Why HIPAA Matters: Medical ID Theft and the Human Cost of Health Privacy and Security Incidents

By Daniel J. Solove

Posted on September 11, 2015


Whenever I go to a doctor and am asked what I do for a living, I say that I focus on information privacy law.

"HIPAA?" the doctors will ask.

"Yes, HIPAA," I confess.

And then the doctor's face turns grim. At first, it looks like the face of a doctor about to tell you that you've got a fatal disease. Then, the doctor's face crinkles up slightly with disgust. This face is so distinctive and so common that I think it should be called "HIPAA face." It's about as bad as "stink eye."

Image: A doctor

"Oh, that's nice," the doctor says.

I often leave it at that, because if I say more, I might end up with a scalpel sticking out of my chest.

Image: Syringe

For so many healthcare providers, HIPAA is a source of great aggravation. It's difficult. It's boring. It seems to consist of a lot of inconvenient and costly requirements.

I believe that these attitudes about HIPAA are due to a failure to educate healthcare professionals about the reasons why HIPAA matters. HIPAA is not about doing all sorts of needless things for their own sake. It is about protecting patients.

A recent article in the Wall Street Journal describes the problem of medical identity theft, a problem that is rising dramatically. I blogged previously about the problem of medical identity theft, and I believe that significant attention must be devoted to this problem. According to the WSJ article: "Unlike in financial identity theft, health identity-theft victims can remain on the hook for payment because there is no health-care equivalent of the Fair Credit Reporting Act, which limits consumers’ monetary losses if someone uses their credit information."

Medical identity theft is on the rise. It affected 2.3 million people in 2014. This chart shows how rapidly it is growing.

Image: Chart

Medical identity theft is quite costly. According to a Ponemon study, "65% of victims reported they spent an average of $13,500 to restore credit, pay health-care providers for fraudulent claims and correct inaccuracies in their health records."

The WSJ article explains why medical identity theft is so prevalent and why it is so damaging:

Thieves use many ways to acquire numbers for Social Security, private insurance, Medicare and Medicaid. Some are stolen in data breaches and sold on the black market. Such data are especially valuable, sometimes selling for about $50 compared with $6 or $7 for a credit-card number, law-enforcement officials estimate. A big reason is that medical-identification information can’t be quickly canceled like credit cards.

Image: Chart

Another aspect of medical identity theft that causes great trouble is that the identity thief can pollute a person's medical records with false data. This can affect a person's treatment, and in some cases, it can be a life-or-death matter. In one case, described in the WSJ article, a woman was falsely listed on the birth certificate of an identity thief's baby. The baby was born addicted to meth, and the identity theft victim was wrongly pursued by child-protective services for a baby she never gave birth to.

This is the human side to HIPAA. For healthcare providers, HIPAA need not be overly complicated or boring or tedious. I believe that good education about HIPAA is key. Healthcare workers must understand HIPAA clearly and concretely, and they must understand why HIPAA has the requirements it does. They must understand the human side of HIPAA. When they do, their attitudes change, HIPAA is not as bad as they believed it to be.

So I propose the following motto for HIPAA: If you care about patients, you should care about their data.

Image: HIPAA slogan

Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School and the founder of TeachPrivacy, a privacy/data security training company. He is the author of 10 books and more than 50 articles.

Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum – Oct. 21-23 in Washington, DC.

Image Credits: Pond5

The preceding is republished on TAP with permission by its author, Professor Daniel Solove. “Why HIPAA Matters: Medical ID Theft and the Human Cost of Health Privacy and Security Incidents” was originally published August 31, 2015 on Professor Solove’s LinkedIn Commentary page. Professor Solove is among LinkedIn’s 150 top influential thought leaders.