Last week, the chairmen and ranking members of the Senate Committee on Health, Education, Labor, and Pensions and the Senate Committee on Finance sent a letter to Andy Slavitt, Acting Administrator for the Centers for Medicare & Medicaid Services (“CMS”), and Jocelyn Samuels, Director of the Health and Human Services (“HHS”) Office for Civil Rights (“OCR”), requesting information on how HHS “is working to support and protect victims of medical identity theft” in order to “assess the adequacy of current efforts.”

As background for their questions, the senators cite OCR’s “breach portal” statistics, which indicate that nearly 154 million individuals were affected by 1,367 reported data breaches at healthcare organizations. The senators also express their concern “that data theft will continue to rise and will result in an increase in medical identity theft.”  They explain that medical identity theft can have “serious financial repercussions for victims,” can “lead to adulteration of victims’ medical records,” and can “lead to significant losses for the Medicare Trust Funds and taxpayers.”

The letter also highlights an area of confusion: how the Health Insurance Portability and Accountability Act (“HIPAA”) applies where a thief’s information is comingled with that of his or her victim’s. Citing a report from the Ponemon Institute, the letter notes that “nearly one in five victims of medical identity theft were refused access to their medical records ‘due to laws protecting the privacy of the identity thief.’” The senators posed a series of specific questions, including:

  1. What services does CMS offer to Medicare and Medicaid beneficiaries who suspect they are victims of medical identity theft?
  2. Does HHS track the financial and medical impact of identity theft on victims?
  3. How do OCR and CMS coordinate medical identity theft prevention and mitigation efforts?
  4. What support does HHS provide to federal, state, and local law enforcement officials to aid their response to medical identity theft?
  5. Does HHS believe that HIPAA gives a victim of medical identity theft the right to access his or her health record if it contains a thief’s health information? Has HHS encountered confusion on this matter previously?
  6. Does HHS monitor the effects of data breaches at non-covered entities, such as the Office of Personnel Management, on incidence of medical identity theft?

The senators requested a response by November 24, 2015.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Krysten Rosen Moller Krysten Rosen Moller

Krysten Rosen Moller focuses her practice on representing clients in internal investigations, government investigations, and follow-on civil litigation, with an emphasis on serving clients in the life sciences and healthcare industries.

Krysten assists companies with complex internal and government investigations covering a broad…

Krysten Rosen Moller focuses her practice on representing clients in internal investigations, government investigations, and follow-on civil litigation, with an emphasis on serving clients in the life sciences and healthcare industries.

Krysten assists companies with complex internal and government investigations covering a broad range of issues, including fraud and abuse, advertising and promotion, and bribery and corruption. Krysten has particular experience conducting targeted and efficient internal investigations and representing pharmaceutical and medical device companies against investigations from the Department of Justice or other government regulators. Krysten’s complementary litigation practice focuses on defending life sciences and healthcare companies in related litigation, including cases arising under the False Claims Act and other follow-on litigation arising from government investigations.

Krysten also counsels clients on compliance matters. She regularly represents companies negotiating HHS OIG Corporate Integrity Agreements (CIAs) and advises companies on implementing and operating under CIAs. She has also conducted False Claims Act risk assessments and advised on other fraud and abuse issues.