Last week, the chairmen and ranking members of the Senate Committee on Health, Education, Labor, and Pensions and the Senate Committee on Finance sent a letter to Andy Slavitt, Acting Administrator for the Centers for Medicare & Medicaid Services (“CMS”), and Jocelyn Samuels, Director of the Health and Human Services (“HHS”) Office for Civil Rights (“OCR”), requesting information on how HHS “is working to support and protect victims of medical identity theft” in order to “assess the adequacy of current efforts.”

As background for their questions, the senators cite OCR’s “breach portal” statistics, which indicate that nearly 154 million individuals were affected by 1,367 reported data breaches at healthcare organizations. The senators also express their concern “that data theft will continue to rise and will result in an increase in medical identity theft.”  They explain that medical identity theft can have “serious financial repercussions for victims,” can “lead to adulteration of victims’ medical records,” and can “lead to significant losses for the Medicare Trust Funds and taxpayers.”

The letter also highlights an area of confusion: how the Health Insurance Portability and Accountability Act (“HIPAA”) applies where a thief’s information is comingled with that of his or her victim’s. Citing a report from the Ponemon Institute, the letter notes that “nearly one in five victims of medical identity theft were refused access to their medical records ‘due to laws protecting the privacy of the identity thief.’” The senators posed a series of specific questions, including:

  1. What services does CMS offer to Medicare and Medicaid beneficiaries who suspect they are victims of medical identity theft?
  2. Does HHS track the financial and medical impact of identity theft on victims?
  3. How do OCR and CMS coordinate medical identity theft prevention and mitigation efforts?
  4. What support does HHS provide to federal, state, and local law enforcement officials to aid their response to medical identity theft?
  5. Does HHS believe that HIPAA gives a victim of medical identity theft the right to access his or her health record if it contains a thief’s health information? Has HHS encountered confusion on this matter previously?
  6. Does HHS monitor the effects of data breaches at non-covered entities, such as the Office of Personnel Management, on incidence of medical identity theft?

The senators requested a response by November 24, 2015.