If you're a victim of medical identity theft, the information can spread quickly - meaning you might have your hands full trying to get it all corrected. And fixing medical identity theft is both difficult, and extremely important, since you don't want your doctor deciding what you need based on someone else's health information that just happens to be in your health file. The World Health Organization has a valuable series of FAQ's to help with understanding and fixing medical identity theft, but here's the Cliff's Notes.
Watching for Medical Identity Theft
An Explanation of Benefits (EOB) will give you an idea if you have an issue or not. Get this from your insurance company. If they paid for procedures you never had, dig deeper. Talk to the hospital or medical office that received the funds. Chances are, if you talk with your insurance agency's fraud department, they'll do this for you. After all, they were the ones who lost money. They might even be clever and look into other payments made to that service provider.
You may also be tipped off by getting strange questions from a new doctor, receiving bills from doctors you don't visit, collection calls under similar circumstances, or getting a notice from your insurance company that your benefits are being cut-off due to hitting your "spending cap".
These are important steps to take, because you may someday decide to change insurance companies. When you apply, the company will perform an "underwriting investigation", meaning they may talk with your healthcare provider and find that there are conditions on your record you haven't mentioned. This could result in you being denied for the new insurance.
Your Right to Access Your Records
HIPAA requires medical service providers to notify you of their privacy practices. That will include access to your medical record. It's so important, in fact, that doctors require their patients to sign a form saying you received that information. Their process for obtaining a copy of your medical record will be on that form. (If you don't have the form, they'll give you a copy, if they have a website, it will be there too.)
- Plan on filling out a form.
- If they send you a written notice of delay, plan on waiting 60 days.
- Plan on waiting 30 days.
- Plan on paying as much as $1.00 per page.
The Medical Information Bureau (MIB) is used by insurance companies to share proprietary codes that represent medical information. This is chiefly to verify the accuracy of a new insurance application, but the MIB file only reflects the information their "Members" have given them, and may have inaccuracies. (Based on the number of disclosures they have already provided, the general counsel for the MIB says only 1.5% of their records have had to be amended due to inaccuracies.) If you are dealing with medical identity theft, be sure to check your MIB file. Although the chance of there being errors here are slim, if there are errors in your MIB file, it will almost certainly result in difficulties with getting insurance down the road.
The Medical Information Bureau is regulated by the same laws as the credit reporting agencies, including FACTA and HIPAA. This means they will provide you a copy of the consumer file they have on hand for you once a year. They respond to requests within 10 business days, and there is no charge for your copy.
What Records? Where?
Not every record is important to your identity theft, but it is important to get the ones that are. When you're talking with the service provider, they may be sympathetic and help you figure out what records to request.
Make sure to request an Accounting of Disclosures, as well. This is a list of other medical providers that have requested something out of your medical record. Don't be surprised if the list matches some of the EOB list.
The World Health Organization mentioned Pharmacy Benefit Mangers (PBMs) as well. They keep track of pharmacy "network" management, and may have information relevant to your case. If you have insurance and get your medications by mail, that's usually a PBM.
Some records may not be available to you. For example, a psychiatric professional probably won't give you notes they took in session, and those wouldn't help much anyway. But some medical professionals are so scared of HIPAA that they are overly cautious (like not notifying a life-partner of their mate's condition after a surgery.) You may have a fight on your hands. Stand your ground, they can be found liable for errors in your medical record, so it's in their best interest to get it cleared up, too.
Cleaning It Up
You can amend your medical record. This must be your first priority when dealing with medical identity theft, especially information that will impact your medical treatment. But it's easier said than done. The WHO used the exact phrase "…complex, difficult, and controversial…." The process will be in the HIPAA document we discussed above.
- Plan on filling out a form.
- Plan on writing out what is incorrect, and why you believe it is.
- Plan on a thorough review with the doctor.
- Plan on waiting 60 days.
- If they send you a written notice of delay, plan on waiting 90 days.
You probably won't get incorrect information removed. This is a big concern to medical identity theft victims, because the corrected information may not be seen by future care-givers. The WHO said of this, "… the HIPAA amendment rule is inadequate to meet the needs of victims of medical identity theft. The rule should be revised to require covered entities to consider the removal of information that does not belong in the record of a medical identity thief victim. The problem of incorrect information will only become more acute as more medical information is routinely stored in and shared through health information networks."
Just because you ask the information be amended doesn't mean it will happen, for many different reasons. You may still disagree with the doctor. You may have the right to appeal their decision. You can complain to the Secretary of the Dept. of Health and Human Services, but they may not investigate. You can make a written statement of disagreement, but the service provider can issue a rebuttal. You can insist they send your statement of disagreement with all future requests for your medical record, but they will include their rebuttal as well. Here's a suggested disagreement:
I ask that my request for amendment be included with any subsequent disclosure of the information for which I requested an amendment. This is a right guaranteed by the HIPAA health privacy rule at 45 C.F.R. § 164.526(d)(5)(ii).
Pull your credit. It's not unusual for one form of identity theft to lead to another. Knowing where it can creep up is a help. But if you've had an issue with medical identity theft, it's common to discover your credit history shows it's been going on for a while. This will give you more doctors to call to set up these review sessions.