Princeton Insurance Company
Risk Management: Fighting Identity Theft with the "Red Flags" Rule (page 2)

A written program must include four basic elements that create a framework for addressing the threat of identity theft:

1. Identify what Red Flags could occur in your practice. The categories of common warning signs listed above are not exhaustive, but are offered to help you think about relevant Red Flags in the context of your practice.

This procedure will outline occurrences that may be Red Flags, such as records showing medical treatment that is inconsistent with a physical examination or with the medical history reported by the patient, or a complaint or question from a patient about receiving a collection notice from a bill collector.

2. Detect Red Flags. This step will describe your practice’s process for detecting Red Flags in day-to-day operations. Procedures may vary depending on whether identity verification or authentication takes place in person or at a distance (phone, mail, etc.). It should describe how you will train staff on medical identity theft and on detecting Red Flags, and whether you have assigned a designated staff member to investigate possible Red Flags.

3. Respond to identity theft. This procedure will describe the actions your practice will take when you spot a Red Flag: the documentation to collect, the process for reporting an incident and the person to whom it is reported. You might also establish guidelines for appropriate action, such as notifying the patient and/or authorities and evaluating the effect on the physician practice. Your response will depend upon the degree of risk (see the guidelines in the rule for more examples of appropriate responses).

4. Update the program. You should periodically assess and revise your program as needed. The goal is to keep it current with your practice’s experience, changes in technology, changes in identity theft tactics and new risks, changes in your operations and arrangements with service providers, and new methods of preventing and mitigating identity theft. Assign responsibility for maintaining and updating the program (and procedures) to a specific individual.


In addition, your program needs to incorporate specific administrative elements, including a process for obtaining management approval of written policies and procedures, and procedures for implementing and keeping it current. It should also describe your process(es) to monitor staff to ensure that they are adhering to the program. The practice must also monitor its vendors and service providers to ensure they provide sufficient precautions to detect and minimize identity theft.

Enforcement delayed until August 1, 2009
Editor's Note 7/31/09: the FTC has delayed the launch again until November 1, 2009.

The FTC recently announced that it will delay enforcement of the rule until August 1, 2009, to give physicians and other organizations that are subject to its regulatory oversight additional time to develop and implement their programs.

The rule does not provide criminal penalties for non-compliance; however, organizations found not in compliance may be subject to financial penalties of up to $2,500 per “knowing violation.”

The AMA and several other medical specialty associations have objected to the inclusion of healthcare providers in the rule, claiming that physicians should not be classified as “creditors.” Despite these objections, as of this writing, the FTC has maintained its position that the language and purpose of the rule do apply to physicians.  

How does the Red Flags Rule differ from HIPAA privacy and security rules?

HIPAA, another federal law that impacts physicians, is intended to protect personal health information (PHI) for security and privacy purposes. PHI is also covered by the Red Flags Rule, but the scope of the rule is broader, extending to other sensitive information such as credit card information, tax identification numbers (social security or employer identification numbers), insurance claim information, and background checks on employees and service providers.

Are there state laws that must be considered?

NJ’s Identity Theft Prevention Act (ITPA)[1], in effect since 2006, also deals with the protection of personal data. The ITPA’s regulations apply to any entity, regardless of size, that does business in NJ and maintains computerized records holding personal information on NJ residents. The ITPA regulations adopted to date include restrictions on the communication of social security numbers. In particular, the regulations require that any business that maintains a client’s credit card information or social security number have in place technology and office procedures to protect the privacy of this information. NJ physicians should incorporate their existing ITPA compliance policies into the new programs they develop to comply with the Red Flags Rule.

Action recommendations

As indicated in the preceding sections, physicians need to evaluate whether their billing and payment practices come within the rule’s definitions of “creditor” and “covered accounts.” If you conclude that you are subject to the rule, then you need to try to identify the Red Flags that are relevant to your practice, and implement procedures to detect them in your day-to-day operations.

Because many physician practices are likely to meet the rule’s broad definition of “creditor” and have patient accounts that fall within the scope of “covered account,” Princeton Insurance encourages physicians to develop a written identity theft detection and prevention program, and make a good faith effort to be in compliance with the rule’s requirements by the August 1st deadline.


For additional information on developing your Identity Theft Prevention Program:

The FTC’s “Fighting Fraud with the Red Flags Rule: A How-to Guide for Business,” a plain-language handbook on developing an Identity Theft Prevention Program: www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.shtm

The FTC’s “Business Alert” on the “Red Flags” Rule’s requirements: www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm

The FTC has published a fill-in-the-blank template for organizations at low risk for identity theft, with instructions to help covered entities design a written identity theft prevention program. Access it at: www.ftc.gov/redflagsrule

The American Medical Association has published a Red Flag Rule Guidance Document (PDF) and Sample Policy (PDF), accessible to members at: www.ama-assn.org/ama/no-index/physician-resources/red-flags-rule_print.html

The law firm Kern, Augustine, Conroy & Schoppmann, P.C. has published a template program to assist practices in meeting the Red Flags Rule: www.drlaw.com/publications/Red_Flag_Rules_Template.pdf

Several professional medical specialty organizations have published information and resources on this topic, including the American College of Obstetricians and Gynecologists article titled “Red Flag Rules Apply to Physicians,” which can be accessed at: www.acog.org/departments/dept_notice.cfm?recno=19&bulletin=4759

This material is not to be construed as establishing professional practice standards or providing legal advice. Information contained herein about reporting requirements is intended as an overview only and in no way guarantees the fulfillment of your obligations as may be required by any local, state or federal laws, regulations or other requirements. Readers are advised to consult a qualified attorney or other professional regarding the information and issues discussed herein, and for advice pertaining to a specific situation. 



[1] NJ Identity Theft Prevention Act, N.J.S.A. 56:11-44, L. 2005, c.226, § 1, Jan. 1, 2006


©2012 Risk Review