FTC cracks down on medical identity theft

The FTC plans to issue a new consumer protection rule that will take on the issue of medical identity theft, a growing concern now that identity thieves have recognized that medical records are rich sources of financial information that can be used to obtain credit with someone else's history. Alternate forms of medical identity theft, in which patients impersonate someone for the purpose of transferring their bill to that person, are also on the rise.

The FTC's Red Flag and Address Discrepancy Rule is written to address a wide range of financial institutions a creditors--including healthcare organizations--and requires such organizations to address identity theft risks and develop a mitigation plan. Healthcare providers, who are addressed expressly in the Red Flag Rules Guidelines, are required to identify "red flags" that help them determine when medical identity theft may be occurring, detect when a red flag event takes place, respond appropriately and update their red flag program periodically to reflect changes in potential risks.

While the FTC isn't requiring any specific red flags for healthcare providers, the World Privacy Forum has provided a detailed list of suggestions for such triggers for investigation, including a dispute of a bill by a patient who claims to be the victim of identity theft; patient's having gotten a bill for another individual or a bill for a product or service they deny receiving; records showing medical treatment that is inconsistent with a physical exam or medical history reported by the patient; a patient or insurance company report that coverage for a legitimate hospital stay is denied because insurance benefits have been depleted or a lifetime cap has been reached.

To learn more about this regulation:
- read this World Privacy Forum report (.PDF)

Related Articles:
Trend: Identity thieves get better at stealing medical records
The growing problem of medical identity theft
NY hospital worker charged with massive file theft
California expands health data breach rules