Leaders and stakeholders gathered this week to discuss medical identity theft and how the federal government could lead a campaign to prevent it.
In a town hall meeting sponsored by the Department of Health and Human Services' Office of the National Coordinator for Health IT (ONC), experts explained how statistics are scarce on the extent of the problem –in part because most often the crime is committed by company insiders and goes unreported.
Others explained how medical identity theft can have devastating effects on victims.
According to Linda Foley, founder of Identity Theft Resource Center, victims of medical identity theft want a clean record, but there aren't many answers for how to help them. Sometimes the thief mixes their information with another patient's, making the clean-up particularly difficult.
Some doctors have begun taking photos to include in patient records, Foley said.
Pam Dixon, executive director of the World Privacy Forum, said the loss to a patient from a single incident of medical identity theft can range from $2,000 to $250,000.
Dixon urged any federal campaigns to prevent medical theft to include input from victims who understand the complexities of the damage and what it takes to help victims through the process.
Gary Cantrell, from the HHS Office of the Inspector General, said victims can pay $800 to $5,000 out-of-pocket on bills racked up via medical identity theft to prevent further damage to their credit ratings. They report the crime to several agencies, but wonder if the case has been dropped through the cracks.
"We need to help the consumer and have a plan of action to reassure them that something is being done," Cantrell said.
Lisa Gallagher, the Healthcare Information & Management Systems Society's senior director of privacy and security, said healthcare organizations may find a breach, but the incident isn't investigated until the organization gets a report from a patient. When healthcare organizations respond to a case of medical identity theft, they need to focus on gaining an awareness of where the breach originated and what motivation was behind it.
Many experts at the meeting advocated new technology to help prevent breaches, including smart cards and biometrics. Dixon warned, however, that sometimes these can hurt victims more than help them if the authentication is mistakenly "hardened" to the criminal, effectively making the victim the criminal.
Health information exchange brings benefits, Dixon said, but with transparency comes responsibility.
Dixon said that when she asks organizations about preventing medical identity theft, she often hears, "We're thinking about it." She said she wants to hear that an organization has a process in place to help victims that crosses state lines and includes all the organizations in the health information exchange.
Dixon and others at this week's meeting described the troubles victims face in getting copies of their own medical records from providers, as well as getting police reports and other general assistance for clearing up their case. Ideally, there should be a national protocol for assisting victims, Dixon said.
Jodi Daniel, the ONC's director of the Office of Policy and Research, said this week's discussion was energizing, but added that he has concerns about how ONC could take on all the aspects of medical identity theft discussed at the meeting.
Attendees recommended developing a community to assess what could be done, and possibly establishing a clearinghouse for best practices.
They also said more education is needed, and many felt the healthcare sector could take lessons from the financial industry on how to safeguard identities.
Some stakeholders called for guiding principles for preventing medical identity theft while the federal government builds the National Health Information Network, expected to be showcased this December with a live interoperability demonstration.