Are you doing enough to prevent identify theft in your medical practice? According to the Bureau of Justice Statistics (BJS), identity theft costs Americans an estimated $24.7 billion annually – a number that's expected to increase in the years to come. When a patient has his or her identify stolen, it can wreck havoc on their credit, and subsequently, their life.
So, how does the Health Insurance Portability and Accountability Act (HIPAA) of 1996 pertain to medical identify (ID) theft? Medical ID theft occurs when a healthcare patient uses another person's name and/or insurance information to receive treatment or other medical attention. For instance, a patient may attempt to receive healthcare treatment by using the personal information and health insurance of another person. Rather than billing the patient, the medical practice would likely bill the ID theft victim.
HIPAA was passed back in the mid 1990s for the purpose of protecting the privacy of healthcare patients in the U.S. Before this time, patient privacy was somewhat of a gray area, as healthcare providers were given more freedom to use and distribute patients' information. But HIPAA placed regulations on the way in which Protected Health Information (PHI) could be used and shared, protecting the privacy of healthcare patients.
You might be wondering if medical ID theft is a HIPAA violation. Well, it really depends on the circumstance. If a patient's information was stolen due to a lack of HIPAA safeguards, the respective practice could be found in violation of HIPAA. But if the patient's information was stolen outside the practice – or in a manner that couldn't be prevented through normal means – the practice would likely be off the hook for any violations.
As noted by the Federal Trade Commission, if a healthcare provider believes that one or more patients has been the victim of medical ID theft, the provider should encourage those patients to contact their insurance company to dispute any erroneous/falsified information.
“Encourage patients to write to their health plan or provider to dispute the inaccurate information. Tell them to include copies (they should keep the originals) of any documents that support their position. Their letter should identify each disputed item, the reasons for disputing it, and a request that each error be corrected or deleted,” wrote the Federal Trade Commission (FTC) in a document about medical ID theft. “Patients may want to include a copy of their medical or billing record with the items in question circled.
In addition, HIPAA gives all healthcare patients the right to receive copies of their medical records stored and/or maintained by health providers and plans. If a patient asks for a copy of his or her medical records, the covered entity must oblige by providing him or her with this information.