Medical identity theft and its impact on healthcare

Medical identity theft can have profound and far-reaching impacts on healthcare organizations. This impacts the financial stability of healthcare organizations and challenges their ability to maintain patient confidentiality and trust in the healthcare system.

What is medical identity theft?

Medical identity theft refers to the fraudulent and unauthorized use of an individual's or healthcare provider's unique medical identifying information, such as personal details, insurance information, and medical records, to obtain or bill for medical goods or services. This type of identity theft involves the misuse of healthcare-related information for financial gain or to access medical services, often without the victim's knowledge or consent. Medical identity theft can take various forms, including:

1. Fraudulent medical billing: Perpetrators use stolen medical identifiers to bill insurance providers for fictitious or unnecessary medical services, equipment, or prescriptions.
2. False referrals: Stolen healthcare provider identifiers are used to make it appear as though they referred patients for additional healthcare services.
3. Fictitious healthcare services: Perpetrators may use stolen identifiers to create false records of medical treatments or services that never occurred.
4. Exceeding benefit limits: Identity thieves may use the victim's information to access healthcare services, potentially reaching benefit limits and affecting the victim's insurance coverage.

See also: What hackers really do with stolen patient data

Who does it affect?

Patients and beneficiaries: Individuals who are victims of medical identity theft may face financial consequences, damage to their healthcare records, and disruptions in their medical care. They can also experience challenges in resolving fraudulent activities and clearing their names.

Healthcare providers: Healthcare providers, including doctors, nurses, and clinics, can be targeted by identity thieves who use their credentials to bill for fraudulent services or prescriptions. Providers may face legal consequences and damage to their reputations as a result of medical identity theft.

Health insurance companies: Health insurance companies are at risk of paying fraudulent claims due to medical identity theft, which can lead to increased costs and premiums for policyholders.

Government healthcare programs: Public healthcare programs like Medicare and Medicaid are vulnerable to fraudulent claims, which can result in the loss of taxpayer dollars and the diversion of funds away from legitimate healthcare needs.

Creditors and debt collectors: Medical identity theft can lead to unpaid medical debts that may end up in the hands of creditors and debt collectors, impacting the victim's credit history and financial stability.

Law enforcement and regulatory authorities: Law enforcement agencies and regulatory bodies may become involved in investigating and prosecuting cases of medical identity theft.

Credit reporting agencies: Credit reporting agencies may receive reports of medical collection notices and other fraudulent activities related to medical identity theft, which can affect an individual's credit report.

See also: Can healthcare organizations purchase email lists?

What are the risks to HIPAA compliance?

Unauthorized access to Protected Health Information (PHI)

When an identity thief gains access to a healthcare provider's credentials, they may use these credentials to access PHI without authorization. This unauthorized access can lead to violations of HIPAA's privacy and security rules.

Data breaches

If a medical identity thief uses stolen credentials to access PHI and then breaches this data, it can result in a significant data breach. HIPAA mandates that healthcare organizations have robust safeguards in place to protect against data breaches, and a breach can lead to severe penalties and fines.

Inaccurate patient records

Medical identity theft can result in fraudulent information being added to a patient's medical records, including inaccurate diagnoses, treatments, or prescriptions. These discrepancies can compromise the integrity of the patient's medical history, which is protected under HIPAA.

Compliance obligations

HIPAA mandates that healthcare providers and organizations have policies and procedures to promptly detect and respond to security incidents and breaches. When medical identity theft occurs, organizations must navigate these compliance obligations, including notifying affected patients and reporting breaches to the Department of Health and Human Services (HHS).

What to do if you experience medical identity theft

1. Conduct an investigation: If the person receives suspicious bills or notices, they should review their records, including any supporting documentation, to verify the identity of the person who received the services. They should also check their medical records for inconsistencies.
2. Notify parties: If medical identity theft is confirmed, they should notify all relevant parties who accessed their medical or billing records, informing them of inaccurate information and requesting corrections.
3. Understand legal obligations: Be aware of obligations under the Fair Credit Reporting Act (FCRA), especially if debts are being reported to credit reporting companies. Depending on the circumstances, reporting certain debts related to the theft might not be allowed under the FCRA.
4. Review data security practices: Regularly review data security practices and compliance with HIPAA Privacy and Security Rules, even if the information used in the fraud did not originate from the organization.
5. Provide necessary breach notifications: If an investigation reveals that protected health information was improperly used or shared, ensure compliance with the HIPAA Breach Notification Rule or applicable state breach notification laws.

How to prevent medical identity theft

1. Identity verification: Establish robust identity verification processes for patients and healthcare providers to prevent fraudulent access and identity theft attempts.
2. Record keeping: Maintain accurate records of who accesses patient data and when, as well as any modifications made to patient records.
3. Employee background checks: Conduct thorough background checks on employees and contractors with access to patient information.
4. Secure disposal: Ensure the secure disposal of old patient records, prescription pads, and other sensitive documents to prevent unauthorized access or retrieval.
5. Regular updates: Keep software and systems up-to-date with security patches and updates to address vulnerabilities that could be exploited.
6. Data backups: Regularly back up patient data to ensure data recovery in case of a security incident or data breach.
7. Security audits: Conduct regular security audits and assessments to identify vulnerabilities and weaknesses in your organization's security posture.

See also: HIPAA Compliant Email: The Definitive Guide