By Lisa Eramo
It’s a scenario that nobody wants to admit could happen to them: medical identity thieves stealing your personal health insurance information to obtain medical treatment, fill prescriptions, and even undergo surgery. However, the harsh reality is that medical identity theft is a growing problem nationwide.
Approximately 1.85 million Americans were affected by medical identity theft in 2012—up from 1.49 million in 2011, according to the Third Annual Survey on Medical Identity Theft published by the Ponemon Institute, LLC in June.
Medical identity theft often occurs long before victims even become aware that their personal and health information has been compromised. Roughly 34 percent of survey participants said they found out about the theft one year or later after it occurred.
Medicare beneficiaries are at high risk for medical identity theft because their health ID numbers are directly connected to their Social Security numbers. When the theft occurs, these beneficiaries have few remedies from which to choose. The Office of Inspector General (OIG) published a report in October titled CMS Response to Breaches and Medical Identity Theft that highlighted the fact that Medicare beneficiaries with compromised numbers are not routinely assigned new numbers and that the Centers for Medicare & Medicaid Services (CMS) won’t eliminate Social Security numbers from Medicare beneficiaries’ numbers. The CMS cites high costs and operational challenges as barriers. The OIG report also states that there is no standard procedure for ensuring that beneficiaries retain their access to services if their Medicare numbers have been misused by others.
Why should all consumers care about medical identity theft? If a thief uses your identity to get medical care, his or her medical information (e.g., blood type, test results, allergies, etc.) will be added to your record. This could adversely affect your own treatment, safety and outcomes. If thieves repeatedly use your health insurance information, you may quickly reach caps that limit the services and medical devices that you’re eligible to receive. When you try to make a legitimate health insurance claim, your health plan may deny coverage once the caps are met.
Medical identity theft is an invasion of privacy. Thieves who breach your data could expose your personal health information on publicly accessible websites that don’t require authentication, making your private details easy targets for search engines, insurance companies or prospective employers.
The good news is that there are several ways in which you can monitor your health records proactively to ensure that nobody else has used or abused your ID. Consider the following:
Closely monitor any Explanation of Benefits (EOB) or bills that your health insurer sends to you. Do your bills correspond with the services you received, or do any services look suspicious? Review your EOBs carefully instead of simply tossing them in the trash with the junk mail. Be on the lookout for any charges related to medical services, office visits or medical equipment that don’t apply to you.
Request and monitor your credit report. Does your report include medical collection notices you don’t recognize? If so, an identity thief may have used your name, SSN and insurance information to obtain these services.
Request an accounting of disclosures report from your providers and health plan. This report, which consumers should request annually when they ask for a copy of their free credit report, includes a record of what information your provider disclosed, when it was disclosed, why it was disclosed, and to whom it was disclosed. Consumers have a right to this information under HIPAA.
In it, you’ll find a summary of disclosures made for public health purposes, most law enforcement activities, and health oversight activities, says Chris Apgar, CISSP, CEO and president of Apgar & Associates, LLC. What you won’t find is a history of disclosures made for treatment, payment, health care operations, and any other authorized releases—areas where a lot of the fraudulent activity could be occurring, Apgar says. Proposed federal regulations may require providers who use electronic health records (EHR) to include all disclosures in the report—regardless of why the disclosures were made. However, the Office for Civil Rights hasn’t announced when or whether it will finalize the requirements.
If your provider uses an electronic health record (EHR), a better option may be to ask for a copy of the EHR access log. Although providers aren’t required to give this information, persistent patients may be able to obtain it. The access log provides a detailed record of access and modification to your records. “They may not be pretty, but they contain considerably more about how protected health information is used and disclosed,” says Apgar. “They’re a much better way to track what could be fraudulent activity.”
Monitor your health plan’s website. Many health plans offer websites that consumers can access to monitor claims payment activity. For example, Medicare beneficiaries can access their Medicare-related information 24/7 on MyMedicare.gov, a free, secure online service. Checking the site regularly helps arm you with up-to-date information so you can stop identity thieves in their tracks more quickly, says Apgar.
- Medical identity theft tips provided by the Federal Trade Commission
- Tips for proactive monitoring provided by the World Privacy Forum
- Booklet to protect consumers from Medicare fraud provided by the CMS
- Brochure with tips to avoid medical identity theft provided by the OIG
Lisa A. Eramo is a freelance writer and editor who specializes in healthcare regulatory topics, health information management, and medical coding. You may reach her at firstname.lastname@example.org.
Image: Lars P., via Flickr