Ohio's "Aggressive" Attack on Medical Identity Theft

Article excerpt

  I. INTRODUCTION
 II. DATA BREACH, IDENTITY THEFT, AND MEDICAL IDENTITY
     THEFT
     A. Data Breach
     B. Identity Theft
     C. Medical Identity Theft
III. FEDERAL LEGISLATION TO PREVENT MEDICAL IDENTITY
     THEFT
     A. HIPAA
     B. The HITECH Act A mends HIPAA
     C. Federal Preemption of State Laws
 IV. OHIO'S DATA BREACH LAW DOES NOT COVER HIPAA
     COVERED ENTITLES
  V. OHIO SHOULD AMEND ITS DATA BREACH NOTIFICATION
     LAW
     A. Ohio's Data Breach Notification Law Should
        Apply to HIPAA Covered Entities
     B. Ohio's Data Breach Notification Law Should Have an
        Acquisition-Based Trigger
     C. Ohio's Data Breach Notification Law Should Require
        Healthcare Providers to Destroy or Encrypt Discarded
        Medical Records
     D. Ohio's Data Breach Notification Law Should Be
        Amended to Give Residents a Method of Recovering
        Monetary Awards Against Covered Entities That
        Violate Ohio's Law
 VI. CONCLUSION

I. INTRODUCTION

We all think we are the foremost authority when it comes to our personal health. We are consciously selective in what we tell our doctors, we confidently use WedMD.com to self-diagnose illnesses, and we even think we are savvy enough to make the medical determination of whether we should receive a flu shot each fall. We feel assured knowing that no one knows or can alter our medical identity without our consent or at least our knowledge. But what if someone can?

In 2009, Brandon Sharp, a 37-year-old manager at an oil and gas company in Houston, Texas, (1) was creating his version of the American dream. He was about to get married, buy his first home, and was in perfect physical condition. (2) Before applying for a mortgage, Mr. Sharp requested a copy of his credit report. (3) Much to his chagrin, his credit report revealed several collection notices under his name for emergency room visits throughout the country and a $19,000 bill for a life flight service. (4)

Mr. Sharp, like an increasing number of Americans, had fallen victim to a crime known as medical identity theft. The crime, defined as the theft or unauthorized use of another's personal information to obtain medical goods and services, (5) is dangerous because it alters the victim's medical identity without the victim's knowledge and may never be detected. (6) Additionally, because there is no national centralized repository for medical records, every time a thief uses the victim's medical identity, a record is created that could be easily mistaken for the victim's medical record. (7)

This note explains the severity of medical identity theft and the state and federal legislative reactions to the problem. Specifically, the note discusses data breach notification statutes that require healthcare providers to notify consumers when the systems holding customer personal information are breached. (8) The note concludes that Ohio's data breach notification statute, which does not expressly cover healthcare providers, (9) should be amended to protect residents from medical identity theft and provide redress when healthcare providers (10) violate state law.

Section II of this note describes the nationwide problem of medical identity theft. It begins with an overview of data breach and general identity theft. The section then explains the difference between general identity theft and medical identity theft, and why the latter is more harmful to the victim.

Section III illustrates the federal legislative response to data breaches in the healthcare industry. The section also explains how all healthcare providers are subject to the requirements of the Health Insurance Portability and Accountability Act of 1996 (hereinafter "HIPAA"). The section explains the Act's 2009 amendments, known as the Health Information Technology for Economic and Clinical Act. Lastly, the third section illustrates the interaction between state and federal law, and how federal legislation allows for state regulations regarding data breaches. …