In the worst-case scenario, you’re going to need to correct multiple areas of your identity: financial, insurance, and medical. So I’ll walk you through how to get the documents you need, what information to look for, and how to build a case to support your claim of identity theft.

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that governs how the healthcare world manages paper and electronic records. Under HIPAA, insurers and healthcare providers can only charge you expenses to copy the files, though medical records can easily run dozens of pages and x-rays can be expensive to duplicate unless they are transferred electronically. At the very least, get X-ray, CT scan, and other written reports. If you need the actual images of scans, X-rays, and ultrasounds, you can have the actual hard copies or digital files sent to your doctor.

Your credit reports won’t always be affected by medical identity theft if the fraudster has paid the bills. Many impostors will use your insurance and pay the co-pay, hoping you won’t notice on your statements from your carrier. That’s why it’s so important to review your insurance statements. For example, if no one has reported unpaid accounts to any of the CRAs, then you won’t see anything on the credit report. But you need to check anyway, using the detailed approach in Chapter 4.

If there are delinquent medical collection accounts on your credit report, use the information in Chapter 4 to remove it. Those accounts will lead you to important information for the rest of your medical identity theft investigation.

You’ll need the name, address, and phone number of every healthcare provider, which you may obtain from the debt-collection companies on your credit report. You may not recognize the providers if they treated the fraudster, so check your credit header information on your credit report to see if there is an address or phone number you don’t recognize that the fraudster may have supplied to the healthcare provider.

If there is fraud on your credit report, it will indicate medical collection accounts, but it will not show any medical information because that would be a violation of FCRA.

Because health insurance companies pay for much of the medical service provided in this country, you’ll need to get information from them. First you need to know which insurers to contact. There’s yours, but the fraudster may have created an account at another insurer.

Start by going to the Medical Information Bureau (MIB), which is considered a specialty consumer-reporting agency under the Fair Credit Reporting Act. This means that you can get a copy of the report free once every year at www.mib.com, and you have the right to dispute errors, have the MIB investigate by notifying the carriers who reported the mistakes /fraud, and have the erroneous data deleted from your file.

The MIB is contacted by member life, health, disability, or critical illness insurance companies when they are establishing an account for someone. If you or the fraudster using your identity have applied for life, health, or disability insurance in the last seven years, there may be an MIB consumer record for you.

Your MIB record can have three different types of information: details of medical history and treatment associated with you, a list of insurance companies that reported the details of medical history and treatment, and a list of all insurers that received a copy of your file during the last 12 months. The details of medical history and treatment become part of the information you’ll sift later in the chapter for evidence of fraud or error.

The lists of insurance companies either reporting those medical details or receiving a copy of your file will become the carriers from whom you seek additional information, as you’ll see detailed in the next section.

Once a year you can request a free copy of your MIB consumer file by calling 1-866- 692-6901 or going to www.mib.com . When you call, you will be asked for personal identification information. You’ll need to certify under penalty of perjury that the information you provide is accurate.

Once you learn what healthcare providers reported to insurance companies, you’ll need to get their records. Each healthcare agency and health insurer’s notice of privacy practices becomes the guideline that tells you how to ask for and get information from them. Every entity may have different procedures, so you need to get a notice of your rights and their privacy practices from each entity.

The listing of benefits shows everything that the specific insurance carrier has paid in your name, as well as the healthcare provider that performed the service. If the identity thief has changed your address and phone number, you would not have seen the bills. The same is true if someone has used your identity to create an account with a different insurer, which may happen if the person gets a job with healthcare benefits in your name or applies for Medicaid or Medicare using your identity. The listing will also let you see which healthcare providers have been specifically paid by the insurance company.

As you go through the listing of insurance benefits, specifically look for treatments, doctors visits, medicines, hospitalizations, medical devices, tests, or anything else that you cannot remember getting. Circle those benefits and the associated healthcare providers that don’t pertain to you. Now you’re ready to get your medical records.

Your medical records show the details of illnesses and conditions, diagnoses made, and care or treatment provided, listing the specific people who were involved with the care, including doctors, nurses, radiologists, pharmacists, physical therapists, dentists, and so on. Every healthcare provider generates medical records for its patients.

Just as you did with the insurance companies, start by asking each provider for a notice of privacy practices. Under HIPAA, every provider must give a copy of its notice to anyone who asks. First search the provider’s website, as it may have the notice of privacy practices and how you can access your record. If not, call the provider and ask for the steps and forms to obtain records. Under HIPAA, the provider has 30 days to act on your request.

Remember to keep track of your out-of-pocket costs. Also, most healthcare offices now have their most recent records in electronic form, so you can ask them to send the electronic files to you encrypted with a password. Those should be sent at very little cost.

At this early stage, don’t let the healthcare provider know you are a victim of ID theft. One problem in getting your healthcare records is that HIPAA can become as much of a problem as a help. Under the law, healthcare providers, insurance companies, and other entities aren’t allowed to disclose someone’s medical information to an unauthorized party. Guess what? If you tell a healthcare provider upfront that your record includes data about someone other than you (your impostor), the provider or insurer legally cannot disclose that privileged information. When it comes to the fraudster, you’re considered an unauthorized party, even though we’re talking about a record in your name.

The way to work around this is not to say a single word about fraud at first. Just say, “I need copies of all medical records and billing statements in my name, please. How do I obtain those?” You legally needn’t say anything more, so don’t.

Once you have the records, scrutinize the following information:

If the descriptive data (address, age, blood type, and so on) does not match yours, you have evidence of fraud.

If you don’t understand a diagnosis, ask the provider. And if you see records from your own provider or don’t recognize a procedure, don’t automatically assume the worst. It’s surprisingly easy to completely forget about something you had done years before, and a provider might have made an error that must be corrected.

In all cases, talk to the specific healthcare providers who were involved with the treatment in question. Call the healthcare provider (you may be able to go there if it’s local) and ask for the records. Then ask to speak to the treating professional and get as much specific detail about the person claiming to be you as possible, and send a summary letter to confirm what was said. Ask questions including, but not limited to, the following:

Take copious notes and, if you learn a great deal about the fraudster, document the conversation in a thank-you note to the healthcare provider and ask him or her for help in correcting the files to show it was not you. The provider will be worried that he or she has legal liability, so unless there was a conspiracy, just let the provider know you want help in getting back your life, and you want to help law enforcement get the criminal.

The truth is, if the providers are helpful to you, they are mitigating their own liability. If they’re not and they were negligent in treating someone who used your name, you may have a right to a legal action against them. If you can’t get the information you need from the healthcare providers, you may need to write a letter requesting the information. You should attach your police report, FTC affidavit, and evidence of your identity, and reiterate your rights as a victim to get this information under FCRA 609e. If that fails, look at Chapter 18 and consider legal help.

As with other types of identity theft, you have to become your own private investigator. Summarize the problem and be sure to concisely compare and contrast your impersonator’s characteristics with your own. Assemble everything you’ve learned from the healthcare providers and the MIB file and put all the data, along with copies of records, into a ring binder. You’ll need a divider to split the binder into two categories: “Mistakes” and “Fraud.”

Medical record mistakes are difficult to challenge, because the healthcare providers aren’t comfortable changing medical records. If the record was correct for the patient who was treated, albeit an impostor, the treatment and diagnosis for that criminal was most likely correct as to the procedures. There is a dilemma for the healthcare providers, especially if the fraudster returns for treatment. For malpractice concerns as well as standard protocol, healthcare providers will add an amendment to the file rather than delete information. The process will be clarified below.

Create a single master list of all the fraudulent information from all of the healthcare records. For each fraudulent use of care, you want to list the discrepancies of the following:

Now go down the master list of fraudulent service, concentrating on two things. First, look for information about a given care event or activity that can prove you were not the recipient. For example, if a record lists the recipient as having blood type O+ when you actually have A-, then that’s proof you aren’t the person being mentioned. Did the impostor use an address that was not yours? Was care given in a place or at a time when you can prove (through receipts or other paperwork) that you could not have been there? Did the patient take a medicine to which you are highly allergic, without any negative effect? Did the fraudster sign a form and leave a signature obviously different from yours? Look for every possible logical inconsistency that can prove your point.

The second thing you look for are grouped records, where more than one provider is involved with a single incident. Are there inconsistencies, like a doctor authorizing one test and a lab doing another more expensive test? Or do two healthcare providers have data that would describe different people?