ABA Health eSource
 February 2007 Volume 3 Number 6

Medical Identity Theft: What It Is And Considerations For The Healthcare Provider
by William E. Hopkins, Thompson & Knight, Austin, TX

Everyone is familiar with the concept of financial identity theft. There are television programs about it, credit card companies run commercials bragging about their theft deterrence systems and zero liability programs, and notices are regularly provided to consumers providing tips on how to prevent it from happening. Medical identity theft (MIT), on the other hand, is an equally significant problem with equally devastating potential results, yet it receives little or no public recognition or attention. Also unequal are the available remedies to victims. Victims of financial identity theft can depend on rights such as the ability to see and correct errors in their credit report, the ability to file fraud alerts, the right to obtain documents or information relating to transactions involving their personal information, and the right to prevent consumer reporting agencies (such as credit bureaus) from reporting information that has resulted from identity theft. 1 By contrast, victims of MIT do not have a similar complete set of rights or redresses. Victims of MIT do not have the blanket right to correct errors in their medical files. In some cases, victims have not been allowed to even review the compromised files, nor do they have the right to prevent healthcare providers, medical clearinghouses, or insurers from reporting and re-reporting information that has resulted from identity theft. Based on statistics acquired by the World Privacy Forum from the Federal Trade Commission (FTC) for their 2006 report, there have been 19,428 complaints regarding MIT from January 1, 1992 through April 12, 2006, received by the FTC through its Consumer Sentinel database. 2 Given these are only the reported numbers, and these numbers only run through 2006, it can only be imagined what the actual occurrence numbers must be and how many instances go unreported or undiscovered.
In general, not only is the public generally ignorant of this crime and its potential effects, but the healthcare industry and the federal and state agencies responsible for protecting citizens against identity theft matters have failed to adequately recognize its enormity as well.

Unlike financial identity theft, MIT is a crime that can go well beyond financial difficulties; it can cause great physical harm as well. Often, MIT leaves a trail of falsified information in medical records that can plague a victim's medical and financial life for years. These fraudulent changes can result in financial losses, loss of reputation based on false diagnosis, patients not getting the treatment and care needed, receiving the wrong type of treatment or care, or receiving insurance denials based on inaccurate medical histories. In the worst-case scenario, the misinformation created by this type of fraud can cost someone his or her life.

Medical Identity Theft: What is It and How Does it Happen?

In this crime, a victim's medical identity (usually their name, address, social security number and health insurance information) is stolen or appropriated through some form of access to the victim's medical file. Most often, this access is acquired through documentation found in the office of a healthcare provider, a medical records storage company, insurance company or other location. Often the information is appropriated by someone who has unique access to it, such as an employee, care provider or other type of records worker. Once acquired, the information is then used, without the victim's knowledge, to make false claims or fraudulently receive medical goods or services. Frequently, in order for the fraud to be effective, the victim's medical information, such as blood type, prescription history, allergies or chronic diseases, is changed as a part of the false care being rendered. These changes, made to the victim's actual medical records, are where the danger begins for the victim. Since changing the billing address and the contact phone numbers on the medical chart is necessary to prevent discovery of the crime, the victim often has no idea that a crime has been committed or that changes have been made until long afterward. The usual signs of MIT are: overdue bills for services never received; receipt of an explanation of benefits for services not received; or, when receiving care, recognizing that unauthorized changes have been made to the patient's health record.

Medical Identity Theft and HIPAA

With the implementation and protections of the federal health privacy rule issued under the authority of the Health Insurance Portability and Accountability Act (HIPAA) 3, it would be expected that HIPAA would play a role in how MIT would be prevented and, once it occurred, in how these frauds could be remedied. Unfortunately, HIPAA was put in place prior to MIT being recognized as a significant problem. As a result, rather than assist victims of MIT, it may actually serve as an additional impediment to a victim seeking to correct their records. As a part of its role with regard to healthcare information, HIPAA gives an individual the right to review and seek amendment of their medical records. However, that right has some significant limitations that become particularly relevant in the MIT scenario. For example, the right to ask for an amendment does not apply to medical information that was not created by the provider or insurer currently maintaining or using the information. 4 In short, the medical information sent by one provider or insurer to another provider does not have to be corrected by the recipient, even if they have been put on notice that the information may be false. 5 Based on the shortcomings of HIPAA in this regard, a victim who discovers such errors has no ability to force the amendment of their records by a healthcare provider, if the records were created by a third party and merely transmitted to them. As a corollary to this point, even if a victim is successful in getting one provider to amend the records, there is no guarantee that this success will continue with regard to all of the other providers who have also received this false information. Without correcting all copies of a victim's medical record, the likelihood of the perpetuation of the false information, and therefore the risk of harm, is high.

Furthermore, based on the protections of healthcare information in HIPAA, a victim of MIT may not even be allowed to see their own records. As odd as it sounds, following the letter of the law of HIPAA, a healthcare provider or insurer, upon receiving proof that a fraud has occurred and establishing that the records in their possession represent the information of someone other than the victim, can refuse to allow the victim to see the records since they are now the healthcare information records of someone else, and therefore protected by the provisions of HIPAA. Clearly, this type of result was not expected or intended, but it illustrates how ill-prepared the laws are in dealing with the aftermath of this type of crime.

All this being said, there may be some value to HIPAA in this regard. It is believed that one provision of HIPAA, called the Accounting of Disclosures, 6 could be helpful for some victims of MIT in some circumstances. Pursuant to this provision, all covered entities must maintain an accounting of who healthcare information is disclosed to over time. Since tracking down all of the erroneous records is essential to a victim, this accounting may provide a road map for the victim to use to begin to put their life back together. Unfortunately, based on the exceptions to this requirement, this accounting may have very limited benefits. Specifically, under the exceptions, a covered entity is not required to maintain any accounting of disclosures that occurred for treatment, payment or healthcare operations. Since the majority of disclosures in an MIT scenario will involve one of these three issues, entities may not record them and there may be little information for the victim to use.

Electronic Records, Health Networks, and the Challenges of Medical Identity Theft

Advances in technology in the area of electronic health records create some new challenges for how MIT will be dealt with in the future. It is clear that the healthcare industry is pushing to make patient medical records electronic and place patient information in a National Health Information Network (NHIN) 7. Digitized patient records and the National Health Information Network, in particular, create two significant problems in the context of MIT, enumerated by the World Privacy Forum 8:

First, the NHIN may make individuals more vulnerable to MIT by making personally identifiable health information more accessible to criminals who have already learned how to work inside the healthcare system. Digitized information is much more portable and lends itself to rapid transmission. These are usually seen as benefits. But in the hands of an identity thief, these benefits may become liabilities.

Second, the NHIN, as currently conceived, may perpetuate and transmit medical errors in ways that have potentially negative consequences. Errors in medical charts and documents arising from MIT could, if left uncorrected as they are by and large today, percolate through a nationwide system. Without more attention, patients who have incorrect files in one city will find their same incorrect files available to all doctors and insurers that use the health network. The same errors may also affect the factual accuracy and quality of medical research and public health interventions based on that data.

Health Care Providers: Unwitting Role in Crime

Healthcare providers, primarily physicians, are increasingly becoming unwitting participants in this type of crime. It has long been tradition that many physicians ask only for a patient's insurance card and no other form of identification when treating patients. Thus, criminals have found their perfect playground for abuse. Based on this lack of security, a criminal can directly utilize another individual's insurance information for unauthorized doctor's appointments and treatments without significant fear of getting caught. Of course, given the direct nature of this crime, the criminal does risk some exposure and an individual patient is limited in the amount of care that can be billed. Therefore, some criminals have recognized that they can receive even larger amounts of fraudulent care, treatments or medications by assuming the identity of the physician. Once a physician's unique identification number and DEA number are acquired, criminals are provided with an open door to falsely authorize medical services to whomever they wish. While it would appear that getting this information from a physician or physician's office would be difficult, government alerts have shown that it may be easier than anticipated. According to alerts provided by the Inspector General's Office 9, fake companies will pose as insurance auditors, billing services or other third party billing companies in order to gain the physician's trust. Under this guise, they call the provider claiming to need additional information to ensure prompt payment of bills in their possession. Physicians and their office staff are often so anxious to ensure that bills get paid that these types of calls can yield access to all protected information. With the push to switch healthcare over to electronic health records, without heightened security, criminals may find even more resources to tap for their crime.

Healthcare Providers: Guardians of the Vault

Given the amount of confidential and sensitive information that healthcare professionals maintain in their offices, it is not surprising that they are one of the key sources of medical information stolen and used for the fraud. Closely linked with being the inadvertent source of unauthorized medical information are questions of security, foreseeability and liability regarding how the information was accessed. Fortunately, there are ways that healthcare providers can minimize their risk and ensure greater protection of patient information. 10 Since not all MIT can be prevented, healthcare providers must learn how to spot the red flags that may appear in a patient's medical records and indicate someone's records have been tampered with or used in a medical identity fraud. These red flags include, but are not limited to, the following:

  1. Records showing medical treatment or diagnoses that are inconsistent with physical examination or medical history as reported by the patient, including but not limited to incorrect blood type;
  2. Records showing substantial discrepancies in age, race, and other physical descriptions between the patient in the record and the patient in the office;
  3. Questions raised by a patient about an explanation of benefits for services the patient never received;
  4. Dispute of a bill by a patient who claims to be the victim of financial identity theft or MIT.


MIT poses a significant threat to the security of patient information, as well as the health and safety of patients who are the victims of this crime. It also poses a serious threat of potential liability to healthcare providers who fail to provide sufficient protection for the sensitive patient information entrusted to them. If unchecked, healthcare providers may never have certainty that the medical records they are relying on to provide care belong to the person who is being treated, and patients may be equally uncertain whether the records being used to treat them or determine whether a certain type of care is appropriate are based on their medical information, or fraudulently based on the records of an identity thief. Patients may also be wrongfully denied necessary health services by both providers and insurance companies because of false changes in their records. All healthcare providers should review their security measures and ensure they are adequate to protect both their patients and themselves.

1 The F.T.C. has a detailed page describing these rights and specific actions to take: Take Charge: Fighting Back Against Identity Theft. http://www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm. See also Government Accountability Office, Identity Theft Rights: Some Outreach Efforts to Promote Awareness of New Consumer Rights are Underway, (June 2005) (GAO-05-710).
2 "Medical Identity Theft: The Information Crime that Can Kill You," World Privacy Forum Report, Spring 2006, p. 12.
3 Pub. L. 104-191.
4 45 C.F.R. §164.526 (a)(2)(i).
5 The reason for the HIPAA limitation on amendment of information provided by a third party originated with legitimate concern that the holder of information may not have the knowledge to make an educated decision regarding the correctness of the questioned information. Clearly, this limitation did not contemplate Medical Identity Theft or the needs of the victims of that crime.
6 45 C.F.R. § 164.528.
7 The National Health Information Network (NHIN) is the plan proposed by the Federal Government that attempts to modernize and nationalize the storage, retention and transfer of electronic medical records. In short, the idea is to transition all paper medical files to electronic medical files and create a national network within which the information will be contained. Under the NHIN, hospitals, insurers, doctors, and others could access the information and utilize it to provide care on a nationwide basis.
8 "Medical Identity Theft: The Information Crime that Can Kill You," World Privacy Forum Report, Spring 2006, pp. 9-10.
9 Such alerts can be found at http://oig.hhs.gov/fraud.html.
10 Some suggestions include:

A. Implementation of Identity Theft Prevention Programs that contain reasonable policies and procedures to address the potential risks of identity theft to the provider's customers and employees. As a part of this security, providers must be careful about how medical information is transferred and treatment is verified. (Several scams have been reported of fake insurance adjusters calling physician offices seeking verification of charges by obtaining all of the physician's unique identification numbers and then using those numbers in future fraudulent billing.)

B. The most common mechanisms for fraud need to be recognized and scrutiny must be placed on how to make these documents more secure in a provider atmosphere.

C. Given that most incidents of Medical Identity Theft are "insider" jobs, when hiring staff, run background checks and criminal history checks on employees who will be working in sensitive information areas that are ripe for exploitation. Also, limit employee access to the healthcare information essential for job performance.