Medical identity theft: Sorry--you can't look at your own record, Mr. Jones

Medical identity theft could pose a HIPAA-style Catch-22 for victims who want to investigate the crime, according to a recent report from the American HealthInformation Management Association.

Let’s say someone pilfers your name, Social Security number, and health plan ID and then uses that information to get a knee replacement at a local hospital where you’ve also received treatment. If you get wind of the scam, you may not be able to determine exactly how your medical record has been falsified, says attorney Laurie Rinehart-Thompson, an assistant professor of clinical allied medicine at Ohio State University in Columbus. She discusses this predicament in an AHIMA report titled “Online, on Message, on Duty: Privacy Experts Share Their Challenges.”

“When the victim reports the fraud, existing laws are such that providers are required to protect all the information in the record, even though part of it belongs to the thief,” says Rinehart-Thompson. “So the victim is effectively prohibited from seeing his or her own record because it contains protected information on two people. Beyond having good procedures to verify identity at the time of service, I’m not sure what the answer is to this, but it’s something the industry needs to be thinking about.”

The magnitude of medical identify theft underlines the importance of having sanelaws.  The Federal Trade Commission reports that of the 8.3 million peoplein 2005 who were victimized by identity thieves, 250,000 said the culprit hadobtained medical treatment, services, or supplies in their name.