[ Tuesday, May 16, 2006 ]
OK, I was wrong.
I've been blabbing on and on about how PHI is primarily only attractive for the identity-theft data it contains, such as social security information and other demographic data. My point has been that nobody cares about your gallstones or your hypertension, they just want your social security number so they can get bogus credit cards and ruin your credit.
But it turns out, there actually is a growing epidemic of real life medical identity theft
, where someone gets hold of your name and insurance information, poses as you, and gets medical care, all paid for by your insurance company. Obviously, these people are stealing from the insurance company that pays for the care, thinking it's you that's receiving it. But if they pay the copay and deductible, perhaps that would even help you in the end (you'd meet your deductible sooner). Certainly, unless the legitimate insured gets a bill in the end, there's not a big incentive to get the "victim" to seek out and expose the theft.
Or perhaps there is: the medical identity theif may use so much healthcare that you end up going over your annual or lifetime limit for insurance. And worse, if someone steals your medical identity and you end up with false information in your medical record, you could miss getting treatment you need, could get transfused with the wrong blood type, could be treated for ailments you don't have, and could be refused for life insurance if the medical identity thief had a disqualifying disease that got attributed to you.
It's still identity theft. But it's not what I was primarily concerned about, the ruin-your-credit kind. Instead, it could kill you.
UPDATE: Crap, who are these World Privacy Forum people? If you read the linked article and want to request an "accounting of disclosures" as recommended by those folks, you won't find out everyone who accessed your records, not by any stretch of the imagination. Instead, you won't get information on disclosures made for treatment or payment purposes, which is where the medical identity theft described in the article would be occuring. Instead, you'll just be tying up the providers and payors from whom you're asking for accountings. Sheesh.
Jeff [5:05 PM]
Blogger: HIPAA Blog - Edit your Template