The Red Flag Rules are a regulation issued by the Federal Trade Commission (FTC) under the Fair and Accurate Credit Transactions Act (FACTA). They require financial institutions, utilities, and other creditors to set up written programs aimed at detecting and preventing identity theft.
Identity theft is a form of fraud in which someone assumes another person's identity, typically to access resources or obtain credit and other benefits in that person's name. For medical practitioners, the primary concern is the theft of a patient's medical identity. Medical identity theft occurs when someone uses another person's identity, without that person's knowledge, to obtain medical services or to make false claims for them, leaving fictitious and erroneous entries in the victim's medical record.
The FTC released the Red Flag Rules (RFR) in November 2007. However, the RFR did not specify whether medical practitioners were included in the Red Flag requirements. The American Medical Association (AMA), which has opposed applying the Rules to physician practices on behalf of patients and physicians, challenged the FTC staff's stated intention to do so, and the FTC in response delayed enforcement for physician practices until June 1, 2010. The AMA continues to insist that physicians should not be covered by the Red Flag Rules because they are not "creditors".
Conforming With the Red Flag Rules
The Red Flag Rules apply to any institution that is regarded as a creditor. A creditor is defined as "any person who regularly extends, renews, or continues credit; an entity (person or institution) that extends credit by giving another entity permission to borrow money if it is paid back at a later date." Under this definition, the FTC considers physicians who submit insurance claims or permit payment plans to be creditors, and therefore bound by the Red Flag Rules.
The Red Flag Rules therefore cover doctors who accept insurance or allow payment plans. Such practices must have sufficient policies and procedures in place by June 1, 2010 or may face a civil penalty of up to $2,500 per knowing violation. Without quoting the entire definition from the Final Rules, the simple version is this: if the product or service you sell or provide is not paid for in full at the time it is provided, you must comply.
Differentiating RFR and HIPAA privacy and security rules
The Health Insurance Portability and Accountability Act (HIPAA) protects health insurance coverage for workers and their families when they change or lose their jobs, and its privacy and security rules govern protected health information (PHI). PHI as defined by HIPAA is also covered by the RFR, but the Rule extends to other sensitive information that HIPAA does not address:
· Credit card information;
· Tax identification numbers: social security numbers, business identification numbers, and employer identification numbers;
· Insurance claims;
· Background checks for employees and service providers.
What is a “Red Flag”?
A red flag is a pattern, practice, or specific account activity that indicates the possible existence of identity theft. The FTC identifies the following categories of red flags:
- Alerts, notifications or warnings from a consumer reporting agency;
- Suspicious documents;
- Suspicious personally identifying information, such as a suspicious address;
- Unusual use of – or suspicious activity relating to – a covered account;
- Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.
How can Health Practitioners Comply with The Red Flag Rules?
In the majority of medical practices, the Red Flag Rules will apply because accepting insurance generally means deferring payment from a patient until payment is received from the insurance carrier. This determination matters because the Red Flag Rules require creditors that maintain covered accounts to identify those accounts that are at risk, and to define, detect, and respond to Red Flags in order to prevent, or at least mitigate, identity theft. In short, the practice's primary goal is to recognize the suspicious circumstances that should put the office on alert for possible theft of a patient's identity, and to respond accordingly.
Obligations Under the Red Flags Rule
The Red Flag Rules require a creditor that maintains covered accounts to develop and implement a written Identity Theft Prevention Program with reasonable policies and procedures to:
1.) Identify Relevant Red Flags;
2.) Detect Red Flags;
3.) Respond appropriately to any Red Flags that are detected;
4.) Oversee the Program;
5.) Train Employees;
6.) Oversee Service Provider Arrangements;
7.) Ensure the Program is Updated Periodically and Provide Reports.
Identify Relevant Red Flags
Health care providers should identify the specific activities or patterns that indicate the possibility of identity theft in their own practice. These include the use of suspicious documents, such as an identification document (e.g. a driver's license) that appears to have been altered, a photograph on the identification that does not resemble the individual presenting it, or other information on the identification that is inconsistent with what the person has provided. Suspicious changes of address and fictitious addresses or phone numbers are also signs of identity theft, as is mail sent to the person that is repeatedly returned as undeliverable. Other red flags include a complaint or question from a patient who has received a bill for another individual; a bill for a service or item the patient says he or she never received; or an Explanation of Benefits or other notice for health care services that were never received.
Detect Red Flags
The Identity Theft Prevention Program should include reasonable procedures for detecting the Red Flags that have been incorporated into the program. These could include verifying the identity of the patients being treated and verifying the validity of any change-of-address request. Providers should implement registration procedures designed to surface red flags. For example, at the time of registration the provider could request, and in some cases (e.g. a driver's license) copy, the following information and documents:
– Driver's license, passport, state identification, or other photo identification;
– Date of birth;
– Physical address and telephone number;
– Insurance card (if available);
– Other verification of identity (such as a voter's registration card or credit card);
– If there is no photo identification, two forms of non-photo identification (e.g. social security card, school identification, utility bill, birth certificate).
The person registering the patient should be alert for any conflicting information (e.g. the photo on the driver's license does not match the patient, the insurance card appears to be altered or forged, or the signature does not match the driver's license). If a red flag is detected during the admission process, the staff member designated to administer the program should be contacted to investigate and take any necessary action. This could involve pausing the admissions process and requesting additional documents or information to verify the identity, or interviewing other individuals.
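The registration checks described here, together with the account-level red flags listed under "Identify Relevant Red Flags" (repeatedly returned mail, suspicious address changes, disputes over services never received, conflicting identifying information), lend themselves to a small rule set that a billing system can run over its own records. The following Python illustration is added here and is not code from the original page, the FTC, or the AMA. The record layout is hypothetical, the threshold of two returns for "repeatedly" undeliverable mail and the 30-day window linking an address change to a later dispute are assumptions, and all sample records are constructed.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable


# Hypothetical record layouts; a real practice-management system will differ.
@dataclass
class Registration:
    account_id: str
    name: str
    stated_dob: date
    id_document_dob: date | None   # DOB read off the photo ID, None if none was shown
    ssn_last4: str
    photo_matches: bool | None     # registrar's judgement, None if no photo ID


@dataclass
class AccountEvent:
    account_id: str
    when: date
    kind: str   # "address_change" | "mail_returned" | "dispute_not_received" | "eob_not_received"


@dataclass
class Finding:
    account_id: str
    red_flag: str
    detail: str


RETURNED_MAIL_THRESHOLD = 2                  # assumption: "repeatedly" means two or more returns
ADDRESS_CHANGE_WINDOW = timedelta(days=30)   # assumption: window tying an address change to a dispute


def check_registration(reg: Registration) -> list[Finding]:
    """Suspicious documents / suspicious PII visible at the front desk."""
    findings = []
    if reg.photo_matches is False:
        findings.append(Finding(reg.account_id, "suspicious_document", "photo on ID does not resemble patient"))
    if reg.id_document_dob is not None and reg.id_document_dob != reg.stated_dob:
        findings.append(Finding(reg.account_id, "suspicious_pii",
                                f"stated DOB {reg.stated_dob} differs from ID DOB {reg.id_document_dob}"))
    return findings


def check_shared_ssn(regs: Iterable[Registration]) -> list[Finding]:
    """The same SSN registered under different names across accounts."""
    by_ssn: dict[str, list[Registration]] = defaultdict(list)
    for r in regs:
        by_ssn[r.ssn_last4].append(r)
    findings = []
    for ssn, group in by_ssn.items():
        if len({r.name for r in group}) > 1:
            for r in group:
                findings.append(Finding(r.account_id, "suspicious_pii",
                                        f"SSN ending {ssn} also registered under a different name"))
    return findings


def check_account_activity(events: Iterable[AccountEvent]) -> list[Finding]:
    """Returned mail, services-not-received disputes, and address changes shortly before a dispute."""
    by_account: dict[str, list[AccountEvent]] = defaultdict(list)
    for e in events:
        by_account[e.account_id].append(e)
    findings = []
    for acct, evs in by_account.items():
        evs.sort(key=lambda e: e.when)
        returned = [e for e in evs if e.kind == "mail_returned"]
        if len(returned) >= RETURNED_MAIL_THRESHOLD:
            findings.append(Finding(acct, "returned_mail", f"{len(returned)} mailings returned undeliverable"))
        for e in evs:
            if e.kind in ("dispute_not_received", "eob_not_received"):
                findings.append(Finding(acct, "services_not_received", f"{e.kind} on {e.when}"))
                changes = [c for c in evs if c.kind == "address_change"
                           and timedelta(0) <= e.when - c.when <= ADDRESS_CHANGE_WINDOW]
                if changes:
                    findings.append(Finding(acct, "suspicious_address_change",
                                            f"address changed {(e.when - changes[-1].when).days} days before dispute"))
    return findings


def run_program(regs: list[Registration], events: list[AccountEvent]) -> dict[str, list[str]]:
    """Map each flagged account to the sorted set of red-flag names raised against it."""
    findings: list[Finding] = []
    for r in regs:
        findings.extend(check_registration(r))
    findings.extend(check_shared_ssn(regs))
    findings.extend(check_account_activity(events))
    flags: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        flags[f.account_id].add(f.red_flag)
    return {acct: sorted(names) for acct, names in sorted(flags.items())}


# Constructed sample data (not real patients).
SAMPLE_REGISTRATIONS = [
    Registration("P-1001", "Jane Doe", date(1980, 3, 4), date(1980, 3, 4), "1234", True),
    Registration("P-1002", "John Roe", date(1975, 7, 9), date(1975, 9, 7), "5678", False),
    Registration("P-1003", "Ann Smith", date(1966, 11, 30), None, "9999", None),
    Registration("P-1004", "A. Smyth", date(1971, 2, 14), date(1971, 2, 14), "9999", True),
]
SAMPLE_EVENTS = [
    AccountEvent("P-1001", date(2010, 2, 1), "mail_returned"),          # a single return: not a flag
    AccountEvent("P-1003", date(2010, 1, 5), "address_change"),
    AccountEvent("P-1003", date(2010, 1, 20), "mail_returned"),
    AccountEvent("P-1003", date(2010, 1, 30), "dispute_not_received"),
    AccountEvent("P-1003", date(2010, 2, 3), "mail_returned"),
]

if __name__ == "__main__":
    for acct, names in run_program(SAMPLE_REGISTRATIONS, SAMPLE_EVENTS).items():
        print(acct, ", ".join(names))
```

Each finding names the red-flag category the FTC list uses, so the designated program administrator receives a consistent handle for the response step; the thresholds and the window are the parts a practice would tune to its own experience with returned mail and disputes.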
Respond to Red Flags
A health care provider should take steps to prevent and mitigate identity theft, including: monitoring covered accounts for evidence of identity theft; contacting the patient where necessary; changing passwords and security codes; declining to collect on an account when the individual has been a victim of identity theft; and notifying law enforcement officials.
A health care provider should have policies and procedures in effect that ensure the integrity of the medical record. When an individual’s identity is stolen to obtain health care services, this can potentially have significant harm for the patient. For example, inaccurate information in the medical record could result in the patient receiving inappropriate services. A provider should immediately correct any errors in medical records resulting from identity theft.
Oversee the Program
The practice should designate someone to develop, implement, administer, and oversee the Identity Theft Prevention Program. Responsibility may rest with the board of directors or with a designated senior member of staff.
Train Employees
It is imperative to train staff on the Identity Theft Prevention Program. This could include general training for all employees and more specific training for employees responsible for patient registration and patient accounts.
Oversee Service Provider Arrangements
For any third party that provides services to a health care provider (e.g. coding, billing, or accounting) and has access to covered accounts, the health care provider must take steps to ensure that the third party's activity complies with its Identity Theft Prevention Program. The business associate contract or other service agreement should include provisions obligating the service provider to comply with the Program's requirements.
Ensure the Program is Updated Periodically and Provide Reports
The Program should be reviewed and updated periodically to reflect changes in the risks to patients and to the practice, for example new service providers or new ways of opening and accessing accounts. On an annual basis, the practice should also produce a written report that addresses matters concerning identity theft, such as the effectiveness of the policies and procedures, significant incidents that have occurred and the response to them, and recommendations for changes to the Program.