Identity theft is a frequent news topic nowadays. While most horror stories center around banking transactions and credit card fraud, the health care industry isn’t immune from the problem, either. Protecting your patients from identity theft will help instill trust in your practice and show that you take their privacy concerns seriously. It’s an important part of doing business in this day and age.

How does medical identity theft occur?

The Federal Trade Commission (FTC) says medical identity theft occurs most frequently when an individual uses another person’s insurance information to obtain and/or pay for medical treatment, prescription drugs or surgery. Alternatively, employees in a medical practice might submit false claims using a patient’s information in order to receive payment. Identity theft is a concern not just for patients but for health care providers and insurers, as well, especially in an era where HIPAA privacy protections are so rigidly enforced.

How does a patient know when they have been the victim of medical identity theft? Some of the telltale signs include:

  • Bills for medical services or procedures they did not receive
  • Contact by a collection agency for payment of medical debt they do not owe
  • Unfamiliar office visits or procedures on their explanation of benefits (EOB)
  • Maxing out on insurance benefits
  • Denial for insurance due to a nonexistent condition

Patients who experience one or more of these things should contact their insurance provider immediately, as well as your practice. Once you receive a complaint of possible medical identity theft, there are steps you should take to help resolve the issue and ensure no further breaches of security occur.

What should my practice do to help a victim of medical identity theft?

Once you have been notified by a patient about possible medical identity theft, you should take steps right away to help combat the problem.

First off, launch an investigation. This begins with a review of your patient’s records in order to determine whether they have, in fact, been billed erroneously for services never received. If the information is substantiated, notify all parties with access to the patient’s medical or billing records, and ask those responsible to correct the inconsistencies. If your investigation reveals that the theft originated in your practice, consult the HIPAA Breach Notification Rule (45 CFR part 164 subpart D) to determine whether a breach occurred, and provide any notifications that are required. Finally, conduct a thorough review of your practice’s security protocol, even if your clinic is not responsible. Experts recommend periodic reviews of your security measures in order to minimize the risk of a future breach.

There is no 100 percent surefire way to prevent medical identity theft from occurring. But careful scrutiny of your practice’s security policies, stringent employee screening and training, and providing educational materials for your patients – the FTC’s Medical Identity Theft brochure is an excellent informational guide – will go a long way toward minimizing your risk and keeping your patients’ information safe.


Leave a Reply

Your email address will not be published. Required fields are marked *


The Association of Otolaryngology Administrators has more than 1 thousand members and continues to be the leader in otolaryngology practice management. AOA serves their membership through successful resources and services offered while striving to keep pace with future opportunities.

Related Articles