Someone asked me (unbelievably!!) “…what’s the big deal about disclosing someone’s Protected Health Information (PHI)?” After coming down off the “surprise” ceiling, I first responded with “Hellllloooooo!!”, followed by “Duuuhhhh!”, followed by a brief discussion about Medical Identity Theft. Just last week, a federal judge in Birmingham sentenced a Pleasant Grove man to six years in prison for his part in a prescription fraud scheme that started with the theft of PHI. Of course, I could have discussed lost job opportunity, lost business opportunity, denial of medical benefits, discrimination, etc, etc. I stuck with Medical Identity Theft…
Medical Identity Theft is a criminal act that occurs when a person uses someone else’s personal information, such as name and insurance card number, without that individual’s knowledge to obtain or make false claims for medical services or goods. Unlike financial identity theft, medical identity theft can harm its victims by creating false entries in their medical records at hospitals, doctors’ offices, insurance companies, and pharmacies. These false changes made to victims’ medical files and histories can remain on record for years without discovery or correction.
Medical identity theft can result in victims receiving inappropriate medical treatment, including potentially harmful medication, the exhaustion of their health insurance benefits, and subsequently the loss of both life and health insurance coverage. Victims can even fail screening exams for employment due to the presence of diseases and other conditions in their health records that are not theirs but rather belong to the individuals who stole their identities.
To compound the problem, health care systems are increasingly moving away from paper-based charts to computer-based or electronic medical records (EMR/EHR). This may make it more difficult to recover from medical identity theft, as these incorrect medical entries and/or fictitious medical records are transmitted and stored for legitimate reasons throughout the computerized patient record networks of various providers, payers, and others involved in health care. Of course, the financial consequences of this crime remain the same as those of financial identity theft: serious blemishes on credit reports, unpaid bills, harassing phone calls from collections agencies, etc. You’ve seen those ads.
If you create, receive, maintain or transmit PHI, safeguard it as if it were your own.
The complete HIPAA Privacy and Security regulations are here.