Editorial: Still an Uphill Battle

How new laws can help the health care sector

June 2009

Finally. That’s the word that keeps coming to mind whenever I read the news lately concerning medical identity theft. Finally, health care providers may be required to be on alert against identity theft. Finally, the patient privacy regulations mandated by HIPAA will be enforced. Finally, doctors, hospitals and insurance companies will be required to notify people whose medical records have been jeopardized by a data breach.

And finally, we have some cases of medical identity theft large enough to shock the public into awareness. The recent incident in Virginia, in which 8.3 million people had their medical records seized and held for a $10-million ransom by a bellicose, grammatically-impaired hacker, gained headlines around the country. Finally, journalists and readers were exposed to the menace of medical identity theft in all its ugliness.

Of course, all this news means we are at the very beginning of the fight, not the end. Because when it comes to medical identity theft, we’re not ready yet to fight the crime itself. We don’t understand enough about it. We don’t have the data we need to know how it occurs, which types of medical identity theft are more common, or which methods are most effective at preventing it. The fight now is for more information, and that is the fight we may—finally!—be winning.

The first achievements for patients and consumers come from Congress. This is surprising, since in all other aspects of identity theft, state legislatures have led the way, as the federal government blithely meandered along. But in this respect, at least, the renewed debate about how to fix our broken health care system has already begun to pay dividends. First comes the HITECH Act, a complicated smorgasbord of regulations that includes steps forward and back for patient privacy.

One step back concerns reimbursing doctors for the cost to transfer paper medical records into electronic files. At best this is premature, since the law does not include sufficient guidelines for how electronic records should be encrypted or password-protected to prevent theft. At worst it is dangerous. Medical files are already plentiful and poorly secured – how often have you walked into a doctor’s office and seen a drawer full of files gaping open behind the receptionist’s desk? Now imagine that same lax security applied to documents stored on computers that are likely to be out- of-date, given the high overhead costs faced by most medical practices. 

Despite these concerns, the HITECH Act has provisions that could help prevent medical identity theft. Perhaps most importantly, it requires doctors, insurers and hospitals to notify patients whose private medical information is compromised by a data breach. This is a huge step forward. It will help patients take steps to ensure that their medical records are not misused. It also will give us more information about the frequency of different types of medical identity theft, which will help advocates and legislators craft better legislation to fight it. 

The other major benefit of HITECH is that it gives regulatory teeth to HIPAA (thirteen years later, since HIPAA was passed in 1996, but who’s counting?). No one expects state attorneys general newly empowered by HITECH to prosecute a great number of medical identity thieves. But as has been the case with investigations of the financial industry, aggressive and politically astute state attorneys generals can use their new authority to usurp federal law enforcement and go after the biggest fish, raising the stakes for medical identity thieves and winning the admiration of voters in the process. These investigations will give the public an unprecedented mother lode of documents detailing the inner workings of large-scale medical identity theft crime rings, which will help enormously in our understanding of the problem. 

Another boon for consumers, and hopefully for patients, is the Red Flags regulation. The new Red Flags rules, included in the 2003 Fair and Accurate Credit Transactions Act (FACTA), require all companies that extend credit to be on the lookout for signs of identity theft, and to have a plan in place for how to respond when the crime is discovered.

I say that patients will “hopefully” benefit because there is a remote chance that the American Medical Association will succeed in its dangerous, hyperbolic lobbying effort to create a loophole in the Red Flags rules for the entire health care industry. The AMA claims that doctors and hospitals should not have to abide by the rules because they are not creditors. This is a rather tortured logic given that, like cell phone companies, utilities and all other corporations that must abide by the Red Flags rules, doctors accept deferred payment for services. 

In reality, doctors and hospitals stand to gain as much from the Red Flags rules as do patients, if not more, since they are the ones forced to eat the bill when an insurance company discovers it has been cheated by an identity thief. The Red Flags rules simply make mandatory what all businesses should be doing voluntarily to improve the bottom line: Protecting themselves from fraud. In the process, patients will be protected from incorrect, possibly dangerous health care caused by erroneous information being inserted into their medical files.

Despite two postponements in the enforcement deadline, the U.S. Department of Health and Human Services has given every indication that it will not allow the AMA to make an end-run around the Red Flags rules. This is cause for medical identity thieves to worry, and for patients to rejoice.

I wish I could say that I was surprised when the news broke that 8.3 million patients in Virginia were having their medical identities held for ransom. Sadly, I can’t. What little we know about medical identity theft indicates that it is a growing threat, that in the absence of public awareness or legal consequences the thieves are growing more audacious and more dangerous. The only way to stop the threat is to learn more about it, as soon as possible.    

Now, finally, that time has come.