Confusion Continues Over Medical Identity Theft Victim Rights under HIPAA

In a Nov. 10, 2015 letter, the Chairs and Ranking Members of the Senate Committee on Health, Education, Labor, and Pensions and the Committee on Finance raised concerns with the U.S. Department of Health and Human Services (“HHS”) regarding what HHS is doing to support and protect victims of medical identity theft in the wake of large health information breaches. While HIPAA provides a patient with a right to access and correct their medical information, the Senators indicate that there is widespread confusion regarding how this right applies when the patient’s record includes information belonging to a medical thief. Some health care providers believe that they cannot provide the victim access to the victim’s medical record because doing so would violate the HIPAA privacy rights of the identity thief. HHS actually worked with the Federal Trade Commission (“FTC”) years ago to try to correct this misunderstanding of HIPAA, but the Senate’s letter makes clear that confusion remains.

The Senators’ letter describes medical identity theft as “the appropriation or misuse of a patient’s or a provider’s medical identifying information (such as Medicare identification number) to fraudulently obtain or bill or medical care.” The activity can include use of medical identifiers to bill insurers millions for health care services that were never furnished, or it can include cases where an identity thief obtains actual health care services under someone else’s identity. The crime can have far more severe repercussions than typical identity theft because the victim may not realize that false medical information (such as the wrong blood type) is in the medical record, leading to potentially fatal results when the victim later obtains treatment.

Making the matter worst, some health care providers have refused to provide medical identity theft victims with access to their medical records, since doing so would disclose protected health information of the identity thieves. The health care providers may believe that the victim has no right under HIPAA to access information about the identity thief, while the provider would violate HIPAA by disclosing to the victim information about the health care services provided to the thief.

The Senators’ letter describes the issue further: "While patients have the right to view and request corrections to their medical records under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, there is widespread confusion about how this rule applies in the case of a thief's information being comingled with that of his or her victim's. The Ponemon Institute reported that nearly one in five victims of medical identity theft were refused access to their medical records "due to laws protecting the privacy of the identity thief."

The letter asks HHS a number of questions related to medical identity theft, including:

Does HHS believe that HIPAA Privacy Rule gives a victim of medical identity theft the right to access his or her health record if it contains a thief's health information? Has HHS encountered confusion on this matter previously? If so, what steps has HHS taken to address the confusion over the meaning of the Privacy Rule on this matter?

The FTC, working with HHS, actually addressed this question almost five years ago, issuing FAQs for health care providers and health plans clarifying that HIPAA provides a patient the right to access and correct his or her medical record, even if it includes the information of an identity thief:

The HIPAA Privacy Rule gives people the right to copies of their records maintained by covered health plans and medical providers....

Some medical providers and health plans believe they would be violating the identity thief’s HIPAA privacy rights if they gave victims copies of their own records. That’s not true. Even in this situation, patients have the right to get a copy of their records.

HHS includes a link to the FTC FAQs on its website, oddly enough among resources for the Security Rule. Nevertheless, the Senators’ letter and Ponemon statistics appear to demonstrate that more education is needed on this issue.