Warakorn - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

What are the rights of medical ID theft victims under HIPAA?

The rights of medical identity theft victims have been confused by health providers, but the rules under HIPAA are actually quite clear. Expert Mike Chapple explains.

The chairs and ranking members of the Senate Committee on Health, Education, Labor and Pensions and the Committee on Finance recently asked the U.S. Department of Health and Human Services what it's doing to support and protect victims of medical ID theft after health information breaches, and the answer was a bit confusing. What are the rights of medical identity theft victims under HIPAA? And is it possible these Senate inquiries could lead to changes?

Medical ID theft is a scary issue that introduces some complex privacy and security concerns. When a criminal steals an individual's medical identity, it is normally to take advantage of that person's health insurance coverage. An uninsured individual might appropriate the identity of someone with an insurance plan to see a doctor, visit a hospital emergency room or obtain prescription medication. Make no mistake about it -- this is fraudulent and criminal activity.

In some cases, when medical ID theft occurred, health providers refused to provide information about the fraud to the victim of identity theft. They held the belief that HIPAA privacy rules prohibited them from sharing the information because it was protected health information belonging to another individual -- the criminal, in this case. In a recent letter to HHS officials, four U.S. senators questioned this practice and cited research showing that one in five victims of medical ID theft was denied access to records relating to the theft.

Fortunately for victims, this interpretation of the law is not correct. HIPAA provides individuals with the right to access their medical records, even if those records contain incorrect information inserted by someone else. The Federal Trade Commission released a FAQ for healthcare providers that states:

"Some medical providers and health plans believe they would be violating the identity thief's HIPAA privacy rights if they gave victims copies of their own records. That's not true. Even in this situation, patients have the right to get a copy of their records."

Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)

Next Steps

Find out what organizations need to know about privacy in a HIPAA audit

Discover the technology that's most likely to cause a HIPAA breach

Learn what qualifies as a HIPAA business associate

This was last published in April 2016

Dig Deeper on Data privacy issues and compliance