
February 11, 2008

In Oct. 2006, CBS's Early Show told the harrowing story of Anndorie Sachs, a 28-year-old
mother from Salt Lake City who nearly had her four children taken away from her after her
newborn baby tested positive for illegal drugs.
The problem was Sachs hadn't delivered a baby in 2 years.
It turned out a woman by the name of Dorothy Moran stole Sachs' license, walked into the
hospital high on methamphetamine, delivered a baby and then left--the hospital, the baby and
Sachs with a $10,000 bill.
That's just one of the hundreds of medical identity theft stories that broke out after Pam Dixon,
executive director of the World Privacy Forum, published her ground-breaking 56-page report,
"Medical Identity Theft: The Information Crime That Can Kill You," in 2006.
The report not only proved medical identity theft existed, it found the number of Americans
identifying themselves as victims had tripled in just 4 years, to more than a quarter-million in
2005.
So where did this new crime come from? It's likely the crime existed in some capacity for
years, Dixon said, but blame the digitization of medical records for allowing the crime to reach
new and greater proportions only recently. While it would have been nearly impossible for a
criminal to walk out of a hospital with a stack of 1,000 paper files between their arms, criminals
can now easily download 1,000 names onto a jump drive and slip it into their pocket.
"It's a growing problem. It's taken us almost 2 years to find out the answer to that one
question," Dixon said. "We'll go through a period where it looks like it's growing simply as people
become more aware it's going on, but that's happening in concurrence with the fact that we are
getting more cases."

How It's Different

Medical identity theft, like financial identity theft, occurs when a criminal uses a victim's personal
information (name, social security number, driver's license) to go on a shopping spree; only
instead of a mall, they'd go to a hospital, racking up thousands of dollars in surgeries, treatment
or prescription drugs.
What makes medical identity theft distinctly more harmful than its financial counterpart is that
the damages stretch far beyond monetary loss: often, the criminal's blood type, allergies,
medication or diseases can become entrenched in the victim's medical record, creating
potentially deadly results. Sachs had a blood-clotting disorder, for example, that would prove
fatal if the other woman's blood type was used.
When victims set out to untangle the mess, the story somehow gets worse. Because HIPAA
denies people the legal right to correct medical information in a record that's essentially not
theirs, victims get stuck in a Catch-22 that's enough to drive them insane: the patient is denied
the right to correct, or even see their own medical record precisely because it contains the
private health information of someone else, even though that someone else is the criminal.
"We're looking at a new crime set up in an old system not built to look at this crime," Dixon said.
"HIPAA doesn't translate well to the digital world. The victim will go to the provider and say: 'This
file has information not made by me!' [and] the institution then responds by saying: 'We can't
give you a file if it's not about you.'"
Without the ability to get the damaging information removed, victims may suffer further damage,
such as the inability to pass pre-employment exams, bankruptcy because of bad credit and
insurance denials because of diseases on their records that aren't theirs, Dixon's report found.
HIM professionals--here's where you come in. Because the crime's core harm is damage done
to victims' medical records, experts like Dixon aren't turning to lawyers or government officials,
but HIM professionals to find solutions and help victims recover.
"You are the professionals trained to handle the complexities of the health care
records," Dixon said at the American Health Information Management Association (AHIMA)
conference in Philadelphia last October. "You are in the unenviable position of being on the front
line when a patient figures out something is wrong with a record."

No Help for Victims


After Dixon published her report in 2006, the phones rang off the hook, she said, "and there
were some really disturbing commonalities between the victims."
Victims most strikingly reported being caught in a maze of blame-shifting with no laws, no
government agency and truly no one at all to get them out.
Take this for comparison: have you ever had your wallet stolen? Ever had to cancel a credit
card? Aside from a headache, you probably didn't suffer much damage thanks to a law that
limits your liability to fraudulent charges--the Fair Credit Reporting Act (FCRA) and its recent
update, the Fair and Accurate Credit Transactions Act (FACTA).
The problem is, there is absolutely no law that's equivalent to this in the medical world. Victims
get bounced from the institution to the bill collector, with no one knowing what course of action
to take or who should soak up the monetary responsibility.
"Victims want to hire an attorney, but it shouldn't have to go there," Dixon said. "It should be a
simple matter to have the provider say, 'OK what problems are you having, how can we help
you, and here's what you need to do.' That just doesn't exist."
That's exactly why one of Dixon's first responses is to establish a national-level set of
procedures to standardize how providers and insurers handle medical identity theft and offer
victims a clear and effective pathway of recourse. "We are where financial identity theft was 15
years ago," she said. "We have some really basic things to get done."
Dixon is calling on HIM professionals and AHIMA specifically to gather all of the key
stakeholders together, from the health information, financial, insurance, public health and
privacy sectors, to come to a consensus agreement on how to respond to the day-to-day issues
of the crime. "It's better to do it with the experts than to let it be done to you by legislation," she
said. "Even the best legislation is a compromise."
Dixon offers many recommendations on what types of rights patients should receive in her
report www.worldprivacyforum.org/pdf/wpf_medicalidtheft2006.pdf, including that patients have
the right to receive one free copy of their medical file to spot changes and the right to be notified
of any medical data breaches (stolen laptops, break-ins, etc).
Some states have already taken action. On Jan. 1, California's data breach law was amended to
encompass medical information, a suggestion made by California Assembly member Dave
Jones in direct response to Dixon's report.
"I'm really pleased we have that because it's a really fabulous protection," Dixon said.
"Especially in the commercial personal health record (PHR) world with Microsoft and companies
outside the health care sector who are not covered by HIPAA handling health care files, this is a
really good law to protect consumers."
Dixon is hopeful that this law will filter across the country. Delaware and Arkansas have added
medical information to their data breach law and Florida and Nevada are considering similar
laws. "That's always a good sign, but where it will take the longest is the federal level and that's
where we need it the fastest," Dixon said.

Red Flag Alerts

To help with early detection of the crime Dixon suggests adopting red flag alerts, an idea taken
from the financial sector where, if a patient tells a provider his or her ID had been stolen, the
patient's medical record is flagged to keep employees on alert for fraudulent activity.
"Software already allows for flagging of health care files, for example when two people with the
same last name are on the same floor," she said, "so there is no reason the health care sector
cannot, on its own, create red flag guidelines."
This is one example where the digital age can be part of the solution. Dixon urges HIM
professionals to join Health and Human Services (HHS) Healthcare Information Technology
Standards Panel (HITSP) to make sure technology standards are created to incorporate the
reality of medical identity theft. "HITSP is open to everyone," Dixon said. "There should be as
many HIM people on that as possible."

Jane Doe Extractions

That's just about where borrowing from the financial sector ends, primarily because of reasons
only HIM professionals truly understand. "In the financial sector you can truncate, you can't
truncate someone's health care file and think that's going to be OK," Dixon said. "A lot of people
ask, why can't you just delete it if it's bad?"
Not having to explain is exactly the reason Dixon has turned to HIM professionals for help.
To allow victims the ability to erase fraudulent information from their file and still satisfy the
complex rules of the medical record, Dixon proposes using the Jane Doe file extraction method.
With this, a victim's file is purged of all fraudulent information and the Jane Doe file containing
the criminal's info is held separately to retrace or cross-reference. "It's an elegant solution," she
said. "You satisfy attorneys who want cross-references, you satisfy victims because the
fraudulent info isn't in file to harm them, and you satisfy HIM professionals who want a clean
audit trail."
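
One way to model the Jane Doe extraction described above, as an added Python example that is not taken from Dixon's report or from any records system. The `Chart` class, field names, identifiers and the hash-chained audit log are assumptions made for illustration, and the sample chart is constructed.

```python
import hashlib
import json
from dataclasses import dataclass, field

@dataclass
class Chart:
    chart_id: str
    entries: list = field(default_factory=list)  # clinical entries, each a dict with an "id"
    xrefs: list = field(default_factory=list)    # pointers to other charts, no clinical data

def _digest(record):
    body = {k: v for k, v in record.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def extract_jane_doe(victim, disputed_ids, audit_log, actor, case_ref):
    """Move disputed entries from the victim's chart into a separate Jane Doe chart."""
    disputed = set(disputed_ids)
    missing = disputed - {e["id"] for e in victim.entries}
    if missing:  # refuse a partial extraction: the audit record must match what moved
        raise ValueError(f"not in chart {victim.chart_id}: {sorted(missing)}")
    jane = Chart(chart_id=f"JANE-DOE-{case_ref}")
    jane.entries = [e for e in victim.entries if e["id"] in disputed]
    victim.entries = [e for e in victim.entries if e["id"] not in disputed]
    # Cross-reference both ways by chart id only, so nothing is deleted or lost.
    victim.xrefs.append({"case": case_ref, "see": jane.chart_id})
    jane.xrefs.append({"case": case_ref, "extracted_from": victim.chart_id})
    # Append-only audit record, chained to the previous one by hash (an assumption).
    record = {"actor": actor, "case": case_ref, "from": victim.chart_id,
              "to": jane.chart_id, "moved": sorted(disputed),
              "prev": audit_log[-1]["digest"] if audit_log else "0" * 64}
    record["digest"] = _digest(record)
    audit_log.append(record)
    return jane

def audit_chain_intact(audit_log):
    """True if every record's digest and back-link still match its contents."""
    prev = "0" * 64
    for record in audit_log:
        if record["prev"] != prev or record["digest"] != _digest(record):
            return False
        prev = record["digest"]
    return True

# Constructed sample chart: entries e2 and e3 were created by the impostor.
chart = Chart("MRN-0001", [
    {"id": "e1", "date": "2004-03-02", "note": "annual physical"},
    {"id": "e2", "date": "2006-04-10", "note": "labor and delivery admission"},
    {"id": "e3", "date": "2006-04-10", "note": "newborn toxicology screen positive"},
])
log = []
jane_doe = extract_jane_doe(chart, ["e2", "e3"], log, actor="him-analyst-7", case_ref="2006-014")
```

The victim's chart keeps only a pointer to the Jane Doe chart, so clinicians never see the impostor's clinical data, while anyone with access to both can retrace the extraction through the cross-references and the audit log.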
The act of picking through a patient's file and separating who's who is something only HIM
professionals are qualified to do, Dixon said. And, since you'll likely be on the front line when a
victim discovers fraud, Dixon is calling on HIM professionals to give victims something they don't
have: a voice.
Because the crime touches so many things--insurance, accounting, bill collectors, required
public reporting, law enforcement and the health care file--Dixon suggests that every hospital
assign a "patient advocate" to help victims navigate the complex laws, coordinate all the experts
involved, and shuttle information from them to the victim. "This should be a person with really
good people skills, not a lawyer who might intimidate them," Dixon said. "HIM professionals
either need to do this or coordinate how this is set up."

From the Inside Out

Hospitals working on their own solutions absolutely have to focus on the right approach, or they
may end up making the crime worse, Dixon said. And that means confronting a grim reality.
Medical identity theft, it turns out, isn't committed most often by criminals posing as other
patients. It is primarily an insider crime deeply entrenched in the health care system. It can be
committed by doctors, hospital employees or highly sophisticated crime rings, Dixon's report
found.
These "criminals" often start as good-natured health care professionals, who are at some point
lured over to the wrong side by outside criminals or organized crime rings, Dixon said. Criminals
may pay doctors to prescribe them expensive drugs to sell on the black market or, as in the
2006 Cleveland Clinic case, convince someone as non-threatening as the 22-year-old front desk
clerk named Isis Machado to sell them the private information of 1,100 patients to fraudulently
bill Medicare for $2.5 million.
This nuance is crucial because solutions made without the insider threat scenario in mind might
actually make the crime easier for the criminals to commit. Hospitals, for example, planning to
scan patients' driver's licenses or insurance cards to deter a criminal from posing as someone
else are in fact offering "the most fabulous way of stealing a person's ID fully," Dixon said. "The
more you collect on a patient, the more you allow an insider to steal it."
The scanning, screening and monitoring should instead be turned toward the counter, on
hospital employees, using things like browser controls and software audit trails, regulating how
much can be downloaded and paying real attention to who's looking at what, Dixon said. Risk
assessments should also be expanded to
