by Amy Buttell Crane
What it is
There are two aspects to medical identity theft: medical and financial. The medical consequences involve the medical information and records of the thief becoming intermingled with your own records. So, your medical record could reflect a major surgery that you never had, and these records would include details relating to the health history of the thief rather than your own. Relying on those false records, future health care providers might easily make inaccurate diagnoses, resulting in medical errors or delaying proper treatment.
The financial aspects are the same that any consumers victimized by identity theft face: unpaid bills, serious blemishes on credit reports and harassing phone calls from collections agencies.
The health care system is much more able to deal with the financial aspects than it is with the medical consequences for patients.
Dealing with the medical consequences is much more difficult, not only because of the loopholes in federal medical privacy laws -- the chief one being the Health Insurance Portability and Accountability Act, or HIPAA, of 1996 -- but also because the federal government isn't enforcing HIPAA, including those provisions that might help the victims of medical identity theft.
Victims find it difficult not only to uncover the fraud, but also to get their health care and insurance records corrected. As a result, victims with inaccurate claims on their insurance may bump up against lifetime care insurance caps and find it more difficult or impossible to get future medical, life, long-term care and supplemental insurance.
How it happens
A 2006 report published by the World Privacy Forum found that most medical identity theft begins at health care providers' offices, where insiders -- usually employees -- are paid by criminals or criminal organizations to obtain medical identification information in bulk.
"Our research found that there is a huge black market for medical records. Police tell us such records go for $50 each on the street, compared to Social Security numbers that go for a dollar or two," Dixon says.
The stolen records are sold to individuals without insurance who are in need of elective surgeries or other expensive treatments.
"As more people are not getting the health care they need, we're seeing an increasing incidence of medical identity fraud," says Norbert Kugele, an attorney specializing in health privacy laws with Warner, Norcross and Judd in Grand Rapids, Mich. "Someone will show up at a hospital with someone else's insurance information and will seek treatment under their name."
In many cases, the thief will take steps to prevent detection, including changing the address where insurance and hospital information is sent. This is one reason why it takes victims so long to discover the fraud. If they aren't getting their insurance statements or seeking medical treatment, they are usually in the dark.
Because HIPAA protections are riddled with loopholes, there is only so much you can do to protect yourself.
Experts recommend that you:
1. View your medical records.
2. Shred documents.
3. Protect your mail.
4. Restrict access to your ID.
5. Confidential communications.
6. Access records online.
7. Disclosure limitations.
1. View your medical records. Request a copy of your medical records or go to your health providers and ask to see them, says Cindy Smith, a managing director at PriceWaterhouseCoopers. HIPAA requires health care providers to either supply you with the requested records within 30 days or ask for more time. If they deny your request, they must state the reason in writing.
2. Shred documents. These days, shredding junk mail is merely common sense. If you're concerned about medical identity theft, shred any health care and/or insurance documentation that you aren't retaining.
3. Protect your mail. Putting your mail out for the neighborhood letter carrier to pick up is "an invitation to identity thieves," says Steve Weisman, author of "50 Ways to Protect Your Identity and Your Credit: Everything You Need to Know About ID Theft, Credit Cards, Credit Repair and Credit Reports." At the very least, deposit your outgoing mail directly in mailboxes. Better yet, get a post office box and pick up all your mail there. "It isn't completely secure -- postal employees have been involved in identity theft -- but it's more secure than getting your mail at home," he says.
4. Restrict access to your ID. Consumers accede to requests to view their driver license or other IDs far too readily, says Judd Rousseau, chief operating officer of Identity Theft 911, a company that offers identity theft resources for consumers and businesses. "If someone wants to see your driver's license or needs your Social Security number, question them," he says. "Don't give potential thieves access to your identity."
5. Confidential communications. Health privacy laws allow consumers to request that their providers limit communications about their health care and health care records to third parties. Unfortunately, HIPAA doesn't require health care providers to comply with such a request, but "it's worth a try," Kugele says.
6. Access records online. If your insurance allows it, opt to get insurance billing statements and other notifications online and discontinue paper mailings, says Eduard Goodman, chief privacy officer of Identity Theft 911. "Many people think that doing things online is riskier than the mail or whatever, but it's not," he says. "Encryption and security protocols make it much safer to do business online." If you can't eliminate paper statements, periodically check online to see what's been going on with your account.
7. Disclosure limitations. One possible way around HIPAA loopholes is requesting confidential communications by alternative means, Kugele says. "This is primarily designed to protect battered spouses and other victims of abuse, but perhaps it could be used to limit someone's ability to change your mailing address."
The World Privacy Forum has an FAQ section for victims of medical identity theft at www.worldprivacyforum.org.
Experts recommend that you get copies of medical, pharmaceutical, dental and other health insurance records so that you can reconstruct the steps the medical identity thief took while using your benefits. Once you're aware of where the thief received health care in your name, you can request copies of medical records and get them corrected.
The World Privacy Forum's FAQ contains several sample letters you can use to request copies of your medical records and the steps you can take to try to get your records corrected and amended.
In terms of the financial consequences, fact sheets at the Privacy Rights Clearinghouse provide tips on getting your credit report corrected and following up with bill collectors and other creditors: Identity Theft: A Guide for Victims and Criminal Identity Theft: What to Do If It Happens to You.