WPF urges HHS to clarify the harms of medical identity theft for victims

In its response to the Request for Information from the Office of Civil Rights of the Department of Health and Human Services regarding implementation of the HITECH Act, WPF has urged HHS to clarify the intersection between HIPAA compliance and harms resulting from medical identity theft. WPF has a long history of work regarding this form of identity fraud.

In 2005, WPF coined the term "medical identity theft" in testimony before the National Committee on Vital and Health Statistics, and in 2006 WPF wrote the first report about the issue, following it up with FAQs for victims and, eventually, a methodology for resolving errors introduced into electronic health records as a result of the crime. After 17 years of work, the crime is well documented and is no longer a novel threat. Many of the problems associated with the crime have been ameliorated. Nevertheless, the crime still exists, and victims still suffer a range of harms that can be quite significant, both medically and financially. WPF has urged HHS to do more to clarify various aspects of all stages of the lifecycle of the crime so that questions regarding whether or not HIPAA compliance was a factor can be addressed more clearly.

Another issue WPF addressed with HHS is the potential for conflict of interest regarding implementation of redress to individuals who have been harmed by HIPAA non-compliance. WPF suggested procedural and administrative controls as a way to work around complex issues regarding adjudication of monetary pay-outs for harms resulting from HIPAA non-compliance.

Read the Comments: