Congress Passes Bill to Curb Red Flags Rule
In early December, Congress passed the Red Flag Program Clarification Act of 2010. This bill, which awaits the signature of President Obama, would exclude physicians from the list of “creditors” which must abide by the Federal Trade Commission’s Red Flags Rule.
Because the FTC included physicians in its definition of creditor, the Red Flags Rule would have required medical practices to implement certain policies meant to lessen the possibility of identity theft. The Rule was originally slated to go into effect on Nov. 1, 2008, but the FTC postponed implementation until May 1, 2009, because offices had been given a short timeframe in which to prepare for enforcement. That was followed by numerous other postponements and extensions.
Subsequently, the AMA filed a lawsuit asking the court not to apply the definition of creditor to physician offices. Because a similar suit had previously been filed by the American Bar Association, the AMA and FTC agreed to wait for the outcome of the ABA case before going forward with their own dispute. The passage of the Red Flag Program Clarification Act has essentially rendered the AMA case moot.
“Red Flags Rule” Applies to Doctors
The Federal Trade Commission is delaying enforcement of its identity theft Red Flags Rule to June 1, 2010. Red Flags requires creditors and financial institutions to have in place identity theft prevention, detection, and response systems.
The rules make it necessary for physicians to implement an office strategy to detect possible identity theft. The AMA is now asking the FTC to submit a new rule and allow for public comment on it. The written compliance program must include the following basic elements: (1) the identification of red flags; (2) the detection of such red flags; (3) the appropriate response to any such detection; and (4) the periodic review of the overall program. Failure to comply may result in penalties not to exceed $2,500.
The MSMA also has a sample red flag rule policy available to members.
Remember, your policy should be tailored to your practice and can include the following “red flags”:
• A query from a patient regarding a bill or insurance statement for services never received or in another individual’s name.
• Records showing medical treatment that is inconsistent with a patient’s medical history.
• Suspicious documents, such as a forged license or insurance card.
• A patient who has an insurance number but never produces a card or other documentation.
• A notice from a patient or law enforcement entity indicating possible identity theft.
• Unusual billing patterns.
These are the types of identity theft red flags that your policy should address. Contact MSMA’s Jeff Howell at jhowell@msma.org or 800-869-6762 for more information.
Red Flags Rules Q & A
Many practices are still in the dark concerning the Red Flags Rule. Here are some answers to the most common questions:
What is the Red Flags Rule?
The Rule (an FTC regulation) requires certain entities to develop and maintain a system of procedures to guard against identity theft. Identity theft occurs when one person uses another’s information to commit fraud. As far as practices are concerned, identity theft usually occurs when a person uses another’s medical information to receive medical services. The information could be someone else’s insurance card, credit card, Social Security number, a false driver’s license, etc.
Why do we have to comply?
You may not have to, but if there’s any doubt, it’s best to have a procedure in place. The FTC extended this regulation to “creditors.” A creditor is defined by the FTC as, “any person who regularly extends, renews, or continues credit or any person who regularly arranges for the extension of credit…” This definition includes those entities which extend credit by allowing deferred payment until insurance is collected. This includes a lot of physicians.
Does this supersede HIPAA?
No. HIPAA is supposed to protect sensitive personal health information. The Red Flags Rule covers PHI, but also covers other sensitive information: credit cards, insurance claim information, tax identification numbers, etc.
What is a “red flag”?
A Red Flag is a pattern, practice, or specific account activity that indicates the possibility of identity theft. The FTC has identified some examples: alerts from a credit reporting agency, suspicious documents, unusual activity related to patient accounts, notices of possible identity theft from patients or law enforcement.
How does my practice comply with the rule?
The rule requires practices to have “reasonable policies and procedures in place” to identify, detect, and respond to identity theft red flags. These procedures can be tailored to fit your practice and your degree of risk for identity theft. The procedures should complement your current HIPAA policy.
Where can I find a policy template to get me started?
Many medical associations have templates, including the MSMA (see above) and AMA. You can also contact your specialty society for assistance.