Completing the third and final phase of a $450,000 study funded by the Office of the National Coordinator for Health IT (ONC), on January 15, 2009, security and defense contractor Booz Allen Hamilton released a 26-page report containing recommendations for a national policy on medical identity theft.  

While providers and other holders of patient data are instrumental in reducing the risk of such theft, the report notes that the federal government must take a leadership role as well. Medical identity theft, which has become increasingly widespread, poses serious financial risks to those affected and can also be injurious to patient health because inaccurate information can become part of one's medical records.  

The report, which defines medical identity theft as the misuse of one person's personal information (e.g., the name, date of birth, Social Security number, and/or insurance policy number) to obtain or bill for medical goods or services, centers around three overarching elements related to the problem: prevention, detection, and remediation.  

Themes that emerged throughout the study include: the consumer should be the key focus in addressing these elements; although there has been an increased awareness of medical identity theft, there is limited knowledge about its scope; and health IT has a role in addressing the problem. These themes are similar to the steps recommended by the FTC in its Red Flags Rule, relating to identity theft prevention programs generally.  

According to the report, most stakeholders agree there is a great need for leadership at the federal level, driving a standardized and coordinated approach to prevention, detection, and victim recovery. Industry participants feel that government should take the initiative to ensure that medical identity theft is taken into consideration as part of the broader interoperability, privacy, and security initiatives associated with the interchange and protection of personal health data. Research and stakeholder input indicated agreement across the health care community that the prevention and detection of medical identity theft needs to be built into and considered as an integral part of health IT activities, now and in the future.  

The report sets forth as its broad conclusion that "layering prevention, detection, and remediation methods for medical identity theft on top of ongoing health information exchange privacy and security initiatives could provide a scalable and cost-effective set of potential actions." It emphasizes, however, that understanding of medical identity theft is still in its early phases, and that more detailed actions and recommendations will evolve as more is learned.

The first phase of the medical identity theft study, which was commissioned in May 2008, consisted of the development of an "environmental scan," a research paper that detailed the scope of the problem by setting forth existing knowledge, policies, and practices addressing the issue. The scan, which was released on October 15, 2008, was designed to inform stakeholders about what medical identity theft is and explain its impact on the health care system.  

On the day the environmental scan was released, a public “Town Hall” meeting was held to facilitate a discussion with stakeholders regarding the issue and the role of health IT in combating it. This second phase of the identity theft study consisted of four panel discussions, which focused on current understanding and scope of the issue of medical identity theft; possible methods of examining the issues of prevention, detection and remediation of medical identity theft; the role of health IT; and potential actions to address the issue. This report incorporated the previous elements to conclude the three phases.