HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Senators Demand Answers from CMS and OCR About Medical Identity Theft and Fraud

Four senators have put their names to a letter sent to Jocelyn Samuels, Director of the Department of Health and Human Services’ Office for Civil Rights (OCR), and Centers for Medicare and Medicaid Services (CMS) Acting Administrator Andy Slavitt, requesting answers about the growing issue of medical identity theft.

Sen. Lamar Alexander, R-Tenn., Sen. Patty Murray, D-Wash.; Sen. Orrin Hatch, R-Utah, and Sen. Ron Wyden, D-Ore have signed the letter, which demands answers to nine questions relating to the role the HHS, OCR and CMS play in monitoring and addressing medical fraud and identity theft stemming from healthcare data breaches.

Healthcare data breaches have exposed the Protected Health Information of over 105,000,000 individuals so far this year, and there are still over six weeks of 2015 to go. That figure is certain to rise.

The problem is a growing concern. The total number of breach victims created over the past 6 years stands at 154 million, which equates to close to half the population of the United States. The senators point out that the situation is only likely to get worse.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The victims of these data breaches face an elevated risk of medical identity theft, and many have already suffered losses as a result of having their PHI exposed. In many cases, covered entities provide assistance and offer credit monitoring and identity theft resolution services to breach victims, but not always. That is largely left to the discretion of the covered entity. If assistance is not provided and the victims suffer losses as a result, where can they turn and what can they do to recover those losses?

Medical identity theft is not only an issue for data breach victims. The letter points out that the Medicare/Medicaid programs, which are funded by the taxpayer, have to budget for approximately $98 billion each year to cover the cost of medical identity theft. That figure corresponds to 10% of the programs’ annual budgets. All Americans are affected.

Given the huge number of victims of healthcare data breaches, and the cost of dealing with medical identity theft, the senators believe something must be done to address the risk and damage caused. It may not be possible to prevent all data breaches from occurring, but it is possible to provide the victims with support. They certainly need it, but the question is, where should that support be coming from?

The senators want to know what the CMS and HHS is doing to monitor medical identity fraud and whether the CMS and/or the OCR is actually doing anything to track cases of ID theft and fraud, specifically whether the OCR uses the data collected from covered-entities to monitor potential breach victims and find out if their data have in fact been used by criminals. Information has also been requested on the number of cases of medical fraud uncovered, and whether the massive data breaches that have already occurred this year have actually resulted in an increase in ID theft and fraud.

The HIPAA Breach Notification Rule requires covered entities to issue notifications to breach victims. In those letters the covered entity should outline the actions that can be taken to address the risk of ID theft and fraud. However, the senators want to know whether any education materials or help are offered to breach victims by the CMS and OCR in this regard.

With the OCR already stretched, should the responsibility of tracking and monitoring cases of identity theft come under its remit, or should it be concentrating on policing HIPAA Rules more rigorously? If the OCR or the CMS are not monitoring cases of identity theft, then which authorities are?

The answers to these questions should be provide later this month. The senators have requested a response by November 24.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.