Tuesday, January 02, 2007

Medical Identity Theft is Growing

On my flight home from Ft. Lauderdale yesterday (I was down there visiting my brother, sister and two nieces for the holidays), I was reading a copy of this week's BusinessWeek magazine, and an article on identity theft really caught my eye. In part, it caught my eye because my efforts to challenge the New York City Hemoglobin A1c Registry have been met, even by others with diabetes, with seemingly little interest and I cannot help but wonder if people really understand what having our medical records on electronic files really means. For example, if that information is stolen on a laptop computer as the Veteran's Administration data on some 2.5 million veterans recently was, the laws on notification for data security breaches do not specifically address medical information; mainly they address financial information, so protection and notification are not assured. While NYC has some safeguards and its own security breach notification laws, I cannot help but wonder if we would ever hear about our test results being lost or stolen. Similarly, legislation to modernize our medical records sounds nice, but until we address patient privacy, we should not rush into anything.

A majority of identity thefts are financial in nature, usually involving people opening credit cards in another person's name and then having a grand old time at the mall or spending in far-off locations like Nigeria. While these incidents are inconvenient and can be messy to clean up, federal law (specifically, the Fair Credit Reporting Act, or FCRA) guarantees how credit reporting agencies must remove incorrect information from your credit report and provides specific timeframes by which disputes must be resolved, as well as outlining procedures for how disputes must be handled. But with medical records, there are very few protections provided by Federal law, and cleaning up your medical records can be anything but straightforward.

But consider the example from BusinessWeek about a 57-year-old owner of a horse farm in Palm Coast, FL named Lind Weaver. In early 2004, she was surprised to find a bill from a local hospital for the amputation of her right foot, even though she had never had worse than an ingrown toenail. After weeks of wrangling with the hospital's collections and billing reps, Weaver finally stormed into the facility and kicked her heels up on the desk of the chief administrator. "Obviously, I have both of my feet," she told him.

Ms. Weaver eventually persuaded the hospital to drop the charges, but she soon discovered the hard way that this was not a simple billing error. Weaver's medical identity had been stolen by a fraudster who had used her personal information — her address, Social Security number, and even her insurance ID number — to have the expensive surgical procedure performed. Her nightmare didn't end when the hospital stopped billing her for an amputation she never had. She was hospitalized a year later for a hysterectomy, and learned that the fraudster/amputee's medical information was now mixed in with her own when a nurse reviewed her chart and said, "I see you have diabetes." (She doesn't.) Not only was it inconvenient to have to argue that point while recovering from surgery, but she also could have received improper care, such as a transfusion with the wrong type of blood, or a medicine to which she's allergic. "I now live in fear that if something ever happened to me, I could get the wrong kind of medical treatment," she told BusinessWeek.

At the present time, Federal legislators have bills pending which are designed to standardize our electronic medical records, with the idea that this will somehow reduce costs (in spite of no evidence to support such claims). The sponsors of these bills, including my own Senator Hillary Rodham Clinton, claim that the "Health Technology to Enhance Quality (TEQ) Act of 2005" (S. 1262) will reduce healthcare costs, improve efficiency, and improve healthcare quality through the development of a nationwide interoperable health information technology system, but I oppose this legislation until a comprehensive review of data security for medical records is also addressed. According to a recent study, most Americans want electronic health data, but they fear for privacy. Lots of relevant statistics on this subject are outlined in this article. I have two primary concerns about this type of legislation:

Concern #1: The legislation does not include any legal or ethical measures to protect patients' medical privacy, i.e. restore the right of consent. Patients cannot "opt out" of having their records accessed through this network. Consider the New York City Hemoglobin A1c Registry as an example of how medical data can be used -- and unfortunately, abused. As a resident of New York City who has immune-mediated (type 1) diabetes, the results of my glycosylated hemoglobin tests are now being submitted without my informed consent to the New York City Department of Health and Mental Hygiene's "Hemoglobin A1C Registry," or even disclosure that my test results are being seized by the Department. This is being enabled by New York State's ECLRS (electronic clinical laboratory reporting) system, which is similar to what is now being proposed by our legislators on a nationwide basis. While the objective of the diabetes registry is to address the growing issue of type 2 diabetes, requiring my participation and not providing a provision for me to "opt out" of having my test results included in the registry does not endanger or harm the registry's goal of helping to better manage diabetes across the city. I spoke in opposition to the plan at the public hearing in 2005, but my concerns were not heeded; therefore I am now working with the ACLU to challenge the registry in a court of law for failure to provide informed patient consent or notice, which appears to be in violation of New York State law, not to mention the U.S. Bill of Rights (specifically the Fourth Amendment, which provides protection from unreasonable government search and seizure, which applies to personal medical records, too!).

If my numbers fall outside of a range the Health Department deems appropriate, they will notify my physician, and if I do not advise them that I want no communications from the NYC Health Department, I may also receive communications from the NYC Health Department. But these communications consist of recommendations and tips for losing weight, diet recommendations, as well as reminders to have blood pressure and cholesterol regularly checked (I do when I see my endo quarterly), and an offer for assistance on how to quit smoking (I don't even smoke) -- therefore all of the Health Department's "tips" are completely irrelevant to me. Material like this is not only personally offensive (especially the weight loss stuff), but it is really government abuse of electronic medical records in the name of "public health" by automatically assuming that I have type 2 diabetes and the related comorbidities of the metabolic syndrome (hypertension, irregular blood lipids), which I do not. This type of intervention was facilitated by the adoption of electronic reporting standards without properly addressing patient privacy concerns, and before we undertake any efforts to facilitate this on a national basis, serious consideration must be made to address patient privacy.

Concern #2: Patients cannot segregate any sensitive medical records from access by all "covered entities." The only privacy standards cited in this bill are those outlined in HIPAA. However, since HIPAA was amended in 2003, the Privacy Rule was eliminated. Yet this bill would institutionalize and facilitate open access to every American's cradle-to-grave medical records. Aside from the dangers of enabling access to fall into the wrong hands, the protections offered via HIPAA are relatively few and are not even being enforced, yet we would have NO recourse for data violations. A 2003 federal report estimated that at least 200,000 instances involved medical identity fraud. Unfortunately, many people are unaware they have become victims of medical identity fraud until they start receiving collections calls on hospital bills, or queries from their insurer.

The first "Priority" in this bill is to provide grants to "harmonize" state and federal laws, which means to eliminate longstanding state, common law, and ethical principles that have assured the privacy of our medical records. It provides grants to establish local and regional health networks with unfettered access by all "covered entities." Notification of privacy breaches is NOT required, and if this bill passes, tougher laws on data security breach notification in states like California would be made null and void. There is no recourse for security violations, and the recent VA incident is evidence that even U.S. Government agencies are not immune to this issue. Patients do not have a right of action. The only right we have is to complain to a government agency. But according to The Washington Post, since gaining so-called "federal protection" for our private medical information via HIPAA, as of June 2006, the Bush administration had received 19,420 complaints alleging HIPAA violations, yet had not imposed a single civil fine, and had prosecuted a mere 2 criminal cases. In order for existing laws to have any meaning or value, our laws must be enforced, which is certainly NOT the case today.

I do not support this legislation as it is currently written. I believe the few protections we have now would be damaged further; therefore a comprehensive addendum to address these issues must be made first. This is not something that Congress can address at a later time; it must be done now before this becomes law. The good news is that with a Democratic majority in both the House and Senate, there is an increased likelihood that more serious consideration will be given to the issue of privacy, and I URGE you to contact your own legislators and ask them to become active participants in these discussions.

For your reference, I have listed several resources you might wish to consider regarding medical identity issues:

Patient Privacy Rights

HIPAA Privacy Information
Original Rule
Amended Rule

Institute for Health Freedom


Scott K. Johnson said...

Hey Scott,

That is crazy stuff right there.

I often times don't understand where all the common sense went in situations like this.

Again, I appreciate all that you do to fight this type of stuff, and to keep people like me informed of the issues and why they are so important.

Anonymous said...


It is really very pathetic! Your comments on this blog clearly define how vulnerable anyone’s identity is, and how easily it can be stolen. You really sent out a very good message. This issue needs to be addressed as early as possible.