Medical identity theft is on the increase. The Identity Theft Resource Center (ITRC) reports that as of March 30, 2015, there have been a total of 68 breaches involving 99,335,375 records reported in the medical/healthcare industry. See Identity Theft Resource Center 2015 Data Breach Stats, Report Date: 3/30/2015, pages 5-7, on their website. A “breach” is defined to include an event in which an individual’s name plus Social Security Number, driver’s license number, medical record, or financial record (including credit/debit card) is potentially at risk either in electronic or paper format. Id. at page 2.
Medical identity theft usually occurs when a person’s name and part of the person’s identity, such as insurance information, are utilized by a criminal to acquire medical goods or services without the person’s consent. Typically, the criminal is uninsured but in need of medical goods and/or services. Medical identity theft frequently results in incorrect entries in the victim’s existing medical records, or it may result in the creation of a false medical record in the victim’s name.
Gary Cantrell, Deputy Inspector General of the Office of Inspector General (OIG), recently testified before the Subcommittee on Oversight of the House Ways and Means Committee regarding the OIG’s efforts to combat Medicare fraud. He stated that medical identity theft plays a key role in many of the Medicare health care fraud schemes investigated by the OIG. Often medical identity theft occurs with the use of recruiters or marketers. They entice Medicare beneficiaries to provide their identifying information, including their Medicare numbers or Health Insurance Claim Numbers, by promising them something of value in return, such as money, services, equipment, prescriptions, or narcotics. Other times, insiders may work in the health care profession, which gives them access to beneficiaries’ personally identifiable information. These insiders acquire this information and then sell it to co-conspirators who have the ability to bill Medicare using the information.
In a sample survey of 49,266 respondents who were victims of identity theft in the United States, many reported a lack of confidence in their health care providers’ privacy and security measures to protect medical records. Seventy-nine percent of the respondents stated it is important for health care providers to ensure the privacy of their medical records; 48 percent stated they would consider changing health care providers if their medical records were lost or stolen; and 40 percent stated it is important for health care providers to provide prompt notification of a breach. Ponemon Institute, Fifth Annual Study on Medical Identity Theft, February 2015, pages 3 and 4.
What Steps Can Health Care Providers Take to Prevent or Mitigate Medical Identity Theft?
While health care providers may have implemented HIPAA policies and procedures to protect against the unauthorized use or disclosure of protected health information (which may result in identity theft), many health care providers may not have implemented a Red Flags Rule Program. Whether a health care provider is required to implement a Red Flags Rule Program depends on whether it falls within the definition of “creditor” under the Red Flags Rule. There are a series of questions, the answers to which determine whether a health care provider falls within the definition of a creditor.
Does the health care provider regularly:
Defer payment for goods and services or bill customers? or
Grant or arrange credit? or
Participate in the decision to extend, renew, or set the terms of credit?
If the answer to any of the above three questions is “yes”, then does it regularly or in the ordinary course of business:
Obtain or use consumer reports in connection with a credit transaction? or
Give information to credit reporting companies in connection with a credit transaction? or
Advance funds to or for someone who must repay them, either with funds or pledged property (excluding incidental expenses in connection with the services provided)?
If the answer to one or more of the above three questions is “yes”, the health care provider is a creditor covered by the Red Flags Rule. Even if the answer is “no”, implementing a Red Flags Rule Program can be beneficial. A Red Flags Rule Program will assist health care providers in identifying identity theft by looking for the “red flags” or patterns, practices, or activities that indicate the possible existence of identity theft. A Red Flags Rule Program will also assist providers in taking steps to prevent or mitigate identity theft.
If you have any questions concerning medical identity theft or the privacy and security of medical records or would like assistance in developing a Red Flags Rule Program, please contact Rochelle H. Zapol, a partner in Prince Lobel’s Health Care Practice and the author of this alert. You can reach Rochelle at 617 456 8036 or rzapol@PrinceLobel.com.