For the patient, there are equally negative consequences, such as medical identity theft, financial loss and potential damage to their health. Medical identity theft can result in erroneous entries to the patient's health care records, which can affect the patient's medical and financial records for a long time (Federal Trade Commission, 2003 & 2007). In each medical facility, there is a need for trained professionals who can properly process Release of Information (ROI) requests. These individuals must also be able to make proper disclosures of requested information to first and third parties for the preservation of the integrity of the data and the privacy of the PHI. Moreover, these trained professionals cannot become complacent or corrupt, as this can lead to loss of privacy and security of the PHI (Littleton Police Department, 2004).
The Health Insurance Portability and Accountability Act (HIPAA) was an attempt by Congress in 1996 to reform the health care system. HIPAA applies to health care providers, health plans and health care clearinghouses that utilize EHRs. HIPAA is enforced by the Department of Health and Human Services (DHHS). All facilities are required to use HIPAA as the basis of their action plans regarding the handling of PHI and PII. Parts of several other pieces of legislation also apply, including the E-Government Act; the Electronic Communications Privacy Act (ECPA); the Freedom of Information Act (FOIA) and the Privacy Act.
These laws have been enacted to deal with an increase in crimes related to health care information. Approximately half a million Americans have been victims of a medical identity theft crime. In large part, these crimes have been the result of poor handling of sensitive information by medical clerks, patients and disposal personnel. As a result, patients are increasingly hesitant to request information from their own records. There is reason to believe that some patients harbor a distrust of the entities that are maintaining and protecting their PHI and PII data. One of the causes for this fear is the reality that although victims have enforceable rights, those rights can only be enforced if the error is identified and corrected (Government Accountability Office (GAO), 2005).
Patients are the primary stakeholders with regard to PHI and PII issues. They have the most to lose from improper handling of their sensitive information. From the patient's perspective, the desired outcomes for EHR and ROI handling are integrity, accuracy, timeliness of release, confidentiality, privacy and security. Each of these topics has been the subject of many articles and training manuals. They are the focal point of EHR and ROI training programs and are the most important principles to which health care providers must adhere for the protection of PHI and PII (American Health Information Management Association (AHIMA), 2007).
Many of the issues regarding the mishandling of PHI and PII can be traced to personnel issues. Employees with access to patient health care information occasionally steal the data and are sometimes incompetent or poorly trained. The FBI has been working with the National Health Information Network (NHIN) to stop criminals corrupting the system from the inside (FBI, 1995). Some of the issues can also be addressed at the health care provider side, with improved training programs or better background checks. Yet at present, the problem remains epidemic. There were approximately 20,000 complaints listed with the Federal Trade Commission (FTC) between 1992 and the spring of 2006 regarding medical identity theft. The FTC, however, does not litigate medical issues (FTC, 2007). This means that for patients who have become victims of medical identity theft, the channels for recourse are unclear. This compounds the perceived intensity of the issue among patients.
Unintentional errors are known as "errors and omissions liability" and can include data that has been lost or misplaced. When employees steal data, this is typically considered fraud.
Law enforcement categorizes medical identity fraud into two types: organized crime and individual identity theft.
An example of individual identity theft occurred at the University of Connecticut when a man with HIV utilized his cousin's health insurance information without the cousin's knowledge to receive approximately $76,000 worth of medical care and treatment (University of Connecticut, 2005).
The privacy and security review process identifies the strengths and weaknesses of the existing system of health care information management. Central to the review process is