Medical identity theft—defined as use of a patient’s personally identifiable information to obtain medical treatment, services, or goods—has the potential to be life-threatening to its victims. When someone records incorrect information in a patient’s medical records or creates fictitious records in a patient’s name, the patient can suffer real harm (1, 2). Yet despite significant health and financial risks to patients, medical identity theft is the least studied and least documented among identity theft crimes (3). Uncorrected errors are difficult if not impossible to uncover, and they propagate through digital and paper medical systems (3). Recovering from this type of crime is especially challenging for both patients and institutions, as individuals’ rights to correct errors in their medical files often do not allow them to successfully remove false information (3).
Medical Identity Theft Trends in the U.S.
The most recent independent study of medical identity theft reported a 21.7% increase in 1 year (approximately 481,657 new cases in 2004) (2). The medical identity theft map (Figure 1) represents about 1 year of U.S. medical identity theft activity in the U.S.(3). This map is based on consumer complaints to the Federal Trade Commission (FTC) from the Consumer Sentinel Network reports from 2008 to 2009. Red dots represent incidents of medical identity theft, and the dot size reflects the number of reported incidents. The data relies on reporting, and therefore represents only a part of total activity. Geographic clustering is evident in Florida, California, New York, Arizona, and Texas.
Common Fraud Scenarios
Medical identity theft usually occurs under several common scenarios. Frequent consumer reports of fraud include: an offer of free medical equipment or services followed by a request for a Medicare number; a request from a friend, relative, or stranger to borrow or pay to use a Medicare card or other identity card; telemarketing or telephone surveys that ask for a Medicare number; and use of a lost or stolen Medicare or Social Security identity card to buy medicines, obtain medical services, or submit fraudulent billings to Medicare (1, 2, 3, 4).
Data breaches at institutions are another important source of identity theft. In some cases, healthcare providers are the criminals, using patients’ identities to falsely bill and defraud insurers and government payers.
A Hard Fraud to Find
People often discover medical identity theft serendipitously. Examples include receiving someone else’s bill; having insurance coverage denied, or receiving notification that insurance has reached lifetime limits; experiencing problems at an emergency room visit; being notified by law enforcement; or seeing unfamiliar explanations of medical benefit notices. Less commonly, a healthcare provider may recognize discrepancies in a patient’s file (4).
In addition, double billing, unfamiliar charges for medical equipment or medical care, or bills for dates of services that are not recognized may represent billing error or possible medical fraud. Other clues that suggest fraud include notices from collection bureaus for medical care or equipment that was not received or ordered, and unpaid bills for unfamiliar medical services or equipment on a credit report. Often consumers can resolve errors or confirm fraud by investigating these charges. Financial consequences can be severe—fraud can damage a patient’s credit rating and result in financial loss for both individuals and payers.
Tips for Consumers
The Health and Human Services Office of Inspector General recommends that individuals adopt a “Deter, Detect, Defend” approach to reduce risk of medical identity theft. For consumers, good practices include maintaining control of medical identity cards, and periodically reviewing credit reports, medical benefit explanations, medical bills, and prescription invoices. Lost or stolen Medicare and Social Security cards should be reported right away to the Social Security Administration. Consumers widely understand the requirement to report credit cards after loss or theft but may be unaware of the need to report missing medical identity cards.
Barriers to Correcting False Entries in Medical Records
Under the Health Insurance Portability and Accountability Act (HIPAA), patients have limited rights to seek amendments to their medical records. There is no patient right to delete misinformation or correct records, only a right to request that this be done. “The right to request an amendment does not apply to medical information not created by the provider or insurer currently maintaining or using the information,” according to the regulation (5). This is known as the third- party amendment exception, which allows a covered entity (e.g. a hospital) to reject a record amendment request if the false information came from a third party—for example, from a surgeon who operated on an individual who stole the defrauded patient’s medical identity. An exception to this rule applies when the patient/appellant has proof that the originator of the incorrect information (“third party”) is no longer available to appeal to. In such a circumstance, the organization the patient is petitioning may override the third-party exemption.
HIPAA limitations aside, patients also find barriers in locating records, both insurance and medical. Furthermore, no single governmental agency administers these cases. Although the FTC encourages consumers to report medical identity theft, this agency is not empowered to act in the healthcare realm, which is under the purview of the Department of Health and Human Services (4).
How Institutions Can Combat Fraud and Help With Recovery
Healthcare institutions should promptly notify authorities and consumers about medical data breaches. Speedy notification helps prevent or limit consumer financial loss and may be life-saving (Figure 2).
Privacy advocates argue that the government should expand patients’ rights to correct their health records by amending the HIPAA health privacy rule. Specifically, they contend that the third-party amendment exception rule is not adequate justification for rejecting amendment requests. Disavowal of responsibility for false information in records, regardless of origin, is considered indefensible. Additionally, advocates have called for all iterations of a patient’s record to be locatable and corrected (6).
Few would disagree that there is considerable room for improvement in the current system for amending medical records arising from fraud and medical identity theft. The particular difficulty in detecting this type of fraud and potentially grave consequences for its victims absolutely demands more vigilance and proactive measures.
How to Report Medical Identity Theft Crimes
Medicare fraud: OIG.HHS.gov/fraud/hotline. Misuse of personal information is reportable to the Federal Trade Commission’s Identity Theft hotline: FTC.gov/idtheft.
- U.S. Department of Health and Human Services Office of Inspector General. Medical ID theft/fraud information. https://oig.hhs.gov/fraud/medical-id-theft/ (Accessed February 20, 2017).
- Ponemon Institute. Fifth annual study on medical identity theft. http://medidfraud.org/wp-content/uploads/2015/02/2014_Medical_ID_Theft_Study1.pdf (Accessed February 25, 2017).
- World Privacy Forum. WPF resource page: The medical theft information page. https://www.worldprivacyforum.org/resource-page-medical-identity-theft-information/. (Accessed February 20, 2017).
- World Privacy Forum. Medical identity theft—The information crime that may kill you. http://www.worldprivacyforum.org/pdf/wpf_medicalidtheft2006.pdf (Accessed February 20, 2017).
- U.S. Department of Human and Health Services. 45 C.F.R. §164.526(a)(2)(i). Amendment of protected health information. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations (Accessed February 25, 2017).
- World Privacy Forum III. FAQ: Medical ID theft: How to recover if you’re a victim and what to do if you are worried about becoming a victim. https://www.worldprivacyforum.org (Accessed February 25, 2017).
Sharon M. Geaghan, MD, is professor emerita at Stanford University School of Medicine. +Email: email@example.com
CLN's Patient Safety Focus is sponsored by ARUP Laboratories