HIPAA – Protecting Patients Against Medical Identity Theft


HIPAA – Protecting Patients Against Medical Identity Theft

Janine Ordman | Nov, 29 2017

Imagine someone else having access to your private health information – without your knowledge or permission. Imagine what they could do with this information. Fraud comes to mind, and is among the primary reasons why the HIPAA Privacy Rule was established. The Rule, according to the U.S. Department of Health and Human Services, “outlines national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.”

HIPAA non-compliance puts patients at risk

Despite the mandate to comply with HIPAA, many healthcare providers still don’t. Daniel Solove, Founder of TeachPrivacy, reckons that it is because practitioners experience compliance as tedious and inconvenient, primarily because they have not been properly educated on why HIPAA matters. The Wall Street Journal in 2015 highlighted the profound negative consequences of medical identity theft: “Unlike in financial identity theft, health identity-theft victims can remain on the hook for payment because there is no health-care equivalent of the Fair Credit Reporting Act, which limits consumers’ monetary losses if someone uses their credit information.” In 2014, medical identity theft affected 2.3 million people; a figure that continues to rise and which is cause for concern and action.

The Wall Street Journal further discussed how identity thieves make use of industrious means to get their greedy hands on numbers for Social Security, private insurance, Medicare, and Medicaid. “Some are stolen in data breaches and sold on the black market. Such data are especially valuable, sometimes selling for about $50 compared with $6 or $7 for a credit card number…[because] medical-identification information can’t be quickly canceled like credit cards.”

Medical identity theft victims

Below is a list of situations that may suggest that a person is a victim:

  • They may receive medical bills for services they did not avail.
  • They may be called by a debt collector despite not owing that specific medical debt.
  • They may find their credit report with a medical collection they know nothing about.
  • They may discover unrecognized listings of clinic visits and medical treatments in their explanation of benefits (EOB).
  • They may be advised that they have maximized their health plan benefits.
  • They may be denied coverage by their insurance company due to diseases they don’t have.

What is the best thing to do in cases of medical identity theft?

Thorough investigation

Upon receiving a call from any patient regarding a seemingly wrongly billed medical cost, instantly go over the hospital or clinic records to review this and the identity of the patient who received the said medical service. Should there be inconsistencies and should medical identity theft be suspected, contact and notify everyone who had worked or who had access to the patient’s medical records to correct the records.

Fair Credit Reporting Act (FCRA)

Prior to directly reporting the incident, make sure that you know your scope of responsibility under the FCRA. As per the act, if a patient comes to you reporting identity theft, you are not allowed to report this to any credit reporting companies because this is the job of the police. A police report containing all the details regarding the medical identity theft is required before the credit reporting companies will accept it as a case.

Data security practices

As a responsible practitioner, it is highly advised that you periodically go over your data security practices and your obligations under Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules even if the fraud committed is not under your facility.

Breach notifications

If you’ve discovered an employee mishandling health information for medical identity theft purposes or if any private health data is given to medical thief, assess the situation to identify whether a breach under the HIPAA Breach Notification Rule (45 CFR part 164 subpart D) or any state breach notification law that may apply.

HIPAA education

The protection of healthcare information starts with educating professionals who deal with patients’ private data on the best measures to safeguard patients’ details, with an emphasis on why such protection has become increasingly important.

Here are some of Coggno’s top HIPAA courses:

• Course 1: HIPAA for Business Associates Course

• Course 2: HIPAA for Health Care Workers Course

• Course 3: HIPAA Privacy and Security for Covered Entities (80 minutes)

• Course 4: HIPAA Privacy and Security for Business Associates (80 Minutes)

• Course 5: HIPAA for Healthcare Professionals Course

• Course 6: HIPAA – Your Obligations Under the Privacy Rule Course

• Course 7: HIPAA – What Employees Should Know Course


Training. Simplified.



Speak to one of our experts about Coggno Prime

Whether your goal is to buy industry specific training or get an integrated LMS, we have your back.

Also, learn how we helped organizations save $150,000 on their training budget last quarter. Fill out the form below and one of our experts will get in touch with you.

Learning Made Simple

online training courses Blog
Employee training

Boost Your Workforce's Skill

Fresh and relevant courses to elevate your team’s skills and competencies

Schedule Demo