In this week's issue of BNA's Privacy and Security Law Report, it is reported that a California advisory group is struggling to develop recommendations for combating the growing crime of medical identity theft. As a member of that advisory group, I can attest that the issues are indeed difficult and highlight why the health care industry is likely to be plagued by this new form of crime in coming years.
As noted in one of my earlier postings, California passed a new law, A.B. 1298, that took effect on January 1 of this year, expanding the state's security breach notification law to apply to "medical information" and "health insurance information." One of the primary objectives of this new law was to fight medical identity theft. Medical ID theft occurs when someone uses a person's name, along with other pieces of information, such as insurance ID number, to obtain medical services or goods, or uses the person's identity to submit false claims for medical services. One of the most damaging aspects of medical identity theft is that it can result in erroneous entries in a person's medical record.
The California Office of Privacy Protection ("COPP") convened a 16-member advisory group to update the document "Recommended Practices on Notice of Security Breach Involving Personal Information," most recently updated in February 2007. The update was to reflect recommended practices to deal with medical ID theft in the wake of A.B. 1298. The problem is that it's difficult to identify practices that will actually prevent this insidious new crime.
For example, a victim of financial identity theft can place a security freeze on their credit report through the three major consumer reporting agencies. There is no such centralized method for blocking medical identity theft when your medical information is disclosed in a security breach. Some have suggested that health plans should somehow flag the files of a possible victim of medical ID theft. Health plans respond that there is no available mechanism for placing such an alert or "red flag" on an individual's file. Moreover, even if such a mechanism existed, it would only be effective when a claim for services is submitted to the plan, long after the medical theft has already been committed in a hospital or physician's office. Medical ID theft is a growing crime, with the Federal Trade Commission reporting approximately 250,000 cases in 2005 alone. For now, though, it appears to be a crime without a cure. Given the difficulty of these issues, it should be no surprise it is taking a few drafts for the COPP advisory group to develop its recommended practices document.