First Aid for Medical Identity Theft: Tips for Consumers
When another person uses your personal information to get medical services or goods, or to gain financially, that is medical identity theft. The thief may use your identity to see a doctor. He or she may get prescription drugs or to file claims with your insurance company in your name. If the thief’s medical treatment or diagnosis mixes with your treatment or diagnosis, your health is at risk.
In this information sheet, we describe signs of medical identity theft. Then we give you tips for protecting yourself. At the end of the sheet, we have sample letters and more resources for tackling this crime head-on.
There are five key signs that you might have a medical identity theft problem.
Sign One: Receipt Of A Breach Notice
You get a letter from a health care organization. The letter tells you that your information was involved in a data breach, which means your information left the organization’s control for a period. The letter usually describes what happened. A burglar, for example, may have stolen an employee laptop, or a hacker may have reached into the organization’s computer system. The letter also shares what type of information was exposed. It could be health insurance numbers, Social Security numbers, or medical information. Some information types can put you at greater risk than others, so look closely at this part of the letter.
- If the letter says your Social Security number was involved, quickly go to our fact sheet What to Do If Your Personal Information Is Compromised (See Additional Resources section at end of this sheet.). Follow the four steps: a fraud alert or a security freeze on your credit records will stop someone else from using your Social Security number to open new credit accounts in your name.
- If the letter says your health insurance or health plan number was involved, contact your insurer or plan. Tell them about the breach and ask them to note the breach in their records and to flag your account number. Closely watch your Explanation of Benefits statements for any questionable items. If you find any, follow the steps in the next section.
- A breach that involves medical information, but not your Social Security or health insurance number, does not generally pose a risk of medical identity theft. Keep watching your Explanation of Benefit statements anyway.
Sign Two: Unknown Item in Explanation of Benefits
Your Explanation of Benefits statement from your health insurer arrives in the mail. This is that form than often says “THIS IS NOT A BILL.” You see a service you did not receive, an office visit you did not make, or medical equipment you did not request on the statement. (Remember that services for family members may be on your Explanation of Benefits too.)
- Call your insurer at the number listed on the Explanation of Benefits. Ask for more details about anything you suspect, and ask them to investigate. Ask for copies of records connected to the item. You may need to write this request: Sample Letter 1 at the end of this information sheet will help.
- Contact the doctor, pharmacy, laboratory, health plan, or other provider who submitted the information to the insurer. Ask to see your medical records about the item you are seeing in the Explanation of Benefits. Be confident in knowing that you have a right to inspect your medical records and to receive copies of them, with some exceptions. Be careful too - copies of medical records cost money. Try making your request more manageable by inspecting your records at the office first, then requesting copies of only items that seem to be part of the problem. To make a request in writing, see Sample Letter 2.
- Review all the information you receive from your insurer and your related medical records. If you still believe the item is incorrect, contact the health care provider’s medical records department or privacy office. Explain which information is not correct and have copies of the supporting documents ready to illustrate your point. Request to have your medical records corrected. You may need to get a police report of identity theft to go with your request. Sample Letter 3 is a request for correction.
Sign Three: Notice of Reaching Benefit Limit
You may receive a notice from your health insurer or health plan saying that you have reached your benefit limit. Or your request for a benefit is denied because it would be over your limit. If you believe you have not reached your limit, take steps to find out if you may be a victim of medical identity theft.
- Call your insurer, at the number on the notice. Ask for a listing of all the benefits paid in your name.
- Review the list and if you believe it contains inaccurate items, follow the steps above in the Explanation of Benefits section.
Sign Four: Call from Debt Collector
You get a bill or phone call from a hospital or other health care provider or from a collection agency about a bill for medical services that you did not receive.
- First, focus on the financial risks. Tell the creditor or collector that you did not receive the service and are not responsible for it. Ask for a copy of the bill and related documents. See our Identity Theft Victim Checklist for the steps to take on financial identity theft.
- Then, take action on the possible impact on your medical records. Call your health insurer or health plan. Tell them about the bill, explain that you did not receive the services and ask them to investigate it. You can use Sample Letter 1 for this.
- Contact the health care provider who provided the services. Tell them you received a bill or call about a service you did not get. Ask them to check their billing records. If they confirm the bill, ask them for a copy of your medical records related to the service. You can use Sample Letter 2 for this.
- Review the information you receive from your insurer and your medical records. See Step 3 in Explanation of Benefits.
Sign Five: Questions at Intake
You check in at your health provider. When the staff asks you to “verify” your information, you notice that something is wrong – your address or date of birth, for example. They may even ask you how you are doing after your surgery, and you never had a surgery in your life!
- Ask for the billing supervisor. Tell him or her that you may be the victim of medical iden-tity theft. Ask the supervisor to investigate the billing records and to flag your account as possible identity theft. Also ask the super-visor to have your medical records reviewed for possible errors related to identity theft.
- Depending on the results of the investiga-tion, take other steps described above.
Notice of Privacy Practices:
Federal law requires health care providers and health plans to give you a Notice of Privacy Practices. Ask your provider or look for it on the organization’s web site. In the Notice, you can find instructions on how to order copies of your medical records, how to request an amendment or correction, how to file a privacy complaint, and other helpful information.
Large health care organizations often mean complex processes. An organization’s privacy officer should be able to offer clear explanations and guidance in handling your medical identity theft situation. Contact information for the privacy officer should be in the Notice of Privacy Practices.
Office of Civil Rights:
Sometimes when you say you may be a victim of medical identity theft, a provider is unwilling to give you access to your medical records. Some providers have questioned whether the federal health privacy law permits showing you a record that may contain another person’s personal health infor-mation. In such a case, show the provider the guidance offered by the Office for Civil Rights, which enforces the health privacy law, on their web site at www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/. If your provider still resists, you can file a complaint with the Office of Civil Rights: www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.
Information Sheets from the California Attorney General:
A number of information sheets on privacy topics are available on the web site at www.oag.ca.gov/privacy/info-sheets. The ones listed below are helpful in dealing with medical identity theft.
- Identity Theft Victim Checklist: The steps to take in response to financial identity theft, including placing a fraud alert, or-dering credit reports, and getting a police report, with sample letters.
- Your Patient Privacy Rights: Overview of medical privacy rights in California and federal law.
- What to Do If Your Personal Informa-tion Is Compromised: Steps to take when your Social Security number is involved in a data breach.
More on Medical Identity Theft:
The World Privacy Forum has conducted research on medical identity theft and has a wealth of information on its web site at www.worldprivacyforum.org/medicalidentitytheft.html.