American Gastroenterological Association - Advancing the Science and Practice of Gastroenterology

Red Flag or Not: What You Should Do to Respond to Identity Theft

Though it appears that medical practices have been excluded from the red flag requirements for preventing and responding to identity theft, medical identity theft is still a problem that impacts practices, and should be taken seriously. The following information has been published by The Federal Trade Commission (FTC), the nation’s consumer protection agency, to assist patients and medical practices in this area:

How would people know if they are victims of medical identity theft? They could be billed for medical services they did not receive, contacted by a debt collector about a medical debt they do not owe, see medical collection notices on their credit report that they do not recognize, be told by their health plan that they have reached their limit on benefits, or be denied insurance because their medical records show a condition they do not have.

What should health-care providers and insurers do if they learn that a patient may be the victim of medical identity theft? They should conduct an investigation, understand their obligations under the Fair Credit Reporting Act, review their data security practices and provide any necessary notifications that a data breach has occurred.

What should health-care providers and insurers tell a patient who is the victim of medical identity theft?

• Advise victims to take advantage of their rights under the HIPAA privacy rule.
• Encourage victims or potential victims to notify their health plans.
• Tell victims to file a complaint with the FTC at www.ftccomplaintassistant.gov or by phone at 877-438-4338 (TTY: 866-653-4261) and to read the information at www.ftc.gov/idtheft.
• Encourage victims to file a report with local police and send copies of the report to their health plan’s fraud department, their health-care provider(s) and the three nationwide credit reporting companies — Equifax, Experian and TransUnion. Information on how to file a police report and reach the credit reporting companies is at www.ftc.gov/idtheft/consumers/defend.html.
• Encourage patients to look for signs of other misuses of their personal information by reviewing their credit reports. The law requires each of the three major nationwide credit reporting companies to give people a free copy of their credit report each year if they ask for it at www.AnnualCreditReport.com or 877-322-8228. If they find inaccurate or fraudulent information, they can visit www.ftc.gov/idtheft to learn how to get it corrected or removed.

How can health-care providers and insurers help patients deter, detect and defend against medical identity theft? They can order copies of the FTC’s consumer brochure, Medical Identity Theft, in English or Spanish, and make them available to patients. Bulk copies are available at http://bulkorder.ftc.gov. Health-care providers and insurers can link to it, copy it or adapt it for their websites or newsletters.