In a letter from Congress to CMS (Centers for Medicare and Medicaid Services) and OCR (Office of Civil Rights) last month, the Senate HELP (Health, Education, Labor and Pensions) Committee and the Senate Committee on Finance showed they've decided enough is enough when it comes to medical identity theft. They issued a stern letter to the government agencies citing the nearly 154 million people who were put at risk due to medical identity theft in 2015. The gist was that Congress wants to know what these agencies are doing to support the victims of medical identity theft after it happens. Is this just closing the barn door after the horses have bolted?
It is a positive sign that Congress is finally sitting up and taking notice of the serious problem of data security and medical identity theft. However, this is the second time in as many months that the focus has been on treating the symptom rather than the cause. In October, Congress passed a cyber security bill that would give companies legal immunity for sharing data with the federal government. Aside from the privacy concerns this has generated, it again deals with reacting after the event, rather than trying to stop the breach in the first place.
There remains a general apathy in the industry about a lack of oversight. OCR recently announced that it is reducing the number of companies included in its continually delayed Phase 2 audits. This reinforces the likelihood that many companies will just continue to take a chance rather than spend the money required to be compliant.
Until our lawmakers realize that something more has to be done to prevent breaches, expect to see an increase in the steady stream of medical identity theft announcements. 2016 is likely to be much worse than 2015.
See my related blog for mHealthnews: Why health IT companies may not take HIPAA seriously until 2016!