Note: This story was originally published on July 24. It was updated on July 29 to reflect changes to Federal Trade Commission policy.
Elena Castro was finishing the paperwork to buy her first home when the bank called to warn her of a problem-- nearly $10,000 in unpaid hospital bills on her credit report. The charges were for several ear, nose and throat procedures done at hospitals in her region.
But they weren’t for her. And, at the time, Castro was an insured medical student. The charges had been quietly festering for several years, the bank told her, eating away at her credit score.
"It was very, very upsetting and overwhelming. We were about to get married and buy our first home," she remembers. Castro soon discovered that a thief had used her personal information to obtain medical care.
Armed with as little as a stolen name, Social Security number and date of birth, an imposter can walk into a doctor’s office or hospital and receive services billed to the victim or the insurance provider.
Although few statistics are available, the Federal Trade Commission reports that medical identity theft accounts for 1.3 percent to 3 percent of all identity theft crime -- about 250,000 cases each year.
The FTC hopes to address a part of the problem with a new regulation called the "Red Flags Rule," The rule would require physicians’ offices and hospitals, among other businesses, to create new protocols to spot the "red flags" of identity theft. These could include detecting fake or altered IDs, inconsistencies in a patient’s medical records or fraud alerts from consumer reporting agencies.
Doctors will not only be required to implement procedures – such as checking a photo ID - that allow them to detect these warning signs effectively but also to spell out what they'll do when they find something fishy. Physicians would likely plan to alert the victim and avoid sending out a bill for services.
But medical provider groups, including the American Medical Association, insist the rule is misguided.
Their reasoning, in part, comes down to the actual language of the law. The statute specifies that all "creditors" – which are defined as businesses that regularly extend or renew credit – are required to implement the new protocols. That includes auto dealers, lawyers, utility companies and, according to the FTC, any physician’s office or hospital that accepts insurance or allows a payment plan.
The AMA and nearly 100 other physicians groups argue in letters to the FTC that while doctors defer payment for services, they are not creditors. One of the letters says the rule imposes an "unjustified, unfunded mandate on physicians" and could have "serious adverse consequences" on patients’ access to health care.
Dr. Ardis Hoven, an AMA board member and infectious disease specialist in Lexington, Ky., believes the rules "add another degree of regulatory burden for physicians and patients to a system that’s already burdened with responsibilities."
Although the AMA recognizes the problem of medical identity theft, Hoven said her worry is that the regulations could "severely impact" a doctor’s administrative work load. She is also concerned about the rule’s effect on patients: "In my practice, patients arrive acutely ill. The last thing I want is my patient to be detained at the check-in desk when they’re having acute medical problems."
Although Elena Castro, now an emergency room doctor, was a victim herself, she worries that it will also make doctors' practices more difficult. "It may be worth it if it prevents situations like mine, but we already do a ton of paperwork," she says.
Betsy Broder, who oversees the FTC’s Red Flags program, says patients shouldn’t notice much of a difference at the doctor’s office. They might be asked to show a photo ID when they arrive, but most of the changes will affect doctors behind the scenes.
She also notes that the extent of the policies a physician would need to put in place depends on the risk of identity theft at each particular office. A small office with a regular patient base, for example, is less likely to confront an imposter than an office that receives many walk-ins.
The ‘red flag’ regulations, which were developed under the Fair and Accurate Credit Transactions Act of 2003, actually went into effect on November 1, 2008. Then it was set to take effect on August 1. But on July 29, the FTC announced that it will "delay enforcement of the Rule until Nov. 1." The agency said this was "to give creditors and financial institutions more time to review this guidance and develop and implement written Identity Theft Prevention Programs."
Once the rule is in effect, penalties will kick in. Creditors - including doctors or hospitals - could be slapped with a $3,500 fine for each "knowing violation" of the rule.
Broder says the FTC will monitor consumer complaints to look for any patterns of theft at a particular office to pursue investigations. But she adds that "at this early stage, we will be looking for good faith efforts at compliance."
Pam Dixon, executive director of the World Privacy Forum, says "the health care sector is where the financial sector was 10 to 15 years ago." As cost and incidence data emerged, officials in the financial sector realized they needed to take action. She believes the new protections are well worth the obligations the rule imposes.
"Ultimately it’s in the providers’ best interest to work on resolving this problem earlier than later," she says, adding that aside from being one of the most expensive forms of identity theft, the medical variety also is one of the most difficult types to remedy because a victim’s medical records can be nearly impossible to clear.
Elena Castro's fraudulent medical records under her social security number still remain in hospital files. And it's taken her years to completely clear her credit report. "It was very frustrating and a waste of my time," she says.
Theresa Fleming, another victim of medical identity theft in which a thief used her social security number to access emergency medical care, says she has called the hospital repeatedly to get her record expunged. "I felt so violated, it just feels so eerie," she says. "After you get this, you get very leery about everything."