UPDATE:
Since this article was published, new developments have been reported regarding the launch of the Identity Theft Program discussed below. Originally it was to take place August 1, 2009, but it has now been delayed to November 1, 2009.
Overview
The Red Flags Rule is a set of regulations issued by the Federal Trade Commission (FTC) under the Fair and Accurate Credit Transactions Act (FACTA), a federal law (2003) intended to strengthen protection of consumers from identity theft. Identity theft occurs when someone uses another person’s personal identifying information (name, Social Security number, credit card number, insurance enrollment or coverage data) to commit fraud or other crimes.
The rule requires financial institutions and certain businesses to develop and implement written identity theft prevention programs. FACTA provides a broad definition of “creditor” as “any entity that regularly extends, renews or continues credit.” The FTC has interpreted this definition to include healthcare providers and physicians.
What is medical identity theft?
Medical identity theft occurs when a person seeks care using another person’s name or insurance information, without that person’s knowledge or consent, in order to obtain medical services or goods or to make false claims for them.
In a nationwide survey, the FTC found that 4.5 percent of the 8.3 million victims of identity theft had experienced some form of medical identity theft. This translates to roughly 373,500 people affected by medical identity theft. The FTC has taken the position that applying the Red Flags Rule to physicians will reduce the incidence of medical identity theft.
Must all physicians comply with the “Red Flags Rule”?
Physicians will need to review their billing and payment procedures to determine if they are subject to the Red Flags Rule. Medical practices will be subject to the rule if they meet two conditions: (1) They are a “creditor” organization; (2) They have “covered accounts.”
Under the rule, credit is an arrangement by which an entity defers payment of debts or accepts deferred payment for the purchase of goods or services. If a medical practice accepts insurance and then bills the remaining amount to the patient, or allows patient payment plans, it is a “creditor organization.” The FTC considers this to be a creditor arrangement because payments for goods and services are deferred.
Conversely, a medical practice that requires payment before or at the time of service would not be a creditor under the rule. In addition, if a practice accepts only direct payment from Medicare or similar programs where the patient is not responsible for the fees, then it is not a creditor. Simply accepting credit cards as a form of payment at the time of service does not make your practice a creditor under the rule.
Once you’ve concluded that your organization is a creditor, then you need to determine whether you have “covered accounts” as defined by the rule. Patient billing records are covered accounts if they permit multiple payments or if they have a foreseeable risk of identity theft. Under the rule, a medical practice will need to implement a written identity theft program only if it has covered accounts.
What is a Red Flag?
A Red Flag is a pattern, practice or specific account activity that should alert you to possible identity theft. The FTC identifies the following five categories of warning signs or Red Flags:
1. Alerts, notifications or warnings from a consumer reporting agency or a service provider (a person or entity which performs services on your covered accounts)
Example: a notice of address discrepancy provided by a credit reporting agency
2. Suspicious documents
Example: the person presenting the identification, such as a driver’s license, doesn’t look like the photo or match the physical description
3. Suspicious personal identifying information
Example: inconsistencies in the information the person has given, such as an address that conflicts with the one on file, or a Social Security number that has never been issued (according to SSA issuance tables)
4. Unusual use of or suspicious activity relating to a patient account
Example: mail sent to the person that is returned repeatedly as undeliverable but transactions continue on the account
5. Notices of possible identity theft from patients, victims of identity theft or law enforcement authorities
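The Red Flag categories above are, in practice, detection rules run against what the front desk collects at check-in and against the billing history of the account. The following is an added example, not code from the article or from the FTC, showing how a practice's billing system could screen a check-in against the account on file for categories 2, 3 and 4. The account and check-in records are constructed sample data; the "suspicious SSN" check is a structural test only (area numbers 000, 666 and 900-999, group 00 and serial 0000 were never issued under the pre-2011 SSA scheme) and does not consult the SSA high-group issuance tables the article mentions, which the practice would need to obtain separately.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

# Area numbers the SSA never issued under the pre-2011 scheme. Assumption: this is a
# structural check only; it does not replace a lookup against SSA issuance tables.
NEVER_ISSUED_AREAS = {"000", "666"} | {f"{n:03d}" for n in range(900, 1000)}

ABBREVIATIONS = {"street": "st", "avenue": "ave", "road": "rd"}


def ssn_structurally_valid(ssn: str) -> bool:
    """True if the SSN has a form the SSA could actually have issued."""
    digits = ssn.replace("-", "")
    if len(digits) != 9 or not digits.isdigit():
        return False
    area, group, serial = digits[:3], digits[3:5], digits[5:]
    return area not in NEVER_ISSUED_AREAS and group != "00" and serial != "0000"


def normalize_address(addr: str) -> str:
    """Lower-case, drop punctuation and expand a few common abbreviations so that
    '12 Oak Street' and '12 Oak St.' compare equal."""
    words = re.sub(r"[^\w\s]", " ", addr.lower()).split()
    return " ".join(ABBREVIATIONS.get(w, w) for w in words)


@dataclass
class Account:
    account_id: str
    address_on_file: str
    ssn_on_file: str
    transactions: List[date]   # dates charges or payments were posted
    returned_mail: List[date]  # dates mail to address_on_file came back undeliverable


@dataclass
class CheckIn:
    account_id: str
    address_given: str
    ssn_given: str
    id_photo_matches: bool  # front-desk judgement on the presented photo ID


def screen(account: Account, checkin: CheckIn, today: date, window_days: int = 90) -> List[str]:
    """Return the Red Flags raised by this check-in against the account on file."""
    flags = []
    # Category 2: suspicious documents
    if not checkin.id_photo_matches:
        flags.append("suspicious document: presenter does not match photo ID")
    # Category 3: suspicious personal identifying information
    if not ssn_structurally_valid(checkin.ssn_given):
        flags.append("suspicious identifying information: SSN could never have been issued")
    if checkin.ssn_given.replace("-", "") != account.ssn_on_file.replace("-", ""):
        flags.append("suspicious identifying information: SSN differs from the one on file")
    if normalize_address(checkin.address_given) != normalize_address(account.address_on_file):
        flags.append("suspicious identifying information: address differs from the one on file")
    # Category 4: unusual account activity - mail keeps bouncing while charges keep posting
    cutoff = today - timedelta(days=window_days)
    recent_returns = [d for d in account.returned_mail if d >= cutoff]
    recent_activity = [d for d in account.transactions if d >= cutoff]
    if len(recent_returns) >= 2 and recent_activity:
        flags.append("unusual account activity: mail repeatedly returned but transactions continue")
    return flags


# Constructed sample data (hypothetical accounts, not real patients).
ACCOUNT_OK = Account("A-1001", "12 Oak St, Springfield", "123-45-6789",
                     transactions=[date(2009, 6, 1)], returned_mail=[])
ACCOUNT_BOUNCING = Account("A-2002", "8 Pine Rd, Springfield", "219-09-9999",
                           transactions=[date(2009, 5, 3), date(2009, 6, 1), date(2009, 7, 2)],
                           returned_mail=[date(2009, 5, 20), date(2009, 6, 18)])
TODAY = date(2009, 7, 15)

CHECKIN_CLEAN = CheckIn("A-1001", "12 Oak Street, Springfield", "123-45-6789", True)
CHECKIN_SUSPECT = CheckIn("A-1001", "99 Elm Ave, Shelbyville", "666-12-3456", False)
CHECKIN_BOUNCING = CheckIn("A-2002", "8 Pine Road, Springfield", "219-09-9999", True)

if __name__ == "__main__":
    for acct, chk in [(ACCOUNT_OK, CHECKIN_CLEAN), (ACCOUNT_OK, CHECKIN_SUSPECT),
                      (ACCOUNT_BOUNCING, CHECKIN_BOUNCING)]:
        print(chk.account_id, screen(acct, chk, TODAY) or ["no red flags"])
```

The screen does not decide that identity theft has occurred; it produces the list of flags that the written program's response procedures (verify with the patient, hold the claim, notify law enforcement) then act on. The 90-day window and the two-returned-letters threshold are assumptions a practice would tune to its own mail and billing cycle.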
What must physician practices do to comply with the Red Flags Rule?
The Red Flags Rule requires that organizations have “reasonable policies and procedures in place” to identify, detect and respond to identity theft Red Flags. What counts as “reasonable” will depend on your practice’s specific circumstances, its experience with medical identity theft, and the degree of identity theft risk in your practice.