Health Information Compliance Alert

Published on Mon Jul 17, 2017 PDF

Identity mix-ups not only ruin lives, but put patients in harm’s way.

Identity theft continues to be a source of consternation in the medical industry despite federal and state efforts to assist providers with HIPAA privacy compliance. Consider this expert data for determining how this perennial issue could impact your practice.

Medical ID theft can wreak financial havoc for providers and facilities. It can be considered a violation of provisions of the HIPAA Security Rule and may lead to complaints to the HHS Office for Civil Rights (OCR) which, in turn, can lead to proceedings for civil monetary penalties, warns attorney Kenneth Rashbaum, Esq. of Barton LLP in New York, New York. These penalties can reach hundreds of thousands of dollars or more. State attorneys general may bring HIPAA proceedings, and they can also bring actions to enforce state privacy and anti-identity-theft laws.

Warning: “In addition, there are criminal sanction provisions in HIPAA, and these have been used in the past to prosecute identity theft from hospital patients,” Rashbaum points out. “No hospital wants to be in the news for a criminal prosecution of an employee,” he adds.

All of this adds up to “the likelihood of a very real negative impact on the provider or facility’s goodwill,” says Jim Sheldon-Dean, director of compliance services with Lewis Creek Systems, LLC in Charlotte, Vermont.

Penalties: If it’s a reportable breach under HIPAA, the costs of notification can be significant, both in dollars and in public trust, because the fines can be assessed on a daily basis, up to $1.5 million in a year for any one provision violated, Sheldon-Dean goes on to say. There are also likely to be ramifications under state breach notification laws, and for some institutions the Federal Trade Commission’s Red Flag Rule applies, he adds.

The Loss of Identity Impacts More Than Just Privacy

“The biggest problem with medical ID theft is not only the cost to all of the stakeholders that lose money, which cannot be recouped,” but the patient, whose identity has been stolen pays a price as well, says Ester Horowitz, MBA, CMC, CITRMS. Patients may have two records in their name — the real one and the fake one used to get drugs or treatments, she adds.

Health hazard: Confusion over identities can seriously jeopardize patients’ care. Identity theft poses “a danger to the patient’s wellbeing when the medical system is contaminated with wrong information making it difficult to treat the patient in emergent situations,” Horowitz warns.

Resource: To look at the Federal Trade Commission’s Red Flag rule, visit https://www.ftc.gov/tips-advice/business-center/privacy-and-security/red-flags-rule.