The Scourge of Medical Identity Theft

Medical identity theft can make you sick. When I was asked by the reporter on the CBS Early Show, “If medical identity theft happens to you”…and I eloquently responded “You’re screwed”, and amazingly it made the edits to air. Because in sum, it’s true.

Medical identity theft occurs when someone uses a person’s name and sometimes other parts of their identity—such as insurance information—without the person’s knowledge or consent to obtain medical services or goods, or uses the person’s identity information to make false claims for medical services or goods. Medical identity theft frequently results in erroneous entries being put into existing medical records, and can involve the creation of fictitious medical records in the victim’s name. (I authored/entered this on Wikipedia as is)

A rule requiring healthcare providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals of a breach of their unsecured protected health information will become effective September 23, 2009.

The “breach notification” regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of the American Recovery and Reinvestment Act of 2009 (ARRA). HIPAA covered-entities include health plans, healthcare clearinghouses, and healthcare providers.

The regulations define breach as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted [by the HIPAA Privacy Rule] that compromises the security or privacy of the protected health information.”

Most states require corporations to disclose data breaches in effect for a few years now. Ever since the ChiocePoint breach reported in 2005, states attorneys general and their legislatures have implemented laws to notify citizens of that state. ChoicePoint at the time only notified citizens of the state of California because they were only required by California law. Then word got out that many other citizens of others states where breached and ChoicePoint became the poster-child for what not to do in a breach exercising bad corporate citizenry.

Because healthcare facilities often handle some of the same personally identifiable information as corporations, they are now falling under similar regulations.

Once your medical identity is stolen, the affects can show up in your medical records. Anyone posing as you can have allergies or other medical issues and it may end up as a notation in your medical records. This in some instances can affect your own health if medications are issued as a result of misinformation by an identity thief.

Protecting yourself from medical identity theft isn’t as easily explained as protecting yourself from financial identity theft.

1. Medical ID cards, insurance cards and medical statements that come in the mail can all be used to steal your medical identity. Install a locking mailbox to prevent your mail from being stolen.
2. Don’t carry cards in your wallet unless absolutely necessary like when you have an actual appointment.
3. Protect medical information documents. Shred all throw away documentation and lock it up when it’s in your home or office.
4. Treat your medical identity similarly as you treat your financial identity by getting similar protections. If the thief can’t steal your financial identity then your medical identity may be less attractive. Protecting yourself from new account fraud requires more effort. You can attempt to protect your own identity, by getting yourself a credit freeze, or setting up your own fraud alerts. There are pros and cons to each.