Examining the $234 Billion World of Medical ID Theft

What is medical identity theft? How can it put a patient in jeopardy? How are data breaches involved, and three things you can do to protect patient data.

1.42 million Americans were victims of medical identity theft in 2010, according to a 2011 study on patient data privacy and security by the Ponemon Institute. The report estimates the annual economic impact of medical identity theft to be $30.9 billion.

The harm of medical identity theft causes patients is often overlooked.
With its serious health risks, medical identity theft can be far more dangerous than other forms of identity theft. When a victim’s records are merged with a thief using the same identity, for instance, that record becomes “polluted,” and the victim may be denied treatment or be misdiagnosed based on this inaccurate information.

Data breaches — A major source of medical I.D. theft
Whether caused by theft, loss, human error, or hacking, data breaches put patient data at risk for medical identity theft.

Three tips for protecting patient data
Preparation is the best defense for mitigating the chances of a data breach and the costly consequences of medical identity theft. We recommend that healthcare organizations:

1. Take an inventory of PHI/PII. An inventory provides a complete accounting of every element of personally identifiable information (PII) and PHI that an organization holds, in either paper or electronic format.
2. Develop an Incident Response Plan (IRP). An IRP is an effective, cost-efficient means for helping organizations meet HIPAA and HITECH requirements and develop guidelines related to data breach incidents.
3. Review contracts and agreements with business associates. Business associates are a growing cause of data breaches. These contracts authorize and define business associates' use of the PHI they share with healthcare providers.