As HIPAA Security Rule compliance slips, the number of medical identity thefts increases. Unlike financial identity theft, the theft of an individual’s medical identity can lead to serious health, employment, and insurability issues.
HIPAA (the Health Insurance Portability and Accountability Act of 1996) required all covered entities (CEs) to comply with the Security Rule by April 2005. Small CEs were not required to meet the compliance standards until April 2006. Although progress was made initially, CEs now appear to be moving in the wrong direction.
According to an April 2006 survey of healthcare privacy officers and other CE staff responsible for HIPAA compliance (AHIMA, “The State of HIPAA Privacy and Security Compliance”), only 39 percent of hospitals and health systems consider themselves 100 percent compliant. The share of facilities that consider themselves at least 85 percent compliant dropped from 91 percent in 2005 to 85 percent in the 2006 survey. The main reason cited for not meeting compliance is a lack of resources. So why are CE executive managers not providing the time and money necessary to safeguard Protected Health Information (PHI)?
The cause appears to be a lack of effective enforcement: fines are not being levied as specified in HIPAA, and there are no annual compliance audits. As of June 2006, more than 19,000 grievances had been filed with the Department of Health and Human Services. More than 14,000 of these cases were closed either with a ruling that there was no violation or with the targeted CE being given the opportunity to correct the deficiencies identified (Rob Stein, “Medical Privacy Law Nets No Fines”, Washington Post, June 2006).
Unlike regulations such as Sarbanes-Oxley, HIPAA requires no annual third-party audit. CEs are only in the line of fire when a patient or employee files a complaint. Further, Sarbanes-Oxley deficiencies can find their way into an organization’s annual report, which can result in shareholder and customer distrust. HIPAA has no such provision. In other words, most CEs are “on their honor” to meet the standards and recommendations contained in the HIPAA Security Rule.
As HIPAA compliance languishes, medical identity thefts continue to plague patients. In a May 2006 report (“Medical Identity Theft: The Information Crime that Can Kill You”, The World Privacy Forum), Pam Dixon estimates that approximately 250,000 Americans have been victims of this crime since the FTC began tracking it in 1992. According to Dixon, medical identity theft poses more than a financial threat: it can also result in misuse of a victim’s medical records and insurance.
Dixon writes about a victim in Florida who went for medical treatment and found that her records had been altered, including a change to her blood type. It was later discovered that someone had posed as the victim to receive treatment. In other cases, victims find that their health insurance maximums have been reached, or that they are uninsurable because of medical conditions that actually belong to an impostor. Finally, there have been cases in which victims of medical identity theft were denied employment because of non-existent health problems.
Victims of medical identity theft have little recourse. A person’s medical records may be dispersed across multiple locations, making it all but impossible to identify occasional unauthorized use of medical services. Medical facilities are often reluctant to provide copies of medical records, which makes it very difficult to review and correct errors.
Enforcement of the HIPAA standards is critical if we are to have any chance of stopping PHI leakage. Further, Dixon recommends the following:
- Individuals must be given the right to correct errors in their medical histories
- Each individual must be provided with one free copy of his or her medical records
- The rights of individuals to obtain an accounting of disclosures of PHI should be expanded
- Possible compromise of medical data should be communicated to consumers
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.