Medical Identity Theft: Discussion – Recourse and Recovery Issues for Victims
Victims of medical identity theft may need help with recovery in the area of correcting medical files and insurance records. They may also need help in the area of correcting financial information. In the area of financial recovery, multiple excellent resources exist for consumers. But in the area of medical and insurance information correction and recovery, victims will not find nearly the same resources or availability of recourse.
Financial Recovery Tools are Available for Victims
Multiple high-quality resources and pathways of recourse exist for victims of financial forms of identity theft. The Federal Trade Commission has dedicates resources to this area, and offers clear, effective tips for consumers. For example, the FTC maintains a consumer identity theft information page  < http://www.consumer.gov/idtheft/> which contains a four-step plan for recourse. Consumers have a statutory right to receive one free credit report from each of the three main credit reporting bureaus once per year.
Victims of medical identity theft may also experience in addition to the medical identity theft the full range of financial identity theft. In these cases, medical identity theft victims can use the available tools for financial identity theft victims and at the very least work to achieve recovery in that area.
Correcting and Recovering from the Medical and Insurance Aspects of Medical Identity Theft is Difficult
The high-quality tips and resources and the rights afforded to victims of financial forms of identity theft do not extend to the medical and insurance aspects of identity theft crimes. Victims of medical identity theft may generally experience multiple difficulties in attempting to recover.
The primary challenges include:
- Lack of enforceable rights to correct medical records in all instances.
- Lack of a government agency dedicated to help victims of medical identity theft.
- Lack of enforceable rights to delete misinformation from medical records.
- Lack of ability in most cases to find all instances of medical records.
- Lack of information resources about the unique needs of medical identity theft victims.
- Lack of a government agency dedicated to help victims of medical identity theft.
Why Can’t Victims Correct Their Medical Records?
The federal health privacy rule issued under the authority of the Health Insurance Portability and Accountability Act (HIPAA) gives an individual (e.g., a patient or an insured individual) the right to seek amendment of their medical records. However, that right has some significant limitations. The right to ask for an amendment does not apply to medical information that was not created by the provider or insurer currently maintaining or using the information. 
This means that any medical information sent by one provider or insurer to another provider or insurer does not have to be corrected by the recipient of the information, even though that recipient is using the information to make decisions about the record subject. HIPAA does not prevent an entity covered by the law from considering a request for amendment of a records provided by a third party, but an individual cannot even use the limited force of HIPAA to compel consideration of a request for amendment.
In medical identity theft, victims can get trapped in a maze of blame-shifting and circularity. If a doctor or hospital submitted an incorrect record, the insurance companies have no requirement to correct those medical files. The doctor in some cases may correct the file, but that does not ensure that all copies of the file (for example at labs) get corrected. And in cases where doctors have committed the identity theft or were part of the theft, it is nearly an impossibility to get the records corrected after the fact.
In short, anyone who is a victim of this crime may have an extremely challenging time trying to get medical files corrected, even if there are life-threatening changes on those files. The shift from paper files to electronic files has exacerbated this problem: victims of this crime may never be able to find each and every copy of their medical file, much less get it corrected. This can be especially problematic if the file was primarily an electronic file with no paper backup and did not have adequate audit and security controls. Hospitals or other providers may refuse to show the victim the medical file that was fraudulently created by the thief, even if the file has the victim’s name on it.
In some reported cases, an individual may not be able to see the record in the first place. Hospitals or other providers have in some cases refused to show the victim the medical file that was fraudulently created by the thief, even if the file has the victim’s name on it.  The HIPAA right of access may help, but if a patient argues that the information cannot be about himself, a hospital may be unwilling to disclose the records. A patient could be stuck in a Catch-22, where the patient cannot see the record in their file because the patient claims not to be the subject of the information.
The reason for the HIPAA limitation on amendment of information provided by a third party originated with legitimate a concern that the holder of information may not have the knowledge to make a decision about the correctness of the information. However, the HIPAA limitation provides no recognition of the problem faced by medical identity theft victims.
To illustrate the sweep of the HIPAA amendment limitation, consider how the same policy would work for financial identity theft. The Fair Credit Reporting Act as amended grants access and correction rights to subjects of credit reports held by credit bureaus (“consumer reporting agencies”). All of the information found in a typical credit report comes from third parties and does not originate with the credit bureau. Thus, if the HIPAA amendment limitation applies to credit reports, a financial identity theft victim would have no ability to change a credit report. Instead, however, the FCRA imposes on the credit bureau has to conduct a reasonable reinvestigation to determine if the disputed information is inaccurate.  The FCRA establishes a procedure that defines the role of the credit bureau (and of a furnisher of information  to a credit bureau) that seeks to find a reasonable balance among all of the interests involved. HIPAA essentially washes its hand of the problem with an overly broad exemption.
In an October 2005 press release HHS Secretary Mike Leavitt said:
“Given what we recently experienced with Hurricanes Katrina and Rita, the need for portable patient information that can follow the patient has never been more important.” 
From a perspective of a system with zero fraud and zero medical identity theft, this would make sense. But given the realities of these crimes, this “all records in any city” perspective means that medical errors introduced by criminals and unable to be corrected by victims will be endlessly perpetuated. Further, it is possible that a network will contain information for which no identifiable organization has responsibility to consider amendments. Everyone with access to the network may claim that someone else is responsible in order to avoid the expense and complication of handling amendments.
 45 C.F.R. §164.526(a)(2)(i). Some state laws may allow a right of amendment that does not include the HIPAA exclusion for third party records.
 The World Privacy Forum is aware of two instances where this has occurred. See Littleton Police Department Inclusive Case Report, March 25, 2004 (Case 2004001789) and “Medical identity theft:What’s the Deal?” March 21, 2003. NBC13, Birmingham, Alabama. <http://www.nbc13.com/nbc13investigators/2057120/detail.html>.
 15 U.S.C. § 1681i(a)(1)(A).
 15 U.S.C. § 1681s-2.
 “HHS Awards Contracts to Advance Nationwide Interoperable Health Information Technology – Strategic Partnerships with Public-Private Groups Will Spur Health IT Efforts.” 6 October 2005. U.S. Health & Human Services Documents. <http://www.hhs.gov/news/press/2005pres/20051006a.html>.
Roadmap: Medical Identity Theft – The Information Crime that Can Kill You: Part II Discussion – Recourse and Recovery Issues for Victims