Imagine someone else having access to your private health information – without your knowledge or permission. Imagine what they could do with this information. Fraud comes to mind, and is among the primary reasons why the HIPAA Privacy Rule was established. The Rule, according to the U.S. Department of Health and Human Services, “outlines national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.”
Despite the mandate to comply with HIPAA, many healthcare providers still don’t. Daniel Solove, Founder of TeachPrivacy, reckons that this is because practitioners experience compliance as tedious and inconvenient, primarily because they have not been properly educated on why HIPAA matters. The Wall Street Journal in 2015 highlighted the profound negative consequences of medical identity theft: “Unlike in financial identity theft, health identity-theft victims can remain on the hook for payment because there is no health-care equivalent of the Fair Credit Reporting Act, which limits consumers’ monetary losses if someone uses their credit information.” In 2014, medical identity theft affected 2.3 million people, a figure that continues to rise and is cause for concern and action.
The Wall Street Journal further discussed how identity thieves make use of industrious means to get their greedy hands on numbers for Social Security, private insurance, Medicare, and Medicaid. “Some are stolen in data breaches and sold on the black market. Such data are especially valuable, sometimes selling for about $50 compared with $6 or $7 for a credit card number…[because] medical-identification information can’t be quickly canceled like credit cards.”
Below is a list of situations that may suggest that a person is a victim:
Upon receiving a call from any patient regarding a seemingly wrongly billed medical cost, immediately go over the hospital or clinic records to review the charge and the identity of the patient who received the medical service. Should there be inconsistencies and should medical identity theft be suspected, contact and notify everyone who worked on or had access to the patient’s medical records so that the records can be corrected.
Prior to directly reporting the incident, make sure that you know your scope of responsibility under the FCRA. As per the act, if a patient comes to you reporting identity theft, you are not allowed to report this to any credit reporting companies because this is the job of the police. A police report containing all the details regarding the medical identity theft is required before the credit reporting companies will accept it as a case.
As a responsible practitioner, it is highly advised that you periodically go over your data security practices and your obligations under the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, even if the fraud was not committed at your facility.
If you’ve discovered an employee mishandling health information for medical identity theft purposes, or if any private health data has been given to a medical identity thief, assess the situation to determine whether a breach has occurred under the HIPAA Breach Notification Rule (45 CFR part 164 subpart D) or any state breach notification law that may apply.
The protection of healthcare information starts with educating professionals who deal with patients’ private data on the best measures to safeguard patients’ details, with an emphasis on why such protection has become increasingly important.
Here are some of Coggno’s top HIPAA courses:
• Course 1: HIPAA for Business Associates Course
• Course 2: HIPAA for Health Care Workers Course
• Course 5: HIPAA for Healthcare Professionals Course
• Course 7: HIPAA – What Employees Should Know Course