Last month, the Federal Trade Commission’s Bureau of Consumer Protection posted FAQs on its website to guide health care providers and health plans when their patients and subscribers are affected by medical identity theft. 

When most people hear about an identity theft or a data breach, they typically think about credit card data or Social Security numbers being stolen and used by unauthorized parties, and the damage to one’s credit rating that sometimes follows. However, as reported by Businessweek, medical identity theft is one of the fastest growing types of identity theft. According to the article, the number of incidents of medical identity theft was approximately 275,000 in 2009; double the number in 2008. As the country implements the new health care reform law, assuming it gets past some significant obstacles, there likely will be periods of confusion and transition that may create the perfect conditions for even higher levels of medical identity theft.

The FTC’s FAQs point out that health care providers and health plans may have some obligations when they learn about medical identity theft affecting their patients or subscribers. For example, depending on the circumstances, the provider or plan may have to revisit its privacy and security policies and procedures under HIPAA and other federal and state laws. The theft also may have resulted from a data breach that requires the provider or plan to notify other affected persons. Providers and plans also need to be prepared to help victims get the information they need and exercise their rights under HIPAA and other laws to help mitigate the adverse effects of this unfortunate crime.

Providers and plans should be taking steps to be prepared to address medical identify theft situations.