February 24th, 2009
Have you been turned down for a job or denied health insurance recently, and can’t figure out why?
The reason might be tucked away in your private medical records. And, thanks to an identity thief, the reason might be 100 percent false.
A dangerous twist on an old scam, medical identity theft happens when someone steals your identity to receive medical care or buy drugs in your name.
The victim winds up with a medical record full of false information, a bad credit rap when the bills go unpaid and sometimes all insurance benefits exhausted.
It can take years to detect medical identity theft and many more years to straighten out the mess, according to Pam Dixon, executive director of the World Privacy Forum, the organization that first brought this crime to the public’s attention in 2006.
“If it happens to you, it takes two to 10 years to unravel,” she said.
In a 2006 report, the World Privacy Forum found medical identity theft deeply entrenched in the health care system, with about 250,000 cases discovered.
But that was just the beginning. Dixon said an updated study her organization will release in a few months will show medical identity theft has grown, boosted by the dire economy and the growing use of electronic medical records.
Wondering if any of your medical records are stored electronically?
A good majority of the large medical providers have made the switch to electronic records and many of those who have not are in the process of converting.
An inside job
Not that long ago, doctors checked a patient’s medical history by flipping through a thick paper chart.
And when a patient needed medicine, the doctor pulled out a paper prescription pad and scribbled away.
Electronic medical records have done away with the paperwork, giving doctors the ability to access a patient’s records on the nearest computer.
Prescriptions are zipped off electronically, arriving at the pharmacy before the patient even leaves the doctor’s office.
But the convenience can come at a price: Electronic medical records are easier to access on a large scale than paper charts stored in a filing cabinet, and they’re often accessed for fraudulent purposes from inside a medical organization, Dixon said.
What’s more, the thefts are hard to detect because they’re hidden in large electronic payment systems and widely dispersed databases, the 2006 study found.
Local hospitals and clinics contend their patient records are secure, and the cases of medical identity theft they have dealt with have been confined to a handful of patients a year posing as someone else in a hospital emergency room.
Hospitals do catch some posers in the act, but those coming in with genuine emergencies get their medical care first and a visit from the police later,
Often, the identity thief is someone who took a family member’s medical card or other form of ID to try to get free care, said John Becker, a patient privacy law security expert.
Patients coming in with false IDs get caught largely because something about the person seeking treatment doesn’t match something in the records of the person whose name is being used, Becker said.
Or sometimes staff members recognize the patient from a previous visit.
When medical identity theft goes undetected, the victims are left in a dangerous situation the next time they need medical care themselves, because the imposter’s medical conditions, drug allergies, lab tests and treatments have become part of their records, Rinehart said.
“You have two people’s medical history merged,” said Julie Houska, a patient privacy security official.
The federal Health Insurance Portability and Accountability Act (commonly known as HIPAA) also works against a victim trying to untangle a medical identity theft mess, Dixon said.
HIPAA gives patients the right to see their medical records. But if false information has been inserted into those records, an institution may deny patients the right to their own records in order to protect the privacy of the identity thief’s medical conditions and care.
“The No. 1 complaint we get from victims is they’re not shown their records,” Dixon said. “They say they were impersonated. The hospital says, ‘Because it’s not you, we can’t give you the record.’ It’s this horrible Catch-22.”
Protecting yourself
A few steps to avoid medical identify theft:
1. Don’t share your personal data. Guard the privacy of your medical information – including explanations of benefits from insurers, insurance identification numbers, prescriptions and medical bills – just as carefully as you would guard your bank and credit card statements.
2. Read all medical bills and explanations of benefits carefully, and ask questions about what you don’t understand. Look carefully for dates of services and charges for services that look unfamiliar.
3. Some cases of medical identity theft go undetected until the victim is turned down for a job or insurance. If you have been rejected, ask for the reason.
4. Ask your medical providers for a copy of your records if you suspect discrepancies. It is your legal right to obtain a copy of your records from insurers and most health providers, and the charge per page must be reasonable, according to the World Privacy Forum.
5. If you have been the victim of medical identity theft, the World Privacy Forum advises:
– File a police report.
– Get a copy of the notice of privacy practices each medical provider covered by the HIPAA health privacy law are required to provide patients upon request. It will describe your right to inspect and get a copy of your record and the steps to follow.
– Ask each of your medical providers for your records, and if you are ultimately refused, file an appeal.
– Know that information in your record may have been shared with others. Under the HIPAA law, you have the right to ask your medical providers and insurers to provide for free an accounting of disclosure showing what personal information of yours has been disclosed and who received it. But be aware there are permitted gaps in the information you will receive.