Flagging Identity Theft

Is the Patient Who He Says He Is?


Practice Management Feature - July 2009  


UPDATE:  FTC Delays Red Flags Rule Until June

Tex Med. 2009;105(7):43-46.  

By  Crystal Conde
Associate Editor  

In 2007, John Parsons, a 57-year-old Chicago-area man, allegedly stole the identity of a friend with mental disabilities and used the unsuspecting man's Medicaid account to have heart bypass surgery at Northwestern Memorial Hospital. Medical expenses for the operation totaled $350,000. The disabled man's caregiver became suspicious that something was awry when bills for a procedure he hadn't undergone arrived in the mail.

The hospital ended up footing the bill, unable to recoup the money from Mr. Parsons or to take back the surgery.

What happened to Northwestern Memorial Hospital is a cautionary tale. Medical identity theft doesn't occur only in large medical facilities. It can occur anywhere patients give their Social Security numbers, insurance coverage, financial accounts, or other identifiable information. And, when a patient's identity is stolen, a physician's practice could end up incurring the cost of care, as well as liability for damages the patient suffers from the identity theft.      

Medical identity theft is a harsh reality. The Federal Trade Commission (FTC) reports that of the 8.3 million identity theft victims in the United States in 2005, 4.5 percent experienced some form of medical identity theft. The agency also says 24 percent of victims don't learn someone stole their identity for at least six months. When that much time passes, in 31 percent of cases, the victim's financial loss reaches more than $5,000.

These facts are alarming, and the FTC wants to guarantee medical practices are doing something to thwart the theft of patients' identities. Therefore, the agency has developed regulations requiring "covered entities" to develop, implement, and maintain written programs to identify and respond to patterns, practices, or specific activities - or "red flags" - that indicate possible identity theft.

Known as the "red flag rules," the directives govern programs to prevent, detect, and mitigate identity theft. The FTC originally expected physicians to implement the rules by Nov. 1, 2008. The agency pushed the deadline to May 1 of this year, then delayed it again to Aug. 1.

In its latest decision to postpone, the FTC said it did so to give businesses more time to develop their compliance policies. The Texas Medical Association, the American Medical Association, and 25 other medical societies are resisting the FTC's classification of physicians as creditors and therefore "covered entities" under the rules.

The organizations argued in a letter to the FTC in March that doctors should not be subject to the rules because they overlap other regulatory requirements already imposed on physicians, such as the Health Insurance Portability and Accountability Act (HIPAA). The letter also expressed concern that the FTC did not comply with the Administrative Procedure Act, which requires the agency to explain its regulatory proposals and give the public notice and a chance to comment.

Regardless of whether TMA, AMA, and others can persuade the FTC that doctors shouldn't have to comply with the rules, experts recommend physicians develop policies and procedures that meet the red flag rules before the FTC forces the issue.

While compliance may sound like another administrative hassle, it does not have to be. TMA offers sample policies and procedures physician members can access for free to help meet the FTC's requirements by Aug. 1. The association and AMA have other helpful resources, as well. (See "TMA Helps You Comply With Red Flag Rules.")

What the FTC Says  

The FTC has a two-part test for determining whether physicians are subject to the red flag rules. While TMA disagrees with the agency's reasoning, here's how it goes:

First, a physician must be a creditor, which the FTC defines as "any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit."

In other words, unless patients pay up front in full at the time of every service, a physician is a creditor under the FTC rules. Physicians who regularly bill for services - including copayments and coinsurance - must comply with the rules, according to the FTC.

Second, the physician must offer or maintain for the patient what the FTC refers to as "covered accounts." These include accounts for personal, family, or household purposes that involve multiple payments or transactions and any other accounts for which there is a reasonably foreseeable risk of patient identity theft. The physician creditor also must have a continuing relationship with the patient.

These criteria apply to a vast majority of patient accounts, once again making physicians subject to the rules.

Mike Kreager, JD, a San Antonio health care attorney, says it's a good idea for physicians to adhere to the red flag rules because physicians want to ensure their patients' information is secure and because it's good business. 

Beyond HIPAA  

David Fleeger, MD, an Austin colon and rectal surgeon and past chair of TMA's Council on Practice Management Services, recognizes the rules represent yet another regulation physicians have to contend with, but agrees that preventing identity theft is important.

"Anything we can do to protect patients' identities is a good business practice," he said. "Most of us are used to doing that while complying with HIPAA. We may be more attentive to the clinical data than to financial data, and that degree of security needs to exist for everything, not just the clinical data."

Protecting financial and personal information is exactly what the red flag rules safeguard. According to Mr. Kreager, the rules differ from HIPAA, which concentrates on protecting the confidentiality and privacy of a patient's protected health information (PHI). The red flag rules, he says, extend beyond PHI and protect Social Security numbers, health insurance benefit information, and addresses, for example.

"The 'red flag rules' are looking at the commercial information that relates to the doctor getting paid for services on behalf of the patient," he said.

The rules require an organization's board of directors to approve identity theft prevention programs. But, because most physician practices don't have a board, the senior physician leadership or an individual physician may approve them.

The program also must have a designated compliance officer and a provision for staff training.

Cedar Park Surgeons, PA, already has adopted policies and procedures for complying with the red flag rules, in addition to HIPAA. Jonathan Dayton, the group's practice administrator, says he made sure the practice had identity theft prevention measures when it opened in 2007.

Mr. Dayton referred to TMA's sample policies and procedures for guidance when he refined the practice's existing policy after the red flag rules were proposed. One of the changes he made was asking patients for a driver's license or state identification card to be scanned into the electronic medical record system.

The rules don't require physicians to change the information they request from patients at registration. Asking for a driver's license or some other form of photo identification is one possible measure a practice could take to confirm a patient's identity.

Mr. Dayton also checks the background of new employees to make certain they don't have a history of fraud. In addition, he is the group's compliance officer and is responsible for updating the policies and procedures annually and for overseeing training of staff members.

He also sees the value in abiding by the FTC's red flag rules.

"It makes us double-check ourselves. Following the red flag rules allows us to ensure we're safeguarding ourselves and our patients' identities," he said. 

Identify, Detect, and Respond  

As the name implies, the red flag rules are standards that help physicians identify patterns, practices, or activities that raise suspicion of a possible identity theft. Examples of red flags that could lead to detecting identity theft include:

  • A query from a patient about a bill or insurance statement for services never received or in someone else's name;
  • Records showing medical treatment inconsistent with a patient's medical history;
  • Suspicious documents such as a forged driver's license or health insurance card;
  • A patient who has an insurance number but never produces a card or other documentation;
  • A notice from a patient or law enforcement entity indicating possible identity theft;
  • Name discrepancy on identification or insurance information; and
  • Personal information that's inconsistent with that on file.

It's important to note that the red flag rules aren't one-size-fits-all standards but require identity theft prevention programs to mesh with the size, complexity, and scope of the medical practice. All compliance programs, however, must address plans to:

  • Identify red flags that a physician's office staff may come across in day-to-day operations;
  • Detect those red flags;
  • Respond appropriately upon detecting a red flag; and
  • Reevaluate the compliance program to reflect new risks and necessary modifications.

Responses to red flags will vary and will depend on the degree of risk posed. Appropriate responses to red flags might include monitoring an account, notifying the appropriate members of the office staff, contacting other physicians who treat the patient affected, contacting the patient, or notifying law enforcement.
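To make the identify, detect, and respond cycle concrete, the following is an added illustration (not code from the article, TMA, or the FTC) of a small screening routine that compares what is presented at registration against the record on file, raises the red flags listed above, and maps them to a graded response drawn from the article's list. The field names, the treatment-to-condition table, and the severity thresholds are assumptions a practice would tailor to its own size and risk.

```python
# Added illustration of the identify/detect/respond cycle; field names,
# the treatment-to-condition table and the severity thresholds are assumptions.
from dataclasses import dataclass, field

# Assumed table: a treatment that normally follows a documented condition.
TREATMENT_REQUIRES = {"heart bypass": "coronary artery disease"}

@dataclass
class OnFile:                      # what the practice already holds
    name: str
    dob: str
    address: str
    conditions: set = field(default_factory=set)

@dataclass
class Visit:                       # what is presented at registration
    name: str
    dob: str
    address: str
    insurance_id: str
    card_presented: bool
    photo_id_matches: bool         # staff compared photo ID to the name given
    treatment: str
    external_notice: bool = False  # patient or law enforcement reported theft

def detect_red_flags(on_file: OnFile, visit: Visit) -> list:
    """Return the red flags from the article that this visit triggers."""
    flags = []
    if visit.name != on_file.name or not visit.photo_id_matches:
        flags.append("name discrepancy on identification")
    if visit.insurance_id and not visit.card_presented:
        flags.append("insurance number given but no card produced")
    if (visit.dob, visit.address) != (on_file.dob, on_file.address):
        flags.append("personal information inconsistent with file")
    needed = TREATMENT_REQUIRES.get(visit.treatment)
    if needed and needed not in on_file.conditions:
        flags.append("treatment inconsistent with medical history")
    if visit.external_notice:
        flags.append("notice of possible identity theft")
    return flags

def respond(flags: list) -> str:
    """Graded response using the article's options; thresholds are assumed."""
    if not flags:
        return "no action"
    if "notice of possible identity theft" in flags or len(flags) >= 3:
        return "hold account, contact patient and treating physicians, notify law enforcement"
    if len(flags) == 2:
        return "notify compliance officer and contact patient to verify"
    return "monitor account and notify front-office staff"
```

Every flag raised and the response chosen should also be logged, since the rules' fourth step (reevaluating the program) depends on seeing which red flags actually occur in the practice.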

If a physician knowingly violates the red flag rules, the FTC can levy a penalty of up to $2,500 per infraction. Mr. Kreager adds that states' attorneys general can sue on behalf of patients for up to $1,000 per violation, plus attorney's fees.

While having policies and procedures for compliance doesn't protect a physician from a lawsuit, Mr. Kreager says it helps.

"The practice has a good defense because it exercised reasonable effort to protect the patient by having the policies and procedures in place," he said.

Crystal Conde can be reached by telephone at (800) 880-1300, ext. 1385, or (512) 370-1385; by fax at (512) 370-1629; or by e-mail at Crystal Conde.


TMA Helps You Comply With Red Flag Rules

If the Federal Trade Commission's red flag rules ultimately take effect, the Texas Medical Association stands ready to help you comply with them and avoid hassles.

TMA's Learn @ Lunch audio series offers a prerecorded red flag rules course for continuing medical education credit through Dec. 31. The series covers:

  • What physicians' offices need to do to comply with identity theft prevention regulations;
  • How to develop action plans, policies and procedures, and implementation techniques to assist with compliance; and
  • How to develop a plan to mitigate identity theft.

Physicians can ensure their entire staff receives training on the red flag rules for one payment of $50.

You can access the series through the TMA Web site.

If you have questions or require further assistance, call the TMA Knowledge Center at (800) 880-7955, or contact Shanan Anderson by telephone at (800) 880-1300, ext. 1419, or by e-mail at Shanan Anderson.

In addition, TMA Practice Consulting can train your office staff on general medical office policies and procedures, including red flag rules implementation and compliance. To call on TMA's expertise, simply click here and submit a request for proposal. A TMA staff member will respond within 24 hours to assess your practice's needs. Services are available for a fee that varies based upon the services requested.

Finally, TMA worked with Sarah Fontenot, BSN, JD, to develop sample policies and procedures. The resources are free to TMA members and help members develop their own identity theft compliance plans. The policies and procedures are available on the TMA Web site.

It is important to note that these policies and procedures are specific to the red flag rules and do not reflect HIPAA compliance practices. To ensure privacy and security compliance, a practice will need both identity theft and HIPAA policies and procedures.

The American Medical Association has also created sample policies and procedures available to AMA members on its Web site, www.ama-assn.org. To access the tools, select Physician Resources from the menu, and click on Legal Issues to be directed to Regulatory & Compliance Topics. From the same site, anyone can access the AMA's guidance document, which explains what physicians need to know about the red flag rules.

More information about the red flag rules also is available on the Federal Trade Commission Web site.



