Raising Red Flags New Rule Picks Up Where Data Security Leaves Off


There is a new set of federal regulations, collectively called the Red Flags Rule, requiring most health care providers to implement a written compliance plan to protect patients from identity theft. The plan must be in place by Nov. 1. Failure to comply can result in civil penalties of up to $2,500 per violation, plus actual damages, punitive penalties, and attorney fees.

This article is intended to help you understand these regulations and to give guidance in developing your compliance program.

What Is the Red Flags Rule?

In response to the growing problem of identity theft, the federal government enacted the Fair and Accurate Credit Transactions Act of 2003 (FACTA). One provision of FACTA requires financial institutions and creditors to put an Identity Theft Prevention Program in place. In November 2007, the Federal Trade Commission (FTC), in a joint effort with several other federal agencies, developed joint final rules and regulations, commonly referred to as the Red Flags Rule, which was published in the Nov. 9, 2007 Federal Register.

The Red Flags Rule requires financial institutions and creditors, as defined by regulations, with ‘covered accounts,’ to implement written compliance programs with reasonable policies and procedures for identifying, detecting, and responding to identity-theft ‘red flags.’ The effective date for compliance was originally Nov. 1, 2008; however, it was extended to May 1, 2009 and again was extended to Aug. 1, 2009, as a result of objections by the American Medical Association (AMA) and others who object to the applicability of this rule to health care providers and other professionals. The final compliance date is now set for Nov. 1.

Does It Apply to My Practice?

In a Feb. 4, 2009 letter to the AMA, the FTC confirmed that physicians and other providers are creditors and subject to the rule when they “regularly defer payment for goods and services.” Specifically, according to the FTC, the Red Flags Rule applies if you regularly extend, renew, or continue credit or allow an assignee to do so on your behalf.

By this, the FTC considers medical and dental practices to be creditors if they bill a patient for services subsequent to the date of visit, including co-pays and deductibles; bill insurance or other third-party payers for services to a patient; or set up a payment plan for patients to pay for services rendered. If they collect payment up front or on the date of delivering goods or services, including accepting credit cards, or if they accept third-party reimbursement as payment in full without balance billing the patient, this isn’t considered extending credit.

Since patient accounts are for personal or family purposes, generally involve multiple payments or transactions, and involve continuing relationships for medical services, they are considered covered accounts.

Doesn’t Our HIPAA Compliance Program Cover This?

The Health Insurance Portability and Accountability Act (HIPAA) addresses the privacy and security of personal health information (PHI). The Red Flags Rule compliments HIPAA in that it covers not only PHI but also credit-card information, tax identification and Social Security numbers, insurance-claim information, and background checks on employees and service providers.

The Red Flags Rule is not a data privacy and security rule in itself, but rather a warning system that someone may be attempting to access a patient’s personal information to illegally procure money, goods, or medical services. While there may be some overlap of data-security practices, the Red Flags Rule identity-theft prevention program is aimed at preventing a different kind of harm. While data security systems play an essential rule in keeping people’s sensitive information from falling into the wrong hands, thieves are resourceful and still may find ways to steal information. The Red Flags Rule adds a second level of protection by paying attention to signs that suggest a fraudulent event may be taking place.

In essence, the Red Flags Rule picks up where data security leaves off. In the words of the FTC, the rule “seeks to prevent identity theft by insuring that your business or organization is on the lookout for the signs that a crook is using someone else’s information typically to get products or services from you with no intention of paying.”

Relevance to Medical Practices

With medical practices, the target of thieves is medical identity theft, the use of someone’s name and other identifying traits, such as insurance information, without that person’s knowledge or consent to obtain or make false claims for medical services or goods. This can also lead to incorrect information made into the victim’s medical records.

Examples of medical theft include procuring medical services under another individual’s name, utilizing patient medical record information to obtain prescription drugs and goods, utilizing patient credit-card information to procure goods and services, and utilizing patient Social Security number to establish a false identity.

What Is a Red Flag?

A red flag is a specific activity, pattern, or practice that indicates the possibility of identity theft in process, such as:

  • The appearance of altered or forged identification documents;
  • Photo or other physical description on identification document not consistent with physical appearance of individual presenting;
  • An address doesn’t match address on file;
  • The individual cannot readily answer questions as to date of birth, Social Security number, or mother’s maiden name;
  • A Social Security number that has not been issued or is listed on the Social Security Administration’s death master file;
  • A P.O. box number given as address in lieu of geographic address;
  • An inactive patient appears with information inconsistent with latest medical demographics;
  • A patient complaint of a bill for services not rendered;
  • An invalid phone number;
  • Failure of the individual to provide accurate authenticating information upon request, i.e., parent’s address, children’s names and ages; and
  • Patient medical record is not indicative of the individual’s physical condition or appearance.

What Do I Need to Do?

The Red Flags Rule requires organizations to have “reasonable policies and procedures in place” to identify, detect, and respond to identity-theft red flags. The rule doesn’t require any specific practice or procedures and does not define what is reasonable. It allows you the flexibility to design your program to address the risks and peculiarities of your organization. Ultimately, the FTC will determine compliance based on its judgment of the reasonableness of your organization’s policies and procedures. More specifically, your plan should enable your staff to:

Identify relevant patterns, practices, and specific forms of activity that are red flags signaling possible identity theft, and incorporate those red flags into the program;

Detect red flags that have been incorporated into the program;

Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and

Ensure the program is updated periodically to reflect changes in risks from identity theft.

How Do I Proceed with Developing a Plan?

First you need to understand the rule and make your health care providers and staff employees aware of its importance. You need to assign an individual or committee the responsibility for developing policies and procedures and a process for responding to a potential fraudulent act. You should designate a compliance officer in your practice and backup individuals as go-to people.

The plan needs to be written and requires approval by the board of directors or other appropriate governing group. Included in the plan should be specific red flags that are relevant to your practice, such as those listed above.

You should schedule a training session for all employees and provide each employee with a copy of the written program. The training session should include some specific scenarios and role-playing responses.

Making your patients aware of the change in policies and that this is being done for their protection is very important. This can be done with a handout as they register and with a posting in the waiting room and your Web site.

Your business associate agreements that you should have as part of your HIPAA compliance program should be updated to incorporate the Red Flags Rule requirements.

As with all compliance programs, you should review and update it annually or more often as situations dictate. New employees need to be versed in the program, and an annual program training session for all employees should be scheduled. This could be done in one session, covering all your practice compliance programs.

Are There Sample Programs and Reference Materials to Help Me?

The Medical Group Management Association, the AMA, and the FTC all have material to help you. The FTC has a booklet, Fighting Fraud with the Red Flags Rule: A How-To Guide for Business, available at www.ftc.gov/redflagsrule. You can also purchase a compliance kit, including a sample program, documents, and step-by-step approach from Decision Health at www.decisionhealth.com/store.

James B. Calnan, CPA, is partner-in-charge of the Health Care Services Division of Meyers Brothers Kalicka, P.C., in Holyoke.

Comments are closed.