Medicare Compliance & Reimbursement

HIPAA:

Senators Want HHS to Clear Up Confusion Over Medical Identity Theft and HIPAA

You and your patients may soon see more support from the federal government when it comes to preventing and mitigating the effects of medical identity theft — especially with new pressure to do so coming from Congress.

In a Nov. 10, 2015 letter to the Centers for Medicare & Medicaid Services (CMS) and the HHS Office for Civil Rights (OCR), the Chairs and Ranking Members of the Senate Committee on Health, Education, Labor, and Pensions and the Committee on Finance expressed their concerns with what HHS is doing to support and protect victims of medical identity theft.

Citing many large health information breaches lately, the senators raised fears regarding the surge in major cyberattacks on large insurers like Anthem BlueCross BlueShield and healthcare providers like the UCLA Health System.

“We are concerned that data theft will continue to rise and will result in an increase in medical identity theft,” the senators wrote.

Medical identity theft can have serious financial repercussions for victims, as well as adulteration of victim’s medical records, which can have dangerous health consequences, the senators pointed out. And although the HIPAA Privacy Rule grants patients the right to view and request corrections to their medical records, “there is widespread confusion about how this rule applies in the case of a thief’s information being comingled with that of his or her victim’s.”

Truth: In fact, both the U.S. Department of Human and Health Services (HHS) and the Federal Trade Commission (FTC) have addressed this very issue, noted partner attorney Adam Greene in a Dec. 1, 2015 analysis for the law firm Davis Wright Tremaine LLP. The HIPAA Privacy Rule grants individuals the right to copies of their medical records maintained by covered healthcare providers and health plans. If you give victims of medical identity theft copies of their own records, you’re not violating the thief’s HIPAA privacy rights even if the thief’s information is mixed with the victim’s.

The senators posed a list of specific questions regarding medical identity theft to CMS and OCR, including (for example):

  • What support does HHS provide to federal, state, and local law enforcement officials to aid their response to medical identity theft?
  • What services does CMS offer to Medicare and Medicaid beneficiaries who suspect they are victims of medical identity theft?
  • How do OCR and CMS coordinate medical identity theft prevention and mitigation efforts?
  • Does HHS believe that the HIPAA Privacy Rule gives a victim of medical identity theft the right to access his or her health record if it contains a thief’s health information? Has HHS encountered confusion on this matter previously? If so, what steps has HHS taken to address the confusion over the meaning of the Privacy Rule on this matter?

Link: To read the senators’ letter to CMS and OCR, go to www.help.senate.gov/imo/media/doc/Medical Identity Theft Letter--final.pdf.