The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

What is Medical Identity Theft?

Medical identity theft is the theft or misuse of an individual’s health information to fraudulently obtain treatment, prescription drugs, or medical equipment. Despite significant penalties for those who obtain or disclose health information without authorization, medical identity theft continues to be an issue for individuals, healthcare providers, and health insurance companies.  

Nobody knows the true scale of medical identity theft. Some sources have tried to compile medical identity theft statistics using a combination of FTC data, reported HIPAA data breaches, and data from the DoJ’s Bureau of Justice Statistics; but, due to underreporting (estimated to be as high as 92%), it is impossible to accurately calculate the prevalence and cost of impermissible uses of PHI by third parties who have acquired an individual’s data without authorization.

Additionally, these sources can give a false impression of how medical identity theft occurs. According to a survey conducted by the Ponemon Institute in 2015, only 16% of medical identity theft is attributable to HIPAA data breaches and other reportable events (i.e., malicious insiders), whereas almost half of all healthcare identity theft is attributable to the misuse of an individual’s health information by the individual (23%) or by a member of the individual’s family (24%).

While these statistics may seem incredible, they closely align with a survey conducted the following year. This survey found 9% of identity theft events were attributable to criminal attacks, while 11% were due to the actions of malicious insiders. However, 48% of respondents attributed an event to an “unintentional employee action”. If you substitute “unintentional employee action” with “failure to verify identity of patient”, there is little doubt about the primary cause of medical identity theft.


The Consequences of Healthcare Identity Theft

The consequences of healthcare identity theft can be far more serious than financial identity theft inasmuch as, if a third party gets treatment in an individual’s name, the third party’s health problems become part of the individual’s health record. This could affect the individual’s ability to get medical care and insurance benefits at a later date and affect decisions made by doctors who take the third party’s health problems into account when subsequently diagnosing the individual.

Returning to the 2015 Ponemon Institute survey, 10% of healthcare identity theft victims said they experienced a misdiagnosis and 11% of victims experienced treatment delays due to fraud-related errors in their medical records. Additionally, 45% of respondents reported that the theft of sensitive medical information had affected their personal or professional reputations – 19% claimed that, due to the theft of medical information, they were excluded from a career opportunity.

The consequences of healthcare identity theft do not only affect victims. Healthcare providers and health insurance companies have to deal with upset individuals, fraudulent claims, unpaid bills, and corrupt medical data. Additionally, due to the HIPAA Privacy Rule, it is not always possible to resolve issues resulting from healthcare identity theft without the consent of the victims – half of which may be unwilling to support an investigation due to the consequences for family members and friends.

How to Prevent Medical Identity Theft

There are three ways in which Covered Entities can prevent medical identity theft – or at least reduce its prevalence. The first is to alert individuals to the penalty for misusing health information and inform them via the Notice of Privacy Practices that cases of medical fraud will be reported. According to §1177 of the Social Security Act, the penalty for using individually identifiable health information under false pretenses is a fine of up to $100,000 and up to five years in jail.

The second way Covered Entities could prevent medical identity theft is to extend the verification requirements of the Privacy Rule §164.514 to apply to patients seeking treatment, prescription drugs, or medical equipment. While this may initially slow down patient processing procedures, a well-publicized verification campaign would soon spread the word that it is much harder to commit medical fraud at providers that implement verification measures.

Finally, although only 16%-20% of reported medical identity theft is attributable to criminal activity and malicious insiders, it is important Covered Entities and Business Associates implement best data security practices to prevent data from being accessed and acquired by both external and internal bad actors. Organizations unsure about which data security practices to implement to comply with HIPAA and prevent healthcare identity theft should review our HIPAA compliance guide – which includes a comprehensive section on Security Rule compliance.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
