Red Flags Rule: Impact on Healthcare Providers
NOTE: The FTC has extended the enforcement deadline for the Red Flags Rule to December 31, 2010.
Beginning December 31, 2010, most health care providers will be required to comply with the "Red Flags Rule." The Red Flags Rule was issued jointly by the Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration to reduce identity theft.
The Red Flags Rule applies to creditors. Although health care providers do not usually consider themselves "creditors," they meet the rule's broad definition. The term "creditor" includes "any person who regularly extends, renews, or continues credit" or "any person who regularly arranges for the extension, renewal or continuation of credit." Therefore, a health care provider who regularly bills patients after services are completed, allows patients to set up payment plans, or helps patients obtain credit from other sources falls under the rule's definition of creditor.
It is important to recognize that the Red Flags Rule applies only to "covered accounts." A "covered account" includes any account for which there is a "reasonably foreseeable risk" of identity theft. The FTC has specifically stated that it considers patient accounts to carry such a risk because of concerns about identity fraud in the medical care context.
Health care providers subject to the Red Flags Rule are required to implement a written Identity Theft Prevention Program. Providers who already have effective HIPAA Privacy and Security policies in place will meet many of the rule's requirements with regard to preventing identity theft. However, to be fully compliant with the Red Flags Rule, providers must implement policies that specifically address the identification of, detection of, and response to "Red Flags." A "Red Flag" is defined as "a pattern, practice or specific activity that indicates the possible existence of identity theft." In addition, the Identity Theft Prevention Program must be approved by the provider's board of directors (or, where there is no board, by a designated senior manager), and it must include staff training with appropriate oversight.
"Red Flags" that health care providers should watch for in the context of medical identity theft include suspicious activities such as:
· Presentation of identification by a patient that looks altered or forged;
· Information provided by a patient that is inconsistent with previous information contained in the medical chart or obtained from another source such as an insurer, e.g., an inconsistent birth date;
· Mail to a patient that is consistently returned as undeliverable even though the patient still shows up for appointments;
· Patient complaints about getting a bill for services that he or she never received;
· Inconsistency between a medical examination and information in the patient's record;
· Notice from victims of identity theft, law enforcement officers or insurers indicating possible identity theft.
Violation of the Red Flags Rule could result in civil penalties of up to $2,500 per violation. It could also damage a provider's reputation and expose the provider to additional liability. Therefore, providers should not delay in implementing an Identity Theft Prevention Program that complies with the Red Flags Rule. In addition, providers should review their existing HIPAA Privacy and Security policies to determine the extent to which those policies can be incorporated into the Identity Theft Prevention Program.
See the FTC's website for more information on the Red Flags Rule and its impact on health care providers.