Ohio's "aggressive" attack on medical identity theft.

Author: Ball, Stanley C.

I. INTRODUCTION
II. DATA BREACH, IDENTITY THEFT, AND MEDICAL IDENTITY THEFT
  A. Data Breach
  B. Identity Theft
  C. Medical Identity Theft
III. FEDERAL LEGISLATION TO PREVENT MEDICAL IDENTITY THEFT
  A. HIPAA
  B. The HITECH Act Amends HIPAA
  C. Federal Preemption of State Laws
IV. OHIO'S DATA BREACH LAW DOES NOT COVER HIPAA COVERED ENTITIES
V. OHIO SHOULD AMEND ITS DATA BREACH NOTIFICATION LAW
  A. Ohio's Data Breach Notification Law Should Apply to HIPAA Covered Entities
  B. Ohio's Data Breach Notification Law Should Have an Acquisition-Based Trigger
  C. Ohio's Data Breach Notification Law Should Require Healthcare Providers to Destroy or Encrypt Discarded Medical Records
  D. Ohio's Data Breach Notification Law Should Be Amended to Give Residents a Method of Recovering Monetary Awards Against Covered Entities That Violate Ohio's Law
VI. CONCLUSION

I. INTRODUCTION

    We all think we are the foremost authority when it comes to our personal health. We are consciously selective in what we tell our doctors, we confidently use WebMD.com to self-diagnose illnesses, and we even think we are savvy enough to make the medical determination of whether we should receive a flu shot each fall. We feel assured knowing that no one knows or can alter our medical identity without our consent, or at least our knowledge. But what if someone can?

    In 2009, Brandon Sharp, a 37-year-old manager at an oil and gas company in Houston, Texas, (1) was building his version of the American dream. He was about to get married, was about to buy his first home, and was in perfect physical condition. (2) Before applying for a mortgage, Mr. Sharp requested a copy of his credit report. (3) Much to his chagrin, the report revealed several collection notices under his name for emergency room visits throughout the country and a $19,000 bill for a life flight service. (4)

    Mr. Sharp, like an increasing number of Americans, had fallen victim to a crime known as medical identity theft. The crime, defined as the theft or unauthorized use of another's personal information to obtain medical goods and services, (5) is dangerous because it alters the victim's medical identity without the victim's knowledge and may never be detected. (6) Additionally, because there is no national centralized repository for medical records, every time a thief uses the victim's medical identity, a record is created that could be easily mistaken for the victim's medical record. (7)

    This note explains the severity of medical identity theft and the state and federal legislative reactions to the problem. Specifically, the note discusses data breach notification statutes that require healthcare providers to notify consumers when the systems holding customer personal information are breached. (8) The note concludes that Ohio's data breach notification statute, which does not expressly cover healthcare providers, (9) should be amended to protect residents from medical identity theft and provide redress when healthcare providers (10) violate state law.

    Section II of this note describes the nationwide problem of medical identity theft. It begins with an overview of data breach and general identity theft. The section then explains the difference between general identity theft and medical identity theft, and why the latter is more harmful to the victim.

    Section III illustrates the federal legislative response to data breaches in the healthcare industry. The section also explains how all healthcare providers are subject to the requirements of the Health Insurance Portability and Accountability Act of 1996 (hereinafter "HIPAA"). The section then explains the Act's 2009 amendments, known as the Health Information Technology for Economic and Clinical Health Act (hereinafter the "HITECH Act"). Lastly, the third section illustrates the interaction between state and federal law, and how federal legislation leaves room for state regulation of data breaches.

    Section IV provides an overview of the current Ohio law on data breach notification. The section articulates how and when the Ohio law applies. Most importantly, it explains that Ohio's data breach notification statute does not apply to healthcare providers.

    Lastly, Section V provides several suggestions that will ensure Ohio is better able to protect its residents from medical identity theft through an amended data breach notification statute. Specifically, the section offers four proposals: (1) Ohio should make its data breach law applicable to healthcare providers; (2) healthcare providers doing business in Ohio should have no discretion over whether to notify patients when their data systems have been breached; (3) Ohio's data breach legislation should require healthcare providers to destroy patients' personal information when they dispose of it; and (4) Ohio's legislation should provide a mechanism for victims of medical identity theft to recover monetary penalties from healthcare providers who violate the amended state law.

    While it is undisputed that medical identity theft is a fast-growing and fairly complex crime, there is no justifiable reason why Ohio should cede its ability to protect Ohio residents from medical identity theft to the federal government. As this note explains, there are several concerns that favor and disfavor state laws addressing consumer protection from medical identity theft. After weighing these concerns, however, the state legislature should be a driving force rather than a complacent participant in the fight against medical identity theft.

II. DATA BREACH, IDENTITY THEFT, AND MEDICAL IDENTITY THEFT

    There are three actions that involve the unauthorized acquisition or misuse of an individual's personal information that may harm an individual. The first is the breach of an organization's information storage system containing consumer data. The second is identity theft. The third is a more severe form of identity theft known as medical identity theft. This section distinguishes the three actions and further explains the severe effects of medical identity theft.

    A. Data Breach

      The heart of data breach is personal information. In general terms, personal information is any data that identifies a particular person. (11) Organizations collect this personal information because it creates an efficient way to provide goods and services. (12) At the same time, this collection creates a prime target for identity thieves. (13)

      The unauthorized acquisition of, or access to, records containing an individual's personal information constitutes a security breach. (14) Often, data breaches result in unauthorized access to only a small number of records. For example, in 2008, a 38-year-old Avon Lake, Ohio man spent a measly $115 on a spyware program that enabled him to view details of medical procedures, diagnostic notes, and other confidential information of 62 hospital patients. (15) Data breaches can also expose an enormous amount of personal information. For example, a laptop containing the social security numbers of approximately 2,000 current and former school employees of Springfield City Schools in Ohio was stolen from a state auditor's car, which was parked in his home garage. (16)

      Just as data breaches come in numerous sizes, they also occur in several forms. For instance, hackers can illegally retrieve information stored in computer systems over the Internet. (17) Individuals can also physically steal computers, data storage equipment, and paper files. (18) Additionally, personal information can be improperly displayed or thrown away, allowing sensitive data to be viewed by those who should not have access. (19) And finally, a disgruntled or opportunistic employee may also be the source of a data breach. (20)

      When a data breach occurs, it can be costly to the individual whose information has been compromised, as well as to the company whose data system was breached. (21) The individual may have to monitor his credit for years, if not a lifetime. (22) The organization, in many cases, must bear the cost of notifying the individuals whose information has been stolen. When a publicly traded company is involved, there is a significant, negative effect on the company's stock price. (23) The company may also be liable for damages if a customer brings a successful civil action based on common law principles or on violations of federal and state data breach notification statutes. (24) Even if the suit is unsuccessful, the litigation cost alone can be an unexpected and substantial expenditure. Overall, a data breach's effect can be considerable, but in many cases it is just the tip of the iceberg.

    B. Identity Theft

      While data breaches pose a serious threat to the privacy of personal information, what most people fear is what happens after a data breach has occurred. A data breach exposes personal information that many organizations lawfully use to open new accounts, verify information, and make changes to existing accounts. Identity theft occurs when an individual uses another person's identifying information, without permission, to commit fraud or other crimes. (25)

      An identity thief uses the personal information in a variety of ways. He may open a new credit card account in the victim's name, or change the billing address on a victim's existing account while accumulating charges (26) on the credit line. (27) Identity thieves may also create counterfeit checks using the victim's name and account number, or take out a loan in the victim's name. (28) An identity thief may even obtain a driver's license or official ID card in the victim's name bearing the thief's picture. (29) In 2009 alone, the number of identity theft victims in the United States increased 12 percent from the previous year, to 11.1 million people. (30) In 2008, the Federal Trade Commission reported that 8,237 Ohioans were identity theft victims. (31)

      The number of identity theft victims is increasing because committing the crime is relatively simple, while catching and...
