American Journal of Law & Medicine

But doctor, I still have both feet! Remedial problems faced by victims of medical identity theft.

I. INTRODUCTION

When Lind Weaver starting receiving collections demands for a foot amputation she never had, she assumed it was a clerical error. (1) Unfortunately, the operation had been performed on someone pretending to be Weaver, causing Weaver's medical history to become entangled in the thief's. (2) Media reports about identity theft show Weaver's experience is far from unique. For example, a Chicago man was arrested after using his friend's identity to obtain $350,000 worth of cardiovascular surgery at a local hospital. (3) Hackers broke into the medical records of thousands of University of California students. (4) A staff member left a laptop containing records of patients of a local AIDS clinic on Boston public transportation. (5)

Further opportunities for thieves lurk in every unshredded envelope, online transaction or credit card purchase. Breaches of financial data, often the result of hacking or theft or loss of sensitive computer equipment are routine fixtures of the news cycle. (6) Consumers are encouraged to check their credit scores and monitor their accounts for any suspicious activity. (7) In sum, we are being bombarded with warnings about the threat of identity theft. This media saturation focuses on the misuse of a data linked to a victim's identity to gain access to consumer credit tools such as credit cards and loans.

Yet, medical identity theft, what Lind Weaver experienced, lurks in the background. Medical identity theft consists of the misuse of personal information to gain access to healthcare. (8) A 2006 report by the Federal Trade Commission (FTC) estimated that there were at least 250,000 victims of medical identity theft for the period 2001-2006. (9) The actual number is likely even higher. (10) In a more recent survey of identity theft victims assisted in 2008 by the non-profit Identity Theft Resource Center, two thirds of the 100 victims surveyed reported being billed for medical services they did not receive. (11) To some extent the emergence of medical identity theft is not surprising. First, healthcare providers are the largest compilers of personal data (12) and are just as vulnerable to attack as the financial industry. (13) Second, the high cost of health care creates an incentive to steal the identity of someone with insurance in order to obtain needed health care services, to further drug-seeking behavior, or to defraud third-party payers. (14) In addition to financial harms such as being billed for services not rendered, medical identity theft can introduce inaccuracies into a victim's medical records, causing a cascade of clinical, insurance, and even reputational harms.

Unlike victims of financial identity theft who can use the credit reporting system to recover from financial identity theft, victims of medical identity theft lack similar statutory resources, and there are few available private remedies. Further, structural and regulatory features of the healthcare system, including those governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (15) make it extremely difficult for victims to discover and remedy the damage caused to their medical records by an identity thief. To put it simply, "[t]here is no single place individuals can go to locate and correct inaccurate medical information." (16)

Current regulatory focus on increasing privacy and security through technological improvement, such as the HITECH Act amendments to HIPAA and the push to develop electronic health records (EHRs) do nothing to address victims' access problems to their own medical records. Further there is no private incentive to develop resources for victims. Finally, new regulations requiring health care providers to prevent fraud and new data breach notification rules do not resolve the basic problem of access. This note will argue that, given the fragmented nature of the healthcare market, a new federal regulatory initiative modeled on what is available to victims of financial identity theft is necessary to give victims an effective means of protecting the integrity of their personal health records.

This note will examine the issues faced by victims of medical identity theft as follows. Part II explores the differences between medical and financial identity theft. Part III assesses the structural factors of the healthcare industry that make medical identity theft more difficult to detect and remedy than financial identity theft. Part IV evaluates the remedies available to victims of medical identity theft with those available to victims of financial identity theft. Part V examines potential avenues for better remedies for victims of medical identity theft and proposes a federal legislative solution modeled on extant remedies for victims of financial identity theft.

II. DEFINING THE PROBLEM: WHAT IS MEDICAL IDENTITY THEFT?

Medical identity theft is a crime that appeals to two groups of people--those that would not otherwise have access to the healthcare system, and those who seek to defraud third party payers for their own financial ends. Regardless of the motivation for medical identity theft, the consequences for individual victims are the same: inaccurate medical records and financial consequences similar to those of financial identity theft. This Part will discuss the how and why medical identity theft is committed and the consequences for both individual victims and for the healthcare industry as a whole.

A. SOURCES OF AND MOTIVATIONS FOR MEDICAL IDENTITY THEFT

Medical identity theft shares with financial identity theft the concept of a financially motivated appropriation of another person's identity information, but differs in that the theft is limited to healthcare services. Essentially, the thief seeks to either appropriate another's healthcare benefits for their own use or to bill the victim's third party payer for services never rendered to anyone but attributed to the victim. In either case medical identity theft requires taking advantage of third party payers rather than defrauding merchants and financial institutions, as is the case with financial identity theft. Thus, while an identity thief with a stolen credit card number could use the credit card number to pay for medical services, this is not financial identity theft if the medical services rendered are attributed to the thief's own identity (or an assumed identity).

Medical identity theft generally takes two forms--individual medical identity theft and medical identity fraud. Both forms of medical identity theft corrupt the victim's medical records by causing entries unrelated to the victim to be associated with the victim's medical records. (17) Individual medical identity theft involves the compromise of an individual's medical records by a thief and is often assisted by social engineering techniques, (18) such as the lack of procedures in individual hospitals or clinics to adequately verify a patient's identity. This lack of verification, of course, can also harm the identity thief, since the victim's medical records may indicate a different blood type, drug allergies, or medical history than that of the thief, leading to incorrect care for either the thief or, subsequently, the victim, if the victim's medical history is altered to match that of the thief. (19)

The second form of medical identity theft is the theft of multiple medical identities in order to defraud third-party payers. This can be accomplished by billing a victim's insurance plan for services and procedures that were neither needed nor received by the victim. For example, a former administrator at Cedars Sinai Hospital in Los Angeles used hundreds of patient records to file false insurance claims. (20) Medical identity fraud can result in prosecutions for theft, criminal conspiracy, and even substantive violations of HIPAA. (21) Like individual medical identity theft, medical identity fraud causes incorrect information to become associated with the victim's medical records, and can result in adverse medical treatment for the victim going forward. (22) In contrast to individual medical identity theft, medical identity fraud can impact a large number of victims due to the actions of a single thief. It is generally the result of coordinated fraudulent access to medical health records, rather than the actions of an individual desperate for medical treatment or access to prescription medication. (23) Often, medical identity fraud is the result of theft by an employee of a medical service provider who then sells the identity information to others seeking to commit the fraud. (24) Third party benefits providers--companies that handle various aspects of medical claims processing, such as pharmaceutical benefits, are also vulnerable to medical identity fraud. (25) What individual medical identity theft and medical identity fraud have in common are the systemic, regulatory and legal roadblocks currently in place that prevent victims of medical identity theft from remedying their situation. Thus, given the similar impact on victims, both types of identity theft will be referred to as "medical identity theft" for purposes of this analysis.

B. CONSEQUENCES OF MEDICAL IDENTITY THEFT

There are two types of victims in medical identity theft--primary and secondary victims. Primary victims are individuals who suffer from incorrect medical records, improper denial of insurance due to non-existent health conditions, and billing for services not received. (26) Secondary victims are institutional parties and businesses that are parties to healthcare transactions, such as healthcare providers, insurance companies, and local and national agencies and organizations that rely on the accuracy of medical records. (27)

For primary victims, medical identity theft can have impact that goes far beyond that of financial identity theft. First, the identity thief can cause incorrect information to be associated with the victim's health history. (28) Since health care providers rely on medical histories in diagnosing and treating patients, incorrect information can impair a provider's ability to treat the victim. (29) Association with some medical problems, if incorrect, could have serious patient safety repercussions for a victim. For example, an incorrect blood type or drug allergy entered into a victim's chart during the thief's treatment can have disastrous subsequent consequences for the victim, particularly in emergencies. (30) Likewise, treatment for conditions that the victim does not have, such as heart disease or diabetes, can impact subsequent rendering of medical care to the victim.

Adverse medical history associated with the identity thief can also impact the cost and availability of health and life insurance by making a victim appear to be more high-risk than he or she actually is. (31) Further, insurance companies may refuse to pay for medical care needed by the victim if the victim's records show that it has already been rendered to the thief, and services rendered to an identity thief can impact a victim's lifetime benefits cap or pre-existing conditions if they go undetected. (32) Additionally, time and effort spent by the victim to correct their records constitutes an additional cost of the theft beyond that of the value of the services rendered. There may also be repercussions for a victim's reputation if incorrect information regarding a victim's health status becomes public knowledge due to the theft. (33)

Finally, as in regular identity theft, the victim will be billed for services that were not received by the victim. In many instances, bills and collection notices for medical services may be a victim's first indication that their identity has been compromised. If a medical identity thief has also changed the address to which the bills are sent, however, a victim of medical identity theft often may not become aware that there is a problem unless unpaid bills show up on a credit report--and the victim has been diligent enough to monitor his or her credit reports. (34) Financial identity theft and medical identity theft thus converge in their potential impact on a victim's credit report, and the financial ramifications of medical identity theft are similar to the more common forms of identity theft.

For secondary victims of medical identity theft, the consequences are primarily financial and administrative. Fraudulent medical claims cost public and private insurers millions of dollars every year (35) due to the fact that an allegation of fraudulent medical charges by a victim will result in additional administrative costs on the part of the provider or third party payer. If the fraud is proven, the cost of the services rendered will have to be absorbed by the healthcare provider or by the insurer, and the cost may be passed on to consumers in the form of higher healthcare prices. Additionally, the inclusion of false information can change the loss history of a given data sample of insureds, increasing the premium prices of experience-rated insurance products. Inaccurate data could also result in incorrect epidemiological data, undermining research quality. Ultimately, the costs associated with all types of medical fraud are likely to be passed on to consumers.

Thus, even though an identity thief may be an individual desperate for access to the healthcare system or an individual with insider knowledge of medical billing procedures, the consequences of medical identity theft on victims, third party payers and the healthcare system as a whole are the same regardless of the thief's original motivation. By taking advantage of systemic inefficiencies within the healthcare system, a medical identity thief gains financial and health advantages and the costs are ultimately recouped in the form of more expensive healthcare for everyone else. The following Part will discuss the structural difficulties that prevent efficient remedy of inaccuracies introduced into a victim's medical record.

III. HEALTHCARE INDUSTRY PRACTICES MAKE IT DIFFICULT TO REMEDY MEDICAL IDENTITY THEFT

One of the major reasons why medical identity theft is more pernicious than financial identity theft is due to common payment and record-keeping payment and record-keeping practices in the healthcare industry. Unlike the financial services industry, which has historically taken advantage of improvements in billing and processing technology in order to increase profits, the incentives for uniform and efficient data transmission within the healthcare industry have been lacking. Health care stakeholders with enough influence to push for uniformity, such as third party payers, do not have a financial incentive to do so. This is because third party payers do not have an incentive to push for faster claims processing, since insurance premiums have already been paid. On the provider side, industry-wide uniformity does not result in a benefit to any individual provider, thus incentives to invest in streamlined processing are capped by the marginal cost of those improvements. Because there are no incentives to standardize industry practices, healthcare provider billing has developed organically, with each provider's system tailored to that provider's needs. Thus, the billing methodologies used in any given healthcare encounter will be unpredictable from a patient standpoint. As a result, healthcare providers tend to engage in discrete billing and record-keeping procedures that are not widely understood or accessible to healthcare consumers. This Part will explore how industry practices often frustrate victims in their attempts to recover from medical identity theft.

A. THE CREATION AND HANDLING OF MEDICAL RECORDS

Unlike a fraudulent loan or credit card transaction, a single fraudulent medical transaction can result in the creation of records from many different parties beyond that of the actual healthcare provider. As health care diagnostic technology has gotten more complicated, medical records have become disseminated beyond the physician-patient relationship. (36) For example, laboratory work, specialists, pharmacists and third-party diagnostic services all keep record of services rendered to an individual. In a simple transaction, such as a visit to a physician's office may generate a single record at the provider's office and a record with the patient's insurance provider. Additional records may be generated if diagnostic tests are performed or a prescription is written. However, even in this simple scenario, dozens of people may be involved as a claim for health benefits makes its way through the system. (37)

For a more complex health care encounter, such as a hospital stay, the number of people who may view a file multiplies substantially, since additional specialists and diagnostic services will likely be required. (38) The number of disclosures made of a victim's medical record in the normal course of business contributes to the difficulty in resolving medical identity theft claims. Multiple providers, for example, treating physicians and nurses, specialists, and administrative personnel such as billing and claims administrators, all receive access to a patient's health record in the normal course of providing care and may keep their own records of the encounter. (39)

If a claim is processed through third party benefits payer, it may be transmitted through numerous administrative contractors, all of which keep records of what services were provided. (40) Some private insurers also place health records obtained during underwriting in a central database called a medical information bureau (MIB) to which other insurance companies are allowed access, with the purpose of combating insurance fraud. (41) Ironically, this anti-fraud measure could potentially result in fraudulent claims associated with a victim's medical record impacting the availability of coverage with other insurance providers.

The extent of the damage to a victim's medical records caused by an identity thief can often depend on the way in which the victim's medical records were kept. For health care providers that choose to keep non-electronic records, a fraudulent service or diagnosis may not affect a large portion of an individual's medical files. Even electronic records may be difficult to track down, however, since they may be stored "be in multiple locations, poorly aggregated and identified by a different number or identification scheme in each place ..." (42) Thus, due to the way in which data is stored throughout the health care industry, a victim of medical identity theft may not be able to track down all of the erroneous records generated by an identity thief.

B. FINANCIAL TRANSACTION PROCESSING VS. MEDICAL CLAIMS BILLING

In terms of payment processing, consumers of financial services enjoy a faster, more-standardized billing and processing arrangement. (430 Examining a purely financial transaction involving a consumer payment card transaction and one that involves billing for a routine medical claim (44) covered by medical insurance illustrates the differences in timing and traceability between financial transactions and health care transactions. The most important difference is that a credit transaction is completed within a matter of days, and the consumer receives notice of the transaction (via a bill from the card issuer) within a month, whereas it can be months before a consumer receives a notice of a medical claim, either as an explanation of benefits or a bill from a healthcare provider. …

Log in to your account to read this article – and millions more.