Why HIPAA Matters: Medical ID Theft and the Human Cost of Health Privacy and Security Incidents
Whenever I go to a doctor and am asked what I do for a living, I say that I focus on information privacy law.
"HIPAA?" the doctors will ask.
"Yes, HIPAA," I confess.
And then the doctor's face turns grim. At first, it looks like the face of a doctor about to tell you that you've got a fatal disease. Then, the doctor's face crinkles up slightly with disgust. This face is so distinctive and so common that I think it should be called "HIPAA face." It's about as bad as "stink eye."
"Oh, that's nice," the doctor says.
I often leave it at that, because if I say more, I might end up with a scalpel sticking out of my chest.
For so many healthcare providers, HIPAA is a source of great aggravation. It's difficult. It's boring. It seems to consist of a lot of inconvenient and costly requirements.
I believe that these attitudes about HIPAA are due to a failure to educate healthcare professionals about the reasons why HIPAA matters. HIPAA is not about doing all sorts of needless things for their own sake. It is about protecting patients.
A recent article in the Wall Street Journal describes the problem of medical identity theft, a problem that is rising dramatically. I blogged previously about the problem of medical identity theft, and I believe that significant attention must be devoted to this problem. According to the WSJ article: "Unlike in financial identity theft, health identity-theft victims can remain on the hook for payment because there is no health-care equivalent of the Fair Credit Reporting Act, which limits consumers’ monetary losses if someone uses their credit information."
Medical identity theft is on the rise. It affected 2.3 million people in 2014. This chart shows how rapidly it is growing.
Medical identity theft is quite costly. According to a Ponemon study, "65% of victims reported they spent an average of $13,500 to restore credit, pay health-care providers for fraudulent claims and correct inaccuracies in their health records."
The WSJ article explains why medical identity theft is so prevalent and why it is so damaging:
Thieves use many ways to acquire numbers for Social Security, private insurance, Medicare and Medicaid. Some are stolen in data breaches and sold on the black market. Such data are especially valuable, sometimes selling for about $50 compared with $6 or $7 for a credit-card number, law-enforcement officials estimate. A big reason is that medical-identification information can’t be quickly canceled like credit cards.
Another aspect of medical identity theft that causes great trouble is that the identity thief can pollute a person's medical records with false data. This can affect a person's treatment, and in some cases, it can be a life-or-death matter. In one case, described in the WSJ article, a woman was falsely listed on the birth certificate of an identity thief's baby. The baby was born addicted to meth, and the identity theft victim was wrongly pursued by child-protective services for a baby she never gave birth to.
This is the human side to HIPAA. For healthcare providers, HIPAA need not be overly complicated or boring or tedious. I believe that good education about HIPAA is key. Healthcare workers must understand HIPAA clearly and concretely, and they must understand why HIPAA has the requirements it does. They must understand the human side of HIPAA. When they do, their attitudes change, HIPAA is not as bad as they believed it to be.
So I propose the following motto for HIPAA: If you care about patients, you should care about their data.
I hope that one day, when I go to the doctor's office and start speaking about HIPAA, I can say: "I love HIPAA."
And the doctor will reply: "I love it too."
* * *
Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School and the founder of TeachPrivacy, a privacy/data security training company. He is the author of 10 books and more than 50 articles.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum – Oct. 21-23 in Washington, DC.
150+ Speakers at the Privacy + Security Forum
The views here are the personal views of Professor Solove and not those of any organization with which he is affiliated.
Image Credits: Pond5
Professor Solove's HIPAA Training
Professor Solove's Social Media
Please join Professor Solove's LinkedIn groups:
TWITTER: Follow Professor Solove on Twitter @DanielSolove.
NEWSLETTER: Click below to sign up for Professor Solove's newsletter. It is free and is only sent out occasionally, so it will not clog your inbox.
Associate Financial Advisor @CIBC | TrentU Grad
4yHad a good laugh at the introduction. Very interesting read. Medical id theft is a serious issue and have been on the rise since the past few years. Many leading hospitals now prevent medical id theft with RightPatient®- leader in touchless biometric patient identification platform: https://lnkd.in/f24C27G
Retired Master Level Nurse at Retired Professional Nurs
9yWow... and I will share as well. Thanks
--
9ythanks for sharing
Adult Ministry Assistant
9yVery interesting Daniel. Thank you for sharing this.