Medical Identity Theft/Privacy Laws & Electronic Records May Worsen Problem

PATIENT MONEY
Medical Problems Could Include Identity Theft
By WALECIA KONRAD
Published: June 12, 2009
New York Times

Brandon Sharp, a 37-year-old manager at an oil and gas company in Houston, has never had any real health problems and, luckily, he has never stepped foot in an emergency room. So imagine his surprise a few years ago when he learned he owed thousands of dollars worth of emergency-service medical bills.

Brandon Sharp, of Spring, Tex., learned he was a victim of medical I.D. theft only when he applied for a mortgage and discovered debts on his credit report for emergency room visits at places in the country he had never been.

Mr. Sharp, as it turned out, was a victim of a fast-growing crime known as medical identity theft.

At the time, Mr. Sharp was about to get married and buy his first home. Before applying for a mortgage he requested a copy of his credit report. That is when he found he had several collection notices under his name for emergency room visits throughout the country.

“There was even a $19,000 bill for a Life Flight air ambulance service in some remote location I’d never heard of,” said Mr. Sharp, who made this unhappy discovery in 2003. “I had emergency room bills from places like Bowling Green, Kan., where I’ve never even visited. I’m still cleaning up the mess.”

The last time federal data on the crime was collected, for a 2007 report, more than 250,000 Americans a year were victims of medical identity theft. That number has almost certainly increased since then, because of the increased use of electronic medical records systems built without extensive safeguards, said Pam Dixon, executive director of the nonprofit World Privacy Forum and author of a report on medical identity theft.

And uncountable, Ms. Dixon said, are the people who do not yet know they are victims. They may not know that their medical information has been tampered with for months or even years until, as in Mr. Sharp’s case, it shows up in collections on a credit report.

Medical identity theft takes many guises. In Mr. Sharp’s case, someone got hold of his name and Social Security number and used them to receive emergency medical services, which many hospitals are obliged to provide whether or not a person has insurance. Mr. Sharp still does not know whether he fell victim to one calamitous perp who ended up in several emergency rooms or a ring of accident-prone conspirators.

In another variant of the crime, someone can use stolen insurance information, like the basic member ID and group policy number found on insurance cards, to impersonate you — and receive everything from a routine physical to major surgery under your coverage. This is surprisingly easy to do, because many doctors and hospitals do not ask for identification beyond insurance information.

Even more common, however, are cases where medical information is stolen by insiders at a medical office. Thieves download vital personal insurance data and related information from the operation’s computerized medical records, then sell it on the black market or use it themselves to make fraudulent billing claims.

In a widely reported case in 2006, a clerk at a Cleveland Clinic branch office in Weston, Fla., downloaded the records of more than 1,100 Medicare patients and gave the information to her cousin, who in turn, made $2.8 million in bogus claims.

When people are not aware their medical identities have been stolen, insurance companies may simply continue to pay the fraudulent claims without the victim’s knowledge. The person might learn of the fraud only when trying to make a legitimate claim, and the insurance company informs them they have reached their lifetime cap on benefits.

Or victims may eventually discover erroneous information in their medical files during a doctor or hospital visit. And that may pose a bigger danger than the financial risks. The medical records may now contain vital information like blood type, allergies, prescription drug use or a history of disease that is just plain wrong. In an emergency, doctors could treat you based on this erroneous information.

And there are none of the consumer protections for medical identity theft victims that exist for traditional identity theft. Under the Fair Credit Reporting Act you can get a free copy of your credit report each year, put a fraud alert on your account and get erroneous charges deleted from your record. If your credit card is stolen and the thief goes on a spending spree, you’re not liable for more than $50 worth of the charges.

With medical identity theft, though, the fraudulent charges can remain unpaid and unresolved for years, permanently damaging your credit rating. Under the federal law known as Hipaa — the Health Insurance Portability and Accountability Act — you are entitled to a copy of your medical records, but you may have to pay a hefty fee for them.

Worse, Hipaa privacy rules can actually work against you. Once your medical information is intermingled with someone else’s, you may have trouble accessing your files. Privacy laws dictate that the thief’s medical information now contained in your records must be kept confidential, too.

Even when you are able to correct a record, say in your doctor’s office, the erroneous information may have been passed on to dozens of other health care providers and insurers. Victims must track down and resolve these errors largely on a case-by-case basis, Ms. Dixon says.

Medical providers contend that they are taking precautions against identity theft. At Cleveland Clinic, for example, security personnel routinely audit electronic medical record systems and all records are password-protected. Many Blue Cross Blue Shield insurers use software to screen for spikes in claims from providers that look suspicious. They also work with providers on encrypting medical files and carrying out data access restrictions, said Calvin Sneed, senior antifraud consultant at the Blue Cross and Blue Shield Association.

And some medical centers and doctors’ offices now require patients to show photo ID and attach photos to patient charts.

But privacy advocates worry that these steps do not go nearly far enough, especially in light of President Obama’s plans to spend $20 billion to increase the use of electronic medical records nationwide as part of the stimulus package. “Without aggressive safeguards, we could be building an infrastructure for massive medical fraud,” said Ms. Dixon.