How ObamaCare hurts Americans in fight against medical identity theft

Patient identity mix-ups can be disastrous, according to both common sense and statistics.

A new report by the ECRI Institute, a nonprofit dedicated to improving patient care, revealed more than 7,600 cases of “wrong-patient” errors over a two-and-a-half-year period.

In one instance, a patient died while undergoing cardiac arrest because the medical providers thought he had a do-not-resuscitate order. Another died after having the wrong surgery.

The study focused on mistakes made by healthcare providers, but there’s another way you can be hurt by having the wrong information in your file: medical identity theft. And regulations intended to protect consumers in other areas of identity theft are actually part of this problem.

{mosads}After a healthcare data breach, if someone uses stolen information to fraudulently receive care in your name, your lifetime medical records become contaminated with incorrect information. That can later lead to a misdiagnosis based on a condition you don’t have, a prescription mistake with a medication to which you’re allergic, and other dangerous or inappropriate medical treatment.

Virtually all data breaches put consumers at risk for some version of identity theft, which can lead to bank account fraud, credit card fraud, tax fraud and other financial impacts. But breaches involving medical identity information can truly put your life or health at risk.

For six years, my company has been sponsoring a study with the Ponemon Institute, the nation’s leading information security research organization. Over that time, we’ve seen continued growth in the number and severity of data breaches hitting the healthcare industry.

In our most recent survey, fully 89 percent of healthcare organizations reported at least one data breach in the previous 24 months. Many of these incidents were small, but collectively they add up to tens of millions of Americans at risk each year.

What used to be a problem of negligence has evolved into something far more sinister. Half of reported healthcare breaches can now be traced to criminal hacking attacks. This is information not lost, but rather stolen with a purpose.

Healthcare organizations know they’re vulnerable, particularly the insurers.

The Medical Identity Fraud Alliance recently did an informal survey of health plans. They found health plans have an average of just one fraud investigator for every 192,000 plan members. These plans reported spending a total of 52 cents per year per member fighting fraud.

The health insurance industry executives I talk to are deep into initiatives to develop lasting, trusted relationships with consumers. The last thing they want is to end up on the nightly news for losing the information they’re supposed to protect.

But these same executives also say their hands are tied by the Affordable Care Act requirement that they spend at least 80 or 85 percent of customer premiums on claims or quality improvement initiatives. If they come in below that amount, they must issue rebates to their enrollees.

Overall, this seems like a reasonable requirement. The problem is that security measures to protect data or fight fraud are considered administrative expenses and not quality of care improvements. Insurers are effectively barred from spending beyond a certain amount on protections for their customers’ medical identities, protections that could potentially save their lives.

Health plans should not be penalized for spending money to protect their customers. Annually, data breaches cost the healthcare industry more than $6 billion. It sounds counterintuitive, but by allowing the insurers to spend more in this area, we could reduce costs for everyone in the system.

Congress should make the technical correction to the current “Medical Loss Ratio” formula to clarify that detecting and preventing medical identity fraud is part of providing health quality improvements.

The Medical Loss Ratio rules come from a good place. They were intended to improve transparency and ensure customers got the full value of their premium dollars.

Unfortunately, in this one small but important way, they’re hurting the very people they’re intended to protect.

Gregg is CEO of ID Experts, which helps companies and consumers recover from data breaches and identity fraud.

The views expressed by contributors are their own and not the views of The Hill.