific information that is wrong is about treatment for [insert description] that occurred on these dates: [insert dates].

Because this information is not about me, it does not belong in my medical record. I want this information removed entirely because I am concerned that someone may mistakenly assume that the information is about me. If the information is wrongly used to affect my medical treatment, then I could be harmed or killed by inappropriate treatment. I want everyone who has access to my medical record to be aware of the error and to take great care not to rely on wrong information when treating me or paying for my care.

The covered entity can write and circulate a rebuttal to your statement of disagreement. If it does so, it must provide you with a copy of its rebuttal.

HIPAA offers another protection even if you don’t file a statement of disagreement. The rule requires a covered entity that has received and denied a request for amendment to append or link the record in question with the request for amendment. The purpose here is to make sure that whoever sees the disputed record will also see the request for amendment.

 

8. Can the covered entity still disclose the information that I disputed?

Yes, but HIPAA offers additional rights. First, if you have submitted a statement of disagreement, the covered entity must disclose it when it discloses the disputed information.

Second, if you choose not to submit a statement of disagreement, the covered entity must include your request for amendment (and its denial) along with any subsequent disclosure only if you have requested that the covered entity do so. In most cases, this is an advisable step to take.

Sample Letter

You should write to the covered entity with this request:

I ask that my request for amendment be included with any subsequent disclosure of the information for which I requested an amendment. This is a right guaranteed by the HIPAA health privacy rule at 45 C.F.R. § 164.526(d)(5)(ii).

IV. Accounting for Disclosures

 

1. What’s an accounting of disclosures?

For a disclosure of medical information about an individual, an accounting is a record of:

  • The date of the disclosure
  • The name of the person or entity who received the information
  • A brief description of the information disclosed
  • A brief statement of the purpose of the disclosure (or, as an alternative, a copy of the request for a disclosure) An accounting is sometimes called a disclosure history. The requirement for health care institutions to maintain an account of disclosures comes from the federal HIPAA health privacy rule.

 

2. Why should I care about accounting of disclosures?

If you think that you may be a victim of medical identity theft, obtaining a copy of the accounting of disclosures for your medical record will help you follow the trail of your information and identify those who have incorrect information about you. In some instances, you may not care about correcting records that were disclosed to a researcher or a public health agency. These disclosures may not have any immediate consequences for you.

However, if you learn that your records were disclosed to law enforcement or health oversight agencies, you might have reason to worry that the information disclosed will be used against you in some manner. By learning the purpose of each disclosure, you will be better able to make judgments.

 

3. How do I make a request for an accounting?

Start by obtaining a copy of the notice of privacy practices that the HIPAA health privacy rule requires each hospital and insurer to publish. You may already have a copy. If not, each HIPAA covered entity must provide a copy of its notice to anyone who asks for one. In addition, a copy should be available on the website of each covered entity (if the covered entity has a website).

The notice of privacy practices describes your rights, including your right to inspect and obtain a copy of your record. You will likely be asked to fill out a form in order to make your request for an accounting. The covered entity must act on a request for accounting within 60 days, but it can extend the time limit for another 30 days if it provides a written explanation of the delay.

 

4. Who has to provide me with an accounting of disclosures?

Any HIPAA covered entity must provide a copy of an accounting of disclosures. For most individuals, your health care providers (doctors, hospitals, laboratories, pharmacies, etc.) and health insurers (HMOs, health plans, Medicare, etc.) will have the records that you want. You may also want to ask your Pharmacy Benefit Manager or PBM. A PBM is a company that contracts with managed care organizations, self-insured companies, and government programs to manage pharmacy network management, drug utilization review, and other activities. A PBM is likely to be the organization that fills your drug prescriptions by mail.

 

5. What does it cost to obtain an accounting?

You are entitled to receive at no charge one copy of the accounting of your medical record in any 12-month period. If you make more than one request, the institution may impose a reasonable, cost-based fee. The institution must tell you the cost in advance so you have a chance to modify or withdraw your request.

 

  • WPF Policy Note: The World Privacy Forum believes that victims of medical identity theft should have the right to obtain a copy of the accounting of disclosures without charge as often as necessary until the problems resulting from identity theft have been resolved.

 

6. What are the limitations of an accounting of disclosures?

There are many limitations in the federal health privacy rule. These limitations make the accounting of disclosures less valuable than it should be. First, health care institutions do not have to account for all disclosures. They don’t have to keep an accounting of disclosures for treatment, payment, or health care operations. They don’t have to keep an accounting of disclosures if you authorized the disclosure. There are other exceptions too.

Second, health care institutions do not have to account for uses. A use of information occurs when a record is made available to someone within the institution that maintains the record. A disclosure occurs when a record is shared with someone outside the institution. The accounting requirement only covers some disclosures and no uses.

Third, sometimes an accounting that is required to be maintained can nevertheless be withheld from an individual who requests a copy of the accounting. Some disclosures to law enforcement, for example, can be made without telling the record subject for a limited time.

Fourth, the HIPAA requirement for an accounting started on April 14, 2003. A health care institution covered by HIPAA did not have to maintain accounting records before that date. Perhaps the biggest limitation is that the federal health privacy rule does not require an accounting of disclosures for treatment and payment. This means that a lot of information that you would want to find in an accounting will not be available.

For example, if a hospital gave care to someone in your name and billed your insurance company, you would want to know the details. You may not be able to obtain that information from the accounting of disclosures. Even worse, if a hospital told a credit bureau or collection agency that you did not pay your bill (i.e., a bill run up by an identity thief), the accounting may not reveal the disclosures. These disclosures may be exempt from the accounting requirement because they fall within the exception for disclosures for payment and health care operations.

 

  • WPF Policy Note: The World Privacy Forum believes that many of the limitations on accounting of disclosures in the HIPAA health privacy rule are a bad policy. Health care providers and insurers should be required to keep track of all disclosures and all uses. The World Privacy Forum observes that modern computer systems can readily keep track of uses and disclosures at very little cost. Many institutions already do so.

    The HIPAA rule should be amended to broaden accounting requirements, especially for computerized record keeping systems. The HIPAA rule should also be amended so that health care institutions maintaining accounting of uses and disclosures that exceed federal requirements should be obliged to share all accounting records with a requester.

 

7. The accounting of disclosures doesn’t appear to be very useful.

Why bother going through the process of getting an accounting of disclosures? First, obtaining a copy of the accounting is free. All you have to do is fill out a form or write a simple letter. It may not do everything you would like, but it may have some useful information.

Second, the accounting may help some. You should be able to learn something about how your records were disclosed from the accounting. It may point you to some record keepers you didn’t realize had records about you.

Third, obtaining an accounting is just one part of the process for learning about and recovering from medical identity theft. Also, if there has been a data breach of your medical information, this should come out in the accounting of disclosures.

Keep reading for other ideas about how to respond to and recover from medical identity theft. Also, see the WPF consumer tips on how to recover from medical identity theft: <http://www.worldprivacyforum.org/medidtheft_consumertips.html>.

 

8. Do I have greater rights under state laws, other federal laws, or hospital policies?

Maybe. A few states may have health privacy laws that require health care institutions to maintain better accounting records or to disclose more accounting records to you. If your records are held by the federal government (e.g., Medicare or VA), your rights to have a copy of an accounting under the Privacy Act of 1974 will be greater than under HIPAA. These two sets of privacy rules overlap.

You can find more information about your health privacy rights at the website of the Health Privacy Project <http://www.healthprivacy.org/>. The website of the Georgetown University Center on Medical Record Rights and Privacy at http://hpi.georgetown.edu/privacy/records.html has information on state laws about access and correction of medical information.

Sample Letter

You may want to include the following language in any accounting request that you make. This may be especially important if a health care institution provides you with a form to fill out. The form may be designed to limit your request to the minimum HIPAA requirements, and you should ask for more just in case more is available. Add language like this to the form or to a cover letter:

I request a copy of all accounting records that are required to be made available under the federal HIPAA rule. In addition, if other federal or state laws provide greater rights of access to accounting records, I also request that you provide a copy of all accounting records to which I have a legal right. If your institution maintains accounting records for disclosures or uses that are not covered by HIPAA requirements, I also request that you provide a copy of all accounting records that you maintain, whether or not you are legally required to do so. If this request will result in any charges to me, please contact me first to discuss it. I will not pay any charges unless I am told of the charges in advance and specifically agree to pay them.

 

9. What’s the best strategy for making a request?

You only are entitled to one free request in any 12 month period. Think about when to make that request. If you learn that you were a medical identity theft victim two years ago, you probably should make the request right now. But if the medical identity theft is ongoing, you should realize that it can take time for your records to be updated to reflect current activities. Today’s record may not show events that happened in the last few weeks. However, even if you decide to wait to make the request, you should still notify the health care institution that you believe that there may be incorrect information in your file and criminal activity by an identity thief.

The accounting of disclosures is just one source of information about medical identity theft. You may learn more by requesting a copy of your medical record. The medical record is likely to tell you about uses and disclosures of your medical information that are not covered by accounting rules.

If you have reason to believe that you are a victim of medical identity theft, tell the institution when you make your request. The institution may also be a victim. If someone obtained services from a hospital in your name, the hospital may ultimately be stuck with the bill. It is in the hospital’s interest to learn about the crime too. The same is true for your health insurer. Everyone in the health care world is aware that fraud is a major and costly problem. With a little diligence, you may be able to find someone who will pay attention to the problem that you have.

Remember that the wrong information in your health record can harm you. If your health records show the blood type of an identity thief rather than your own blood type, the wrong information can kill you. The same is true for prescription drugs issued in your name to an identity thief. Consider reminding people that you talk to that the wrong information may not only harm you, but it could make the record keeper legally liable for damages. However, don’t make idle threats about lawsuits. You want people to help you.

If you are harmed by medical identity theft, it is possible that you will be able to sue someone for damages. That may include a hospital or insurance company that maintains and discloses incorrect information about you. Your primary goal should be to resolve the problems resulting from medical identity theft and to correct your records. However, you may also want to think about the possibility that you have a legal claim for damages. Keep records of everything that you do to resolve your medical identity theft case. These records may be valuable in the event of legal action. You may also want the records so that you can file an administrative complaint about a health care institution that did not comply with the HIPAA privacy rule. You can learn more about filing an administrative complaint at <http://www.hhs.gov/ocr/privacyhowtofile.htm>.

Be friendly and be determined. In general, health care institutions that have records about you are not criminals and share a common interest in solving medical identity theft problems. Those institutions may be victims too.

Sample Letter

Here is some language that you may want to use in your letters to alert institutions of the problem:

I may be a victim of medical identity theft. Some one may have obtained medical services using my name or my health insurance. The medical records that your institution maintains about me may include information that is wrong or actually about some one else. That information could be used to adversely affect my personal health care or to deny me insurance benefits that I am entitled to receive. I am working to identity the effects of the medical identity theft and to remove incorrect information from my files. Your institution not only has a responsibility to maintain accurate records, but it too may have been a victim of the same identity theft. We have a joint interest in resolving this problem. You may want to report my request to the part of your organization responsible for health care fraud.

V. Other FAQs for Medical Identity Theft Victims

 

1. I got a call from a bill collector about a medical bill for a doctor that I never saw.

Now what? If you hear from a bill collector, you should immediately pursue your rights under the Fair Credit Billing Act. Place a dispute on the collection notice right away. You can learn more about your rights under the Fair Credit Billing Act at the website of the Federal Trade Commission at <http://www.ftc.gov/bcp/conline/pubs/credit/fcb.htm>. It is important to follow the proper procedures under that Act in order to preserve your rights.

Remember that it will take a while to obtain your medical records and trace the scope of the identity theft so be sure to pursue your rights under other laws right away. Then start the process to find out what the bill was for by asking for your records from the doctor, hospital, and/or insurance company involved.

 

2. Where else can I find useful information?

You can find more information about your health privacy rights at the website of the Health Privacy Project <http://www.healthprivacy.org>. The website of the Georgetown University Center on Medical Record Rights and Privacy at <http://hpi.georgetown.edu/privacy/records.html> has information on state laws about access and correction of medical information.

 

3. Are credit reports important in cases of medical identity theft?

Yes. A victim of medical identity theft is a victim of identity theft just as if someone used your name and Social Security Number to open a credit card in your name. You have the same rights as any victim of identity theft. The problem is that those rights are geared toward victims of financial identity theft. However, if your credit report reflects a collection for a medical bill, this is a useful tip-off that you may be a victim. You have the right to get these items removed from your credit report when they are not accurate. The process of doing so, however, can take time.

 

4. I am dealing with a federal agency. How can I learn more about my rights under the Privacy Act of 1974 or the Freedom of Information Act?

A good resource is A Citizen's Guide on Using the Freedom of Information Act and the Privacy Act of 1974 to Request Government Records published by the House Committee on Government Reform. You can find the report at <http://www.fas.org/sgp/foia/citizen.html> and <http://fas.org/sgp/foia/citizen.pdf>.

 

5. Should I file a police report?

Yes. If you are a victim of medical identity theft, a police report can help you in a number of ways. You may be asked frequently for a copy of the police report after you have filed it.

 

FAQ history

Author: Robert Gellman <http://www.bobgellman.com>

Contributor: Pam Dixon

Publication history:

Version 1.4 March 18, 2008 most recent update.

Version 1.3 January 4 2008

Version 1.2 June 21, 2006

Version 1.3 June 30, 2006. First posting.