
But Doctor, I Still Have Both Feet! Remedial Problems Faced by Victims of Medical Identity Theft

Published online by Cambridge University Press:  06 January 2021

Katherine M. Sullivan*
Affiliation:
Boston University School of Law; Georgetown University

Extract

When Lind Weaver started receiving collections demands for a foot amputation she never had, she assumed it was a clerical error. Unfortunately, the operation had been performed on someone pretending to be Weaver, causing Weaver's medical history to become entangled with the thief's. Media reports about identity theft show that Weaver's experience is far from unique. For example, a Chicago man was arrested after using his friend's identity to obtain $350,000 worth of cardiovascular surgery at a local hospital. Hackers broke into the medical records of thousands of University of California students. A staff member left a laptop containing records of patients of a local AIDS clinic on Boston public transportation.

Type: Article

Copyright © American Society of Law, Medicine and Ethics and Boston University 2009


References

1 See Joseph Menn, ID Theft Infects Medical Records, L.A. Times, Sept. 25, 2006, at 1.

2 Id. Aside from the amputation, Weaver's records were altered to include an erroneous diagnosis of diabetes that Weaver only learned of after an emergency admission. Id.

3 See Joel Hood & Stacy St. Clair, Man Stole Pal's Identity to Pay for Bypass Surgery, Police Say, CHI. TRIB., Aug. 22, 2008, at 1.

4 See Henry K. Lee, Hackers Tap Thousands of Students’ Key Records, S.F. CHRON., May 9, 2009, at B1 (discussing overseas hackers’ intentional breach of the University of California at Berkeley's student health center database which contained 97,000 Social Security numbers and additional health insurance information).

5 See Elizabeth Cooney, HIV Patients Sue After Records Lost: Hospital Worker Left Files on the MBTA, BOSTON GLOBE, May 21, 2009, at 15 (describing accidental breach that exposed the names and Social Security numbers of sixty-six patients).

6 The cause, size and consequences of data breaches can vary widely. Compare Rich Shapiro, Stolen Hospital Records Sold to ID Thieves, N.Y. Daily News, Apr. 13, 2008, at 4 (theft and sale of almost 50,000 patient records by hospital worker to third parties) with Liz Austin Peterson, County Hospital Patient Data Missing; Employee Put Info of 1,200 People on Device and Now Cannot Find It, Hous. Chron., Aug. 7, 2008, at B1 (loss or theft of data storage device containing protected health information of 1,200 patients).

7 See Seth Stevenson, Credit Crunch, Slate, Apr. 6, 2009, http://www.slate.com/id/2215447/ (discussing new Federal Trade Commission advertising campaign designed to compete with freecreditreport.com); Nancy Trejos, Identity Theft Gets Personal; When a Debit Card Number is Stolen, America's New Crime Wave Hits Home, Wash. Post, Jan. 13, 2008, at F01 (giving tips for consumers to prevent identity theft); Federal Trade Commission, Fighting Back Against Identity Theft, http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/index.html (last visited Sept. 27, 2009); Walecia Konrad, Tips for Avoiding, or Recovering From, Insurance ID Theft, N.Y. Times, June 13, 2009, at B6.

8 See U.S. Dep't of Health & Human Servs., Office of the Nat’l Coordinator of Health Info. Tech., Medical Identity Theft Final Report 1 (2009) [hereinafter 2009 HHS Report] (defining medical identity theft as “the misuse of an individual's personally identifiable information … to obtain or bill for medical services or medical goods.”).

9 See Fed. Trade Comm’n, 2006 Identity Theft Survey Report 21 (2007) (three percent of identity theft victims surveyed reported that the thief obtained medical services using the stolen information). An additional three percent of victims reported the misuse of existing medical insurance related to identity theft. Id. at 17. The independence of the two data sets is not clear from the report.

10 Data on the number of victims of medical identity theft are generally underestimates because the FTC generally does not analyze medical identity theft as a separate category of identity theft. See 2009 HHS Report at 6.

11 See Identity Theft Res. Ctr., Identity Theft: The Aftermath 2008 13 (2009), available at http://www.idtheftcenter.org/artman2/uploads/1/Aftermath_2008_20090520.pdf.

12 See R. Bradley McMahon, Note, After Billions Spent To Comply with HIPAA and GLBA Privacy Provisions, Why Is Identity Theft the Most Prevalent Crime in America?, 49 Vill. L. Rev. 625, 628 (2004).

13 Further, poor information systems management on the part of health care providers exacerbates the threat to health care consumers. For example, a recent study of peer-to-peer (“P2P”) network data discovered personally identifiable health information for tens of thousands of patients that had been inadvertently shared by computer users on health care provider networks. See M. Eric Johnson, Data Hemorrhages in the Health-Sector, Fin. Cryptography & Data Security (forthcoming 2009).

14 See AHIMA e-HIM Work Group on Medical Identity Theft, Mitigating Medical Identity Theft, 79 J. AHIMA 63, 63 (2008) [hereinafter 2008 AHIMA Report]; see also U.S. Dep't of Justice, Nat’l Drug Intelligence Ctr., Intelligence Bulletin: Methamphetamine-Related Identity Theft (2007) (citing growing trend of methamphetamine abusers using stolen medical identities to obtain medical treatment for methamphetamine-related illnesses and addiction).

15 Health Insurance Portability and Accountability Act, Pub. L. No. 104-191, 110 Stat. 1936 (1996).

16 2008 AHIMA Report, supra note 14.

17 Pam Dixon, World Privacy Forum, Medical Identity Theft: The Information Crime That Can Kill You 17 (2006).

18 “Social engineering” refers to the manipulation of people into disclosing confidential information by gaining their trust.

19 See 2009 HHS Report, supra note 8, at 16. Potential harm to an individual identity thief seems unlikely to outweigh the enormous benefit of receiving free health care or the harm from not receiving said care.

20 See Alexandra Zavis, Cedars Reveals Identity Theft: Former Employee in Workers’ Compensation Unit is Accused of Using Patients’ Records to File False Insurance Claims, L.A. Times, Dec. 30, 2008, at B1 (describing scheme that netted perpetrator, a former hospital employee, at least $69,000).

21 See, e.g., Press Release, U.S. Dep't of Justice, Two Defendants Sentenced in Health Care Fraud, HIPAA, & Identity Theft Conspiracy (May 3, 2007) (describing conspiracy between Isis Machado, an office coordinator at the Cleveland Clinic, and Fernando Ferrer, Jr., Machado's cousin. Machado wrongfully accessed and downloaded the personal identification information of more than 1,100 patients and then sold the information to Ferrer, who used the patient information to submit over $2.5 million in false claims to Medicare. Machado pled guilty to conspiracy, and Ferrer was convicted on eight counts, including a substantive count of violation of HIPAA for the wrongful disclosure of personally identifiable health information.).

22 See 2009 HHS Report, supra note 8, at 3.

23 See Laura J. Merisalo, Medical Identity Theft: Patient Access First in Line to Manage the Nation's Fastest Growing Crime, Healthcare Registration June 2008, 1, 1 (“when medical identity theft is perpetrated by sophisticated criminals … [it is often] the first step in a larger scheme to commit health care fraud for financial gain.”).

24 See Victoria E. Knight, Escalating Health-Care Costs Fuel Medical Identity Theft – Patients Are Told to Guard ID Cards Like Other Plastic, Wall St. J., Oct. 11, 2007, at D3; see also Michelle Andrews, Medical Identity Theft Turns Patients Into Victims, U.S. News & World Rep., Feb. 29, 2008, http://health.usnews.com/articles/health/living-wellusn/2008/02/29/medical-identity-theft-turns-patients-into-victims.html (quoting Dixon that more than 90% of patient identity thefts are being committed by healthcare system employees).

25 See, e.g., John Markoff, F.B.I. Looks Into a Threat to Reveal Patient Data, N.Y. Times, Nov. 7, 2008, at B3 (describing extortion threat against Express Scripts, a pharmacy benefits management company, after a data breach).

26 See 2008 AHIMA Report, supra note 14.

27 See id.

28 This hazard is what distinguishes medical identity theft from other forms of identity theft. See 2009 HHS Report, supra note 8, at 5.

29 See id. at 3; Peter A. Winn, Confidentiality in Cyberspace: The HIPAA Privacy Rules and the Common Law, 33 Rutgers L.J. 617, 621 (2002). The current legislative push for electronic medical records (“EMRs”) may exacerbate the impact of medical identity theft on a victim's medical records by causing all of a victim's medical records to be altered simultaneously. On the other hand, interoperable EMRs theoretically would be easier to correct than paper records held by various parties in disparate locations.

30 See Merisalo, supra note 23, at 2 (inaccuracies in a victim's medical records due to identity theft could result in medical error).

31 See Winn, supra note 29, at 621.

32 See Knight, supra note 24, at D3.

33 See Winn, supra note 29, at 621 (discussing social shunning for diseases such as HIV and cancer).

34 See Dixon, supra note 17, at 8.

35 Merisalo, supra note 23, at 2.

36 See Sen. James M. Jeffords, Confidentiality of Medical Information: Protecting Privacy in an Electronic Age, 30 Prof’l Psychol.: Research & Practice 115, 115 (1999).

37 See Linda Foley, Identity Theft Res. Ctr., Testimony at Medical Identity Theft Town Hall, Office of the National Coordinator for Health Information Technology, U.S. Department of Health and Human Services (Oct. 15, 2008) (citing assertion by unnamed Blue Cross investigations agent). More than a dozen different organizations, and numerous individuals within each organization, may handle a patient's medical records. See Nat’l Research Council, For the Record: Protecting Electronic Health Information 73 (1997).

38 See Foley, supra note 37.

39 See Charity Scott, Is Too Much Privacy Bad for Your Health? An Introduction to the Law, Ethics, and HIPAA Rule on Medical Privacy, 17 Ga. St. U. L. Rev. 481, 484 (2000).

40 Winn, supra note 29, at 625-26 (discussing the number of parties to whom private health information is disclosed).

41 Id. at 632.

42 Id. at 637.

43 A comprehensive treatment of the reasons for these differences is beyond the scope of this analysis. One extremely basic explanation for the relative efficiency of financial processing is that the credit industry has a financial incentive for developing systems capable of moving data efficiently: the convenience of rapid credit processing allows consumers to make greater use of credit products. The healthcare industry has traditionally had little interest in implementing technology: faster processing of reimbursements for services rendered or standardization of record-keeping (between healthcare providers) does not mean that a consumer will turn around and utilize more healthcare services.

44 “Payment card” refers to a credit card, charge card, or debit card. For purposes of this comparison, a generic credit card transaction will be described. Payment card transactions are of increasing importance given the increase in consumer use of payment cards to pay for copays and deductibles, and the use of debit cards linked to Health Savings Accounts (HSAs). See, e.g., Robert Lowes, Ready, Set, Swipe!, Med. Econ., Oct. 20, 2006, at 62.

45 See Arnold S. Rosenberg, Better Than Cash? Global Proliferation of Payment Cards and Consumer Protection Policy, 60 Consumer Fin. L.Q. Rep. 426, 427 (2006).

46 See Adam J. Levin, Payment Wars: The Merchant-Bank Struggle for Control of Payment Systems, 12 Stan. J. L. Bus. & Fin. 425, 426 (2007). Merchants are charged different fees by different credit card networks. Id.

47 Seventy-five percent of claims were submitted electronically in 2006. See Hannah Yoo & Karen Harner, AHIP Center for Policy & Research, An Updated Survey of Health Care Claims Receipt and Processing Times 2 (2006).

48 Id. at 1.

49 Id. at 3.

50 Id. at 4.

51 See 2009 HHS Report, supra note 8, at 10. However, EOBs tend to be “technical, confusing, or sent too long after the patient encounter to provide an effective warning of irregularities.” Id. Further, a sophisticated identity thief could potentially change the address to which EOBs would be sent. See id.

52 See John Casillas, The Rise of the Bank Infomediary in Health Care: Privacy and Security Regulations and the Rise of Consumer-Driven Health Care Are Changing the Role of Banks in Health Care, 62 Healthcare Fin. Mgmt. 86, 87 (2008).

53 See Dixon, supra note 17, at 8.

54 See, e.g., S. Rep. No. 104-156, at 1 (1995) (“[The purpose of HIPAA is to] reduce many of the current barriers to obtaining health coverage by making it easier for people who change jobs or lose their jobs to maintain adequate coverage, and by providing increased purchasing power to small businesses and individuals.”).

55 See HIPAA, Pub. L. No. 104-191 at 7 (1996).

56 See id. §§ 1172(d), 1173(d). “Through HIPAA, the federal government has attempted to create safeguards and routine by establishing security standards for electronic transmissions and defining the limits of authority for disclosure in the privacy standards.” Ilene N. Moore et al., Confidentiality and Privacy from the Patient's Perspective: Does HIPAA Help?, 17 Health Matrix 215, 227 (2007).

57 HIPAA initially authorized maximum penalties of $50,000 plus one year of prison for knowingly obtaining, using, or disclosing individually identifiable health information, with increased penalties for use of false pretenses and if the offense is committed with intent to use for personal gain. See 42 U.S.C. § 1320d-6(b) (2000), amended by Pub. L. No. 111-005 (2009).

58 See Pub. L. No. 104-191 § 264(b).

59 See 42 U.S.C. § 1320d.

60 68 Fed. Reg. 8334, 8334 (Feb. 20, 2003).

61 66 Fed. Reg. 12,434, 12,434 (Feb. 26, 2001).

62 See 42 U.S.C. § 1320d-5(a)(1) (2000). Congress recently expanded the right of enforcement to state attorneys general under the American Recovery and Reinvestment Act of 2009. See Pub. L. No. 111-5, 123 Stat. 115, § 13410.

63 See 45 C.F.R. § 164.504 (2008).

64 See 42 U.S.C. § 1320d(3) (2000); 45 C.F.R. § 160.103 (2008).

65 See, e.g., 142 Cong. Rec. H3045-02, H3128-H3146 (1996) (debating whether Republican or Democratic version of the bill provides greater protection to the self-employed and small businesses).

66 See, e.g., 142 Cong. Rec. H9785-02 (1996); 142 Cong. Rec. S9501-01 (1996). Health care fraud is defined as the manipulation of billing codes and billing for unnecessary services by physicians in order to increase the amount of reimbursement received from Medicare and Medicaid. See 18 U.S.C. § 1347 (2000) (enacted as part of HIPAA); see generally Yvette M. Mastin, The Punishment of “Health Care Fraud,” 15 J.L. & Health 53 (2001). Health care abuse is defined as “provider practices that are inconsistent with sound fiscal, business, or medical practices, and result in an unnecessary cost to the Medicaid program, or in reimbursement for services that are not medically necessary or that fail to meet professionally recognized standards for health care. It also includes recipient practices that result in unnecessary cost to the Medicaid program.” 42 C.F.R. § 455.2 (2008). Health care fraud and abuse are distinguishable from medical identity theft in that the primary beneficiary of medical identity theft is a third party to the physician-patient relationship and in that medical identity theft requires non-privileged access to patient information.

67 See, e.g., 142 Cong. Rec. H3045-02, at H3084 (1996) (testimony of Hobsen) (discussing need for interoperability between health information systems).

68 “Individually Identifiable Health Information” is defined as “any information, including demographic information collected from an individual, that – (a) is created or received by a health care provider, health plan, employer, or health care clearing house; and (b) relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and – (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.” 42 U.S.C. § 1320d (6); 45 C.F.R. § 160.103.

69 Defined at 42 U.S.C. § 1320d (6) (2000) and 45 C.F.R. § 160.103 (2008).

70 45 C.F.R. §§ 164.302–318 (2009).

71 45 C.F.R. §§ 164.500-534 (2009).

72 See 42 U.S.C. § 1320d-1.

73 See Moore, supra note 56, at 228.

74 See 42 U.S.C. § 1320d-1.

75 See 45 C.F.R. 164.530(c) (2008).

76 See Moore, supra note 56, at 229; see generally 45 C.F.R. §§ 164.508-512 (2008).

77 See 45 C.F.R. § 164.524(a) (2008) (“[A]n individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set … .”). A designated record set is defined as “(1) a group of records maintained by or for a covered entity[,] that is: (i) the medical records and billing records about individuals maintained by or for a covered health care provider; (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) used, in whole or in part, by or for the covered entity to make decisions about individuals.” 45 C.F.R. § 164.501(1) (2008). Individually identifiable health information, or protected health information, is defined as any information relating to an individual that is created by a health care provider with regard to the individual's past, present, or future which can be tied to the individual. See 42 U.S.C. § 1320d(4) (2006). The healthcare provider has discretion to require that requests for access be made in writing, and must respond to requests within thirty days. See 45 C.F.R. § 164.524(b).

78 See 45 C.F.R. § 164.526 (2008). These exceptions include psychotherapy notes, information gathered in anticipation of litigation, and information that is exempt under the 1988 Clinical Laboratory Improvements Act. See § 164.524(a)(1)(i)-(4).

79 See id. at 350; see also 45 C.F.R. § 164.524(a)(4).

80 For the definition of designated record set, see footnote 77, supra. Under this definition, documents generated by and unique to each step of covered entity in the health care billing chain would likely not be included in a request for the designated record set of another.

81 A covered entity can deny requests for amendment of documents not created by the covered entity, not part of the designated record set, not available for inspection, or if the covered entity determines that the record subject to the request is accurate and complete. See 45 C.F.R. § 164.526(a). The burden is on the individual to prove that the contested health record is inaccurate, just as the burden is on the individual to prove that information in a credit report is inaccurate. See Dixon, supra note 17, at 41.

82 See 45 C.F.R. §164.526(a)(2)(i) (2008).

83 See 45 C.F.R. § 164.526(c)(3).

84 See Smith, supra note 88, at 65.

85 See Dixon, supra note 17, at 40; see also United States v. Streich, 560 F.3d 926, 935 (9th Cir. 2009) (“HIPAA does not provide a private right of action, much less a suppression remedy.”) (Kleinfeld, J., writing separately).

86 Dixon, supra note 17, at 41.

87 See id. at 40-41.

88 See Clarice P. Smith, Applying HIPAA to Identity Theft, in Medical Identity Theft 61, 65 (Cindy L. Nichols ed., 2008). It is not clear, however, what standard of proof would be required in cases where the medical records could have been plausibly related to the victim.

89 See id.

90 See id.

91 See id. Amendments to medical records have traditionally been limited to a strikethrough of the erroneous information. See William H. Roach Jr., Medical Records and the Law 59 (3d ed. 1998). A few states have statutes that specify how amendments should be made. Id. at 60.

92 See Knight, supra note 24, at D3 (citing speech by Pam Dixon to the American Health Information Management Association).

93 See Andrews, supra note 24.

94 This would seem to place a heavy burden on the victim. See Smith, supra note 88, at 65 (noting that “HIPAA may allow the healthcare entity to disclose the health information to the potential victim” in “good faith that the health information belongs to the potential victim”).

95 The HITECH Act can be found at Pub. L. No. 111-5, 123 Stat. 115, §§ 13001-13424 (2009).

96 Id. § 13404.

97 Id. § 13424(b).

98 Id. §§ 13402, 13407. Section 13402(h) of the HITECH Act directed HHS to issue guidance on what technology or methodology would suffice to secure PHI. On August 24, 2009, HHS published its final guidance on methodologies that make PHI unreadable and unusable. See Breach Notification for Unsecured PHI, 74 Fed. Reg. 42,740, 42,741 (Interim Final Rule) (to be codified at 45 C.F.R. pts. 160 & 164). The Final Guidance notes that a covered entity could reasonably decline to encrypt PHI and be in compliance with the HIPAA Security Rule but would still be subject to the breach notification requirements of the HITECH Act. Id. at 42,741-42. The Guidance also specifies that destruction of paper records is the only method which “will relieve a covered entity or business associate from breach notification [in the event of a breach of paper records containing PHI].” Id. at 42,742.

99 See, e.g., Ponemon Inst., National Survey on Data Security Breach Notification (2005), available at http://www.whitecase.com/files/FileControl/863d572d-cde3-4e33-903c-37eaba537060/7483b893-e478-44a4-8fedf49aa917d8cf/Presentation/File/Security_Breach_Survey%5B1%5D.pdf. According to the survey, half of people who receive a data breach notification take no action. Id. at 17.

100 For more information on PHRs, see generally James S. Kahn et al., What It Takes: Characteristics of the Ideal Personal Health Record, 28 Health Aff. 369 (2009).

101 16 C.F.R. § 318.2(d) (2009). “PHR identifiable health information means ‘individually identifiable health information … .’” Id. § 318.2(e).

102 Welcome to HealthVault, http://www.healthvault.com (last visited Nov. 19, 2009).

103 Google Health, http://www.google.com/intl/en-US/health/about/ (last visited Nov. 19, 2009).

104 See 74 Fed. Reg. 42,962 (to be codified at 16 C.F.R. pt. 318).

105 Id. at 42,963. The FTC notes that its jurisdiction does include non-profit PHR providers, contrary to its usual Section 5 jurisdiction. Id.

106 See 16 C.F.R. § 318.3(a).

107 Id. § 318.5(a)-(b).

108 See id. § 318.7.

109 See generally Kahn, supra note 100.

110 See Pub. L. No. 111-5, 123 Stat. 115, § 13402 (2009).

111 See 74 Fed. Reg. 42,740 (to be codified at 45 C.F.R. pts. 160 & 164).

112 Id. at 42,743.

113 45 C.F.R. §§ 164.404, 410 (2009).

114 See Pub. L. No. 108-159, § 114, 117 Stat. 1952, 1960 (2003). The FTC, National Credit Union, and Federal banking agencies were charged with promulgating guidelines “regarding identity theft with respect to account holders at, or customers of [financial institutions and creditors] … .” Id. The guidelines were required to “identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft.” Id. Prior to FACTA, the Identity Theft and Assumption Deterrence Act, Pub. L. No. 105-318 (1998), directed the FTC to act as a resource for victims of identity theft.

115 See 16 C.F.R. § 681.2 (2009). A “covered account” is defined as “[a]n account that a financial institution or creditor offers or maintains … that involves or is designed to permit multiple payments or transactions … and any other account … for which there is a reasonably foreseeable risk to customers … from identity theft.” Id. § 681.2(b)(3).

116 15 U.S.C. § 1691a(e) (2000).

117 See Pub. L. No. 108-159, § 114, 117 Stat. 1952, 1960 (2003).

118 See Tiffany George & Pavneet Singh, The “Red Flags” Rule: What Health Care Providers Need to Know About Complying with New Requirements for Fighting Identity Theft, http://www.foma.com/RedFlagsRule.html (pointing out that even non-profit and government agencies may still be creditors).

119 See Press Release, Fed. Trade Comm’n, FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule (Oct. 30, 2009) (pushing enforcement from November 1, 2009 to June 1, 2010), available at http://www.ftc.gov/opa/2009/10/redflags.shtm [hereinafter FTC Press Release]. To date, the American Bar Association appears to be the only entity that has sought to challenge the FTC's enforcement of the Red Flags Rule. See Brief of ABA, ABA v. FTC, No. 1:09-cv-01636-RBW (D.D.C. Aug. 27, 2009). On October 30, 2009 the U.S. District Court for the District of Columbia enjoined the FTC from applying the Red Flags Rules to attorneys. See FTC Press Release.

120 16 C.F.R. § 681.2(d) (2009).

121 See 16 C.F.R. § 681 app. A (2009). Examples of red flags include forged documents, suspicious identification, and suspicious account activity. See id. The Red Flags Rules also require creditors to “[o]btain[] identifying information about, and verify[] the identity of, a person opening a covered account … and [a]uthenticating customers.” Id. (emphases added).

122 See id.

123 Two Circuit Courts and numerous District Courts have all held that HIPAA does not create a private right of action. See Webb v. Smart Document Solutions, LLC, 499 F.3d 1078, 1081 (9th Cir. 2007); Acara v. Banks, 470 F.3d 569, 571 (5th Cir. 2006); accord Warren Pearl Const. Corp. v. Guardian Life Ins. Co. of Am., 639 F. Supp. 2d 371, 377 (S.D.N.Y. 2009); Butler v. Illinois Dep't of Transp., 533 F. Supp. 2d 821, 827 (N.D. Ill. 2008); Rzayeva v. United States, 492 F. Supp. 2d 60, 83 (D. Conn. 2007); Segen v. Buchanan Gen. Hosp., Inc., 552 F. Supp. 2d 579, 584 (W.D. Va. 2007); Agee v. United States, 72 Fed.Cl. 284, 290-91 (2006); Runkle v. Gonzales, 391 F. Supp. 2d 210, 236 (2005); Univ. of Colorado Hosp. v. Denver Pub. Co., 340 F. Supp. 2d 1142, 1143-44 (D. Colo. 2004).

124 The lack of litigation by high-profile victims is logical, since a lawsuit would bring further publicity to the medical records issue. See, e.g., Charles Orenstein, Breaches in Privacy Cost Kaiser: The Bellflower Facility is Fined $250,000, L.A. Times, May 15, 2009, at A3 (describing breaches of medical records regarding Nadiya Suelman (“Octomom”) by hospital employees); Charles Orenstein, Ex-worker Cited in Celebrity Patient Leaks: Former Employee of UCLA Medical Center is Accused of Selling Data to the Media, L.A. Times, Apr. 30, 2008, at A1 (discussing federal prosecution of former hospital employee who wrongfully accessed files on Farah Fawcett under HIPAA).

125 “An employer is subject to liability for torts committed by employees while acting within the scope of their employment.” Restatement (Third) of Agency § 2.04 (2006).

126 See, e.g., Foster ex rel. J.L. v. Hillcrest Baptist Medical Center, 2004 WL 254713 at *3-4 (Tex. App. Waco 2004) (holding no evidence to prove removal of medical records from employer was within scope of employment and analyzing whether a direct negligence claim by child's mother against employer for disclosure was cognizable); Bagent v. Blessing Care Corp., 862 N.E.2d 985, 993 (Ill. App. 2d 2007) (holding hospital employee's disclosure of patient information at tavern not within scope of employment for purposes of vicarious liability on the part of the hospital); see also Restatement (Third) of Agency § 7.07(2) (2006) (setting out scope of employment).

127 See Prince v. St. Francis-St. George Hosp., Inc., 484 N.E.2d 265, 267 (Ohio Ct. App. 1985) (hospital not liable for physician's breach of confidentiality because physician not hospital employee, despite having staff privileges).

128 “A principal is subject to vicarious liability for a tort committed by an agent in dealing or communicating with a third party on or purportedly on behalf of the principal when actions taken by the agent with apparent authority constitute the tort … .” Restatement (Third) of Agency § 7.08 (2006).

129 See, e.g., Doe v. Smith, 913 So. 2d 140, 143 (La. Ct. App. 2005) (leaving documents containing confidential patient information in a parking lot sufficient to constitute breach of duty of confidentiality).

130 See Doe v. Medlantic Health Care Group, Inc., 814 A.2d 939, 953 (D.C. 2003) (holding health care provider liable for damage to patient due to employee breaches of patient confidentiality protocols).

131 See, e.g., The Joint Commission, 2008 National Patient Safety Goals, at Goal 1 (May 31, 2007), http://www.jointcommission.org/PatientSafety/NationalPatientSafetyGoals/08_hap_npsgs.htm (listing patient identification as a priority goal).

132 The purpose of the breach of confidentiality tort is to encourage full disclosure by a patient to his or her physician. See Commonwealth v. Brandwein, 760 N.E.2d 724, 729 (Mass. 2002) (holding that patients have a right to expect confidentiality and that disclosure of confidential information is an actionable tort).

133 Other health care providers may also be found to have a duty of confidentiality. See, e.g., Watts v. Cumberland County Hosp. Sys. Inc., 330 S.E. 2d 242, 248-49 (N.C. Ct. App. 1985), rev’d on other grounds, 345 S.E. 2d 201 (N.C. 1986) (finding counselor also owed duty of confidentiality on basis of state licensing as a health care provider).

134 See Geisberger v. Willhun, 390 N.E. 2d 945, 947 (Ill. App. Ct. 1979) (disclosure of patient name not sufficient to constitute breach of confidentiality).

135 Since the information disclosed must be private, a victim may still need to prove that the information was generated in the course of a physician-patient relationship as part of the victim's prima facie case.

136 The four types are intrusion on seclusion, appropriation of name or likeness, publicity given to private life, and publicity placing the victim in a false light. Restatement (Second) of Torts §§ 652B-652E (1977).

137 “One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.” Id. § 652B.

138 Id. § 652D.

139 See also Pat Reavy, What Baby? ID Victim Gets a Jolt, Deseret Morning News, May 2, 2006, at A1 (the victim in the actual case chose to discuss the incident with various press outlets).

140 See Alsip v. Johnson City Med. Ctr., 197 S.W. 3d 722, 725-26 (Tenn. 2006) (finding duty not to disclose confidential patient information).

141 See Doe v. Portland Health Ctrs., Inc., 782 P.2d 446, 448 (Or. Ct. App. 1989) (finding question of fact as to whether implied confidentiality contract existed between mother of patient and health care provider). Courts may be willing to recognize an implied promise of confidentiality. See Doe v. Roe, 400 N.Y.S.2d 668, 674 (N.Y. Sup. Ct. 1977).

142 “One who appropriates to his own use or benefit the name or likeness of another is subject to liability to the other for invasion of his privacy.” Restatement (Second) of Torts § 652C (1977). Appropriation “includes circumstances where a defendant ‘pirates’ a plaintiff's identity (name or likeness) for the purpose of benefit or advantage, such as obtaining credit.” Moore et al., supra note 56, at 226.

143 “One who uses a chattel in a manner which is a serious violation of the right of another to control its use is subject to liability to the other for conversion.” Restatement (Second) of Torts § 227 (1965).

144 Although this section has focused on potential civil remedies for victims of medical identity theft, it is important to note that there are criminal consequences for individuals who violate security and privacy laws regarding medical records. Law enforcement has recently started to respond to the threat of misappropriation and misuse of medical information. For example, the Department of Justice recently formed health care fraud task forces in the Southern District of Florida and in the Central District of California to combat the combined threat of medical identity theft and traditional health care fraud. See The President's Identity Theft Task Force, Combating Identity Theft: A Strategic Plan 42 (2008) (describing the conviction of a medical identity theft perpetrator who obtained a duplicate of a friend's Social Security Card in order to obtain medical treatment). The President's Identity Theft Task Force has acknowledged that medical identity theft is a fast-growing area of identity theft. Id. at 50.

145 Data collected by the credit reporting agencies is also used for marketing and customer relations purposes. See, e.g., Business Services for Medium & Large Enterprises from Experian, http://www.experian.com/business-services/business-services.html (last visited Nov. 21, 2009).

146 See Robert B. Avery et al., Credit Report Accuracy and Access to Credit, 90 Fed. Res. Bull. 297, 298 (2004) [hereinafter Access to Credit] (“Each [credit bureau] has records on perhaps as many as 1.5 billion credit accounts held by approximately 210 million individuals.”) (citing Fair Credit Reporting Act: How it Functions for Consumers and the Economy: Hearing Before the Subcomm. on Financial Institutions and Consumer Credit of the H. Comm. on Financial Services, 108th Cong. 108-33 (statement of John A. Ford, Chief Privacy Officer, Equinox, Inc.)). See also Ian O’Neill, Disparate Impact, Federal/State Tension, and the Use of Credit Scores by Insurance Companies, 19 Loy. Consumer L. Rev. 151, 153 (2007) (estimating more than 200,000,000 individuals’ credit histories on file).

147 TransUnion, Equifax, and Experian are for-profit corporations. The information on an individual credit report may vary between the three bureaus, however, due to the differences in reporting by some institutions, and the timing of processing of new data. Robert B. Avery et al., An Overview of Consumer Data and Credit Reporting, 89 FED. RES. BULL. 48, 51 n.11 (2003) [hereinafter Consumer Data & Credit Reporting] (citing Consumer Fed’n of Am. & Nat’l Credit Reporting Assoc., Credit Score Accuracy and Implications for Consumers (2002)).

148 See J. Alex Heroy, Other People's Money: How a Time-Gap in Credit Reporting May Lead to Fraud, 12 N.C. BANKING INST. 321, 322 (2008).

149 See Elizabeth Doyle O’Brien, Comment, Minimizing the Risk of the Undeserved Scarlet Letter: An Urgent Call to Amend § 1681E(B) of the Fair Credit Reporting Act, 57 Cath. U. L. Rev. 1217, 1221-22 (2008).

150 15 U.S.C. § 1681 (2006). The first version of FCRA was enacted in 1968. See Pub. L. No. 90-321, 82 Stat. 146 (1968).

151 See 15 U.S.C. §§ 1681c-1 – c-2 (2006).

152 See Erin Dowe, Frustration Station: Attempting to Control Your Credit, 16 Geo. Mason U. Civ. Rts. L.J. 359, 359-360 (2006).

153 See O’Neill, supra note 146, at 159.

154 See Gail Hillebrand, After the FACTA: State Power to Prevent Identity Theft, 17 Loy. Consumer L. Rev. 53, 53-54 (2004).

155 See Dowe, supra note 152, at 369.

156 “Credit cards” refers to accounts that have revolving balances. “Charge cards,” such as an American Express card and some department store cards, must be paid in full at the end of every month.

157 See Consumer Data & Credit Reporting, supra note 147, at 48.

158 See id.

159 See id. at 51, 69. Avery et al. attribute the high proportion of unpaid medical bills to the high cost of health care. Id.

160 See Part I, supra.

161 See Menn, supra note 1.

162 O’Brien, supra note 149, at 1222.

163 Michael Turner et al., Info. Policy Inst., The Fair Credit Reporting Act: Access Efficiency & Opportunity: The Economic Importance of Fair Credit Reauthorization 37-39 (2003).

164 Nat’l Ass’n of State PIRGs, Mistakes Do Happen: A Look at Errors in Consumer Credit Reports 11 (2004) (categorizing false delinquencies or accounts that did not belong to the consumer as serious errors).

165 Heroy, supra note 148, at 324.

166 Id. at 322.

167 “Some of the mistakes on consumer reports are the result of mis-merged file information, when the bureau simply adds one consumer's account to another's file. Other mistakes are the result of identity theft, when a thief's fraudulent accounts end up on an innocent consumer's report. Still others result from coding or reporting errors, where a consumer's on-time payments are falsely listed as late.” Nat’l Ass’n of State PIRGs, supra note 164, at 6.

168 See Consumer Data & Credit Reporting, supra note 147, at 50.

169 “A credit score or rating is a numerical calculation intended to represent the specific level of risk that a person or entity brings to a particular transaction.” O’Neill, supra note 146, at 152. “Credit scoring models are complex statistical tools that use the wealth of information contained in the consumer's credit file to predict the likelihood of repayment … [S]coring models provide an objective, empirically based method of assessing credit risk.” Michael Turner et al., The Info. Policy Inst., The Fair Credit Reporting Act: Access, Efficiency & Opportunity – The Economic Importance of Fair Credit Reauthorization 35 (2003) (arguing against stricter state regulation of credit and privacy).

170 See O’Neill, supra note 146, at 153.

171 See Heroy, supra note 148, at 323-24.

172 See O’Neill, supra note 146, at 172.

173 See Access to Credit, supra note 146, at 298.

174 See id. at 299.

175 See Consumer Data & Credit Reporting, supra note 147, at 61.

176 See Heroy, supra note 148, at 323 (reporting a thirty day lag between the time information is submitted to a credit reporting bureau and when it appears on a credit report).

177 See Dowe, supra note 152, at 362 (contrasting identity theft with burglary).

178 See Rosenberg, supra note 45, at 431.

179 See id.

180 See id. Chargeback rules are considered proprietary and are not disclosed to the public on the basis that they govern the relationship between the banks that are party to the credit transaction. See id. Another rationale for not disclosing chargeback rules would likely be to limit consumer ability to dispute charges.

181 See id. If the request is justified, the card issuer will credit the consumer. Id. The chargeback can then be passed back to the merchant acquirer, who in turn may debit the merchant's account. Id. “The issuer's right to pass on the claim to the merchant acquirer is a contractual right of the issuer, not a right of the consumer.” Id.

182 See id.

183 See O’Neill, supra note 146, at 174 (citing Candace Heckman, Study Assails Accuracy of Credit Reports, Seattle Post, June 21, 2004).

184 See Dowe, supra note 152, at 367.

185 See id.

186 See id. at 360 (citing to FTC's online instructions regarding maintaining credit history), available at www.ftc.gov/bcl.conline/pubs/credit/idtheft.htm.

187 See id. at 370 (citing FTC instructions).

188 For example, Massachusetts General Hospital has formed a Data Integrity Group, whose membership includes clinical departments, security, information technology, and administrative departments. 2009 HHS Report, supra note 8, at 23. The “group meets to discuss any inconsistencies its members may see within their own work that may relate to the role of others in the hospital.” Id. The purpose of the Group is to prevent “silo mentality” between disparate parts of the MGH organization. Id.

189 To a certain extent, the need for a government push for interoperable electronic record-keeping in the healthcare sector indicates the lack of private economic incentive to increase the efficiency of record-keeping.

190 Healthcare providers that lack state licenses are not allowed to operate in that state. Also, the majority of health care facilities take advantage of “deemed” status eligibility for Medicare and Medicaid billing by undergoing a voluntary accreditation process. See 42 U.S.C. § 1395bb (2006) (describing the effect of accreditation).

191 The Joint Commission is a private entity that accredits hospitals and healthcare providers. See generally, About Us: Joint Commission, http://www.jointcommission.org/AboutUs/ (last visited Feb. 8, 2009).

192 See 2008 Joint Comm’n Nat’l Patient Safety Goals for Hospitals, http://www.jointcommission.org/PatientSafety/NationalPatientSafetyGoals/08_hap_npsgs.htm (last visited Nov. 1, 2009).

193 See 2009 Joint Comm’n Nat’l Patient Safety Goals for Hospitals at 1.01, available at http://www.jointcommission.org/NR/rdonlyres/31666E86-E7F4-423E-9BE8-F05BD1CB0AA8/0/HAP_NPSG.pdf.

194 “Sentinel events” are occurrences of egregious medical or operational error, such as surgery on the wrong limb. The Joint Commission currently lists twenty-two categories of Sentinel Events, including “other.” See Sentinel Event Statistics as of June 30, 2009, The Joint Commission, http://www.jointcommission.org/NR/rdonlyres/241CD6F3-6EF0-4E9C-90AD-7FEAE5EDCEA5/0/SE_Stats12_08.pdf. Similarly, the Center for Medicaid and Medicare Services (CMS) keeps a list of “never events” that closely mirrors that of the Joint Commission. See Press Release, Center for Medicare and Medicaid Services, Eliminating Serious, Preventable, and Costly Medical Errors - Never Events (May 18, 2006), available at http://www.cms.hhs.gov/apps/media/press/release.asp?Counter=1863. Errors on either of these lists are considered non-reimbursable by the federal government.

195 For example, a healthcare provider could keep patient photographs or identification documents on file, and require that these documents be presented at the time of service. See Merisalo, supra note 23, at 3. One “credentials plus” authentication procedure is to require patients to demonstrate knowledge of their personal information or medical records already on file with the healthcare provider. See 2009 HHS Report, supra note 8, at 16. Similarly, a provider could use a biometric identification system, such as fingerprinting or palm scans, to verify the identity of a patient. See 2008 AHIMA Report, supra note 14. Biometric data have the added benefit of not being forgeable, and are available during a medical emergency when a patient may be unavailable to self-identify. See id. Another technological innovation is the use of “smart cards” in combination with a personal identification number (PIN) to confirm patient identity. See 2009 HHS Report, supra note 8, at 17. The smart card system is used by Elmhurst and Queens Hospitals in Queens, New York. Id. The smart cards contain patients’ biographical information and emergency contacts, as well as allergies and medications. Id.

196 One obvious step is to institute strict access policies that ensure that an employee's level of access to protected health information is appropriate to the employee's function in providing care. See Cindy L. Nichols, Internal and External Threats, Risks, and Controls, in Medical Identity Theft 47, 52-53 (Cindy L. Nichols, ed. 2008). Other steps to be taken include the securing of computer equipment and physical files when they are not being actively used, and requiring or automating logoffs when an employee is not actively accessing information. Id. Finally, providers should take care to ensure that encryption policies are in place for data storage, as encryption can delay or prevent thieves from using information stored on lost or stolen hardware. Id.

197 See Winn, supra note 29, at 635.

198 See id.

199 Potential fears about a National Health Information Network (NHIN) include “the vulnerability of the health data resulting from access to large quantities of it at one time, combined with the cascading effect across the system in the case of data corruption.” See 2009 HHS Report, supra note 8, at 4. The “cascade effect” is the result of incorrect medical records data being incorporated into not only the victim's medical records, but also public health and research data. Id. at 20.

200 See Merisalo, supra note 23, at 3.

201 See Winn, supra note 29, at 636.

202 A limited health records reporting system exists in the form of the Members Insurance Bureau (MIB). With regard to healthcare, MIB is limited in scope to individually underwritten policies. See Consumer Guide, MIB Group, Inc., http://www.mib.com/html/consumer_guide.html (last visited Sept. 28, 2009). The vast majority of private health insurance is underwritten on a group basis, and public health insurance data is not underwritten.

203 As discussed in Part Error ! Reference source not found. supra, the concept of medical identity theft was not considered during the drafting of HIPAA.

204 DIXON, supra note 17, at 41. The current HIPAA access regulation allows covered entities to decline to allow access if it is determined that “[t]he protected health information makes reference to another person … and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person … .” 45 C.F.R. § 164.524(3)(ii) (2008). This ground for denial, however, is categorized as “reviewable.” Id.

205 Although another option would be to fully federalize the administration of medical records, a public-private partnership similar to that in FACTA would appear to be more cost-effective.

206 It is unclear whether this type of reporting can be accomplished under the current structure of medical services record keeping, where multiple entities generate and keep records on an individual patient. In order to effectively combat medical identity theft, the scope of the entities required to report to a centralized database would be very broad. There have been, however, some private initiatives to give patients online access to their medical records. See 2009 HHS Report, supra note 8, at 9.

207 Under HIPAA, covered entities are only required to report disclosures of private health information under certain circumstances. HIPAA's narrow requirements could potentially limit the amount of information provided on an “annual health report” so as to make it useless for purposes of preventing medical identity theft. See Dixon, supra note 17, at 15.

208 Although it would likely require specialized staffing to deal with disputes, this feature, rather than a flagging system, would be particularly valuable, since individuals “may be the only ones who can tell if a medical service billed to an insurer in their name was really a service they received or sought.” Id. at 45.

209 The Presidential Task Force is focused on financial identity theft. See Presidential Identity Theft Task Force, “About the Task Force,” http://www.idtheft.gov/about.html (last visited Feb. 9, 2009). To date, the Task Force has completed a strategic plan and a set of recommendations. See 2009 HHS Report, supra note 8, at 5; Task Force Website, http://www.idtheft.gov/ (providing links to strategic plan and implementation report) (last visited Feb. 9, 2009).

210 See 2009 HHS Report, supra note 8, at 10. The FTC provides resources on its website, as well as a telephone hotline. Id.; see FTC Identity Theft Website, http://www.ftc.gov/bcp/edu/microsites/idtheft/. The FTC also engages in some data collection as to the incidence of medical identity theft incidental to its collection of financial identity theft information. See 2009 HHS Report, supra note 8, at 6.

211 Dixon, supra note 17, at 11. OIG is currently excluded from enforcement of identity theft and instead concentrates on prosecuting medical fraud and abuse. See id. OIG's 2009 work plan, however, includes a review of CMS’ efforts to deter medical identity theft as part of its effort to combat fraud and waste. See OIG Issues 2009 Work Plan, 18 Healthcare Registration 1, 2 (2008).

212 See generally 2009 HHS Report, supra note 3.

213 Another option would be to make this the responsibility of the Office of the National Coordinator for Health Information Technology (ONCHIT), created by the HITECH Act. See Pub. L. No. 111-5, 123 Stat. 115, § 13101 (2009). ONCHIT, however, is focused on setting privacy and security standards for the implementation of EHRs. See id.

214 2009 HHS Report, supra note 8, at 3.

215 See Merisalo, supra note 23, at 3 (citing 2008 Joint Commission recommendations for healthcare providers).