Webinar: Medical ID theft is often 'a family affair'
In today’s regulatory environment, there is no single regulatory rule or law that covers all types of sensitive personal information, said Tony Hadley, senior vice president, government affairs and public policy at Experian, which sponsored the webinar and a related survey. The HITECH Act expands the requirements stipulated in HIPAA, but these regulations only affect organizations that are regulated by the Department of Health and Human Services.
At the state level, California in 2003 became the first state to require companies to notify individuals if personal data have been compromised. Today, similar breach notification laws have been passed by 46 states, Washington D.C., Puerto Rico and the Virgin Islands. In addition, “we are beginning to see expansion of data under state laws,” said Hadley, based on rising concerns that non-HIPAA entities may not have measures to adequately protect consumer privacy. Six states and Puerto Rico have added health and insurance information to what is considered personal information for data security and breach purposes, he added.
By adding health data to personal information, identity protection and breach laws are not limited to healthcare providers, but apply to any organization with health data.
“There’s a growing consensus among policy makers at the federal level that businesses must do a better job of protecting consumer information.” Organizations should be prepared to engage in best practices in order to protect themselves from increased regulatory oversight, Hadley said.
‘A Robin Hood crime’
Lawmakers and businesses are bracing for a future that may be fraught with medical identity theft. In general, however, the public sees things differently, said Larry Ponemon, PhD, chairman and founder of the Ponemon Institute.
In fact, the institute’s Second Annual Study on Medical Identity Theft, conducted in January and February, showed that many victims considered medical identity theft “sort of a Robin Hood crime,” said Ponemon. This is because the majority of respondents reportedly knew the person(s) who used their healthcare information to obtain care, he explained.
In the survey, medical identity theft was defined as the theft of a person’s name or sometimes other parts of their identity without that person’s knowledge or consent, to obtain medical services or goods or to make false claims.
The crime of medical identity theft is said to be on the rise; still the majority of medical identity theft today “is a family affair,” in which a family member who doesn't have insurance or can’t pay for care uses the identity of a relative who is insured, the survey found. Respondents in the 2011 survey reported that when medical identity was stolen by a family member, 91 percent of the “thieves” had no insurance; 87 percent could not afford to pay for care; and it was an emergency 81 percent of the time. “People see this in a different light than other crimes.”
But health information altruism is expensive—consequences can include insurance plan termination, increased premiums or lowered credit scores. It can cost a victim an estimated $20,663 to resolve medical identity theft and can take several months, said Ponemon. That’s up from an estimated $20,160 last year. In addition, erroneous entries in a patient’s medical record can affect their treatment in the future, he added.
Survey responses showed that consumers lack awareness about medical identity theft, Ponemon stated:
- 91 percent of respondents said they hadn't heard of medical identity theft before it happened to them.
- 46 percent of respondents didn't know medical identity theft could affect their credit score.
In addition, 46 percent said they realized their medical identification had been stolen only when they received collection letters; 30 percent discovered the theft when they found mistakes in their health records; and 16 percent when their credit score dropped.
When victims discovered medical identity theft had happened, only 50 percent immediately reported it. Of those who didn't report it quickly, most knew the thief and the attitude seemed to be, “If my relative needs medical treatment and they don’t have insurance, what’s the harm in using my credentials?” said Ponemon.
When asked what steps are being taken to prevent medical identity theft from happening again, 49 percent of respondents reported that they had taken no new steps, he said. However, victims wanted their providers to take precautions against future identity thefts: 71 percent wanted to ensure that only medical professionals have access to records. Sixty-nine percent wanted to allow individuals to control their records directly and 62 percent wanted stricter laws, the survey found.
Although the public seems to be “tuned in on the privacy issue,” Ponemon concluded, “people need to be smarter about the idea that [medical identity theft] isn't a shared good, that there are consequences and it’s a serious crime.”