The chairs and ranking members of the Senate Committee on Health, Education, Labor and Pensions and the Committee on Finance recently asked the U.S. Department of Health and Human Services what it's doing to support and protect victims of medical ID theft after health information breaches, and the answer was a bit confusing. What are the rights of medical identity theft victims under HIPAA? And is it possible these Senate inquiries could lead to changes?
Medical ID theft is a scary issue that introduces some complex privacy and security concerns. When a criminal steals an individual's medical identity, it is normally to take advantage of that person's health insurance coverage. An uninsured individual might appropriate the identity of someone with an insurance plan to see a doctor, visit a hospital emergency room or obtain prescription medication. Make no mistake about it -- this is fraudulent and criminal activity.
In some cases, when medical ID theft occurred, health providers refused to provide information about the fraud to the victim of identity theft. They held the belief that HIPAA privacy rules prohibited them from sharing the information because it was protected health information belonging to another individual -- the criminal, in this case. In a recent letter to HHS officials, four U.S. senators questioned this practice and cited research showing that one in five victims of medical ID theft was denied access to records relating to the theft.
Fortunately for victims, this interpretation of the law is not correct. HIPAA provides individuals with the right to access their medical records, even if those records contain incorrect information inserted by someone else. The Federal Trade Commission released a FAQ for healthcare providers that states:
"Some medical providers and health plans believe they would be violating the identity thief's HIPAA privacy rights if they gave victims copies of their own records. That's not true. Even in this situation, patients have the right to get a copy of their records."