Health Care Legal Update June 2009
Health Care Providers Must Comply With Identity Theft Red Flags Rule Soon
On January 1, 2008, the federal government issued final rules (the "Red Flags Rule") on Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions ("FACT") Act of 2003. The Red Flags Rule responds to a statutory requirement for "establishment of procedures for the identification of possible instances of identity theft and reconciling addresses." The FTC recently issued guidelines and supplemental information for affected entities which must now comply by August 1, 2009.
The Red Flags Rule seeks to reduce identity theft by requiring affected entities to develop and implement written identity theft prevention programs to identify, detect and mitigate identity theft when red flags are present. A red flag is a pattern, practice or specific activity that indicates the possible existence of identity theft.
Who Must Comply with the Red Flags Rule?
The Red Flags Rule applies to "creditors" (any entity that provides a good or service for which it receives payment at a later time) if they offer or maintain a covered account. "Covered accounts" include accounts maintained primarily for personal, family or household purposes that involve or are designed to permit multiple payments or transactions, or for which there is a reasonably foreseeable risk of identity theft. The FTC defines "creditor" broadly; thus the rules reach beyond the typical financial institutions and creditors such as banks, credit card companies and finance companies and, depending on billing practices and other factors, may require compliance by health care providers. The FTC has taken the position that health care providers are "creditors" for purposes of the Red Flags Rule unless they require full payment up front at the time that services are provided to a patient. Health care providers that accept insurance are considered creditors if the consumer ultimately is responsible for the medical fees. Accordingly, a provider who bills patients after services are provided or allows installment payments could be considered a creditor and, therefore, is required to develop and implement a written identity theft prevention program in accordance with the Red Flags Rule.
Identifying Red Flags
A creditor is required to identify relevant red flags for covered accounts. Thus, the first step in creating an identity theft prevention program, as required by the Red Flags Rule, is to determine which red flags are relevant to your health care organization and to incorporate those red flags into your program. The Red Flags Rule includes a list of red flags that must be considered. Examples of possible applicable red flags include:
- During registration the patient's identification is inconsistent with the patient's name (e.g., the driver's license shows a different last name than the one provided by the patient)
- During registration the patient provides suspicious documents, such as a fake ID or insurance card
- The patient complains that he or she received an explanation of benefits for services not received
- A patient who presents for an episode of care is recognized as someone other than the person whose identity is being presented
- Patients who submit a driver's license, insurance card or other identifying information that appears to have been altered or forged
- The photograph on a driver's license or other photo ID submitted by the patient does not resemble the patient
- Information on one form of identification submitted by the patient is inconsistent with information on another form of identification or information in the provider's records
- Discrepancies exist between admission information and prior account information, or current insurance eligibility information
- The address provided by the patient is known to not exist, or the patient cannot provide anything other than a post office box as an address
- There is an address or name discrepancy on identification or insurance information
- The Social Security number furnished by the patient has not been issued, is listed on the Social Security Administration's Death Master File, or is otherwise unavailable
Detecting Red Flags
Once the health care provider has identified red flags, the provider must take steps to detect them. The health care organization should be sure to verify the identity of persons opening new covered accounts and should authenticate customers with existing covered accounts. For example, the health care provider could request identification, such as a driver's license, passport, state identification card or other photo identification, and two of the following: social security number and social security card, date of birth, physical address, telephone number, insurance card, or other verification such as voter registration card or credit card to confirm the identity of new patients.
Respond Appropriately to Red Flags that are Detected
If a possible identity theft is detected, the health care provider must take steps to prevent or mitigate the identity theft. This includes, for example, responding to notification by a patient of possible identity theft with regard to a medical record or bill. The provider should develop policies with regard to notification of the affected individuals. These policies might include sending a letter to possible victims of identity theft advising them of any relevant security breaches, and suggesting that a fraud alert be placed in such persons' credit files.
In addition, health care providers must ensure the integrity of patient medical records. Thus, if it is confirmed that a patient record was created as a result of identity theft, a notation concerning identity theft should be placed in the record. All incorrect demographic information should also be removed from such record. Furthermore, staff should determine whether any other records are linked to the record found to be created through identity theft. In some instances, identity theft involves the perpetrator receiving care under the name of another person who has been a patient. In such a case, the files of that other person must be reviewed for any information commingled with the perpetrator's medical information.
Implementation of the Identity Theft Prevention Program
The written identity theft program (the "Program") must be designed to "detect, prevent, and mitigate identity theft in connection with those covered accounts." Each entity's Program must be able to detect patterns, practices and certain "red flag" activities that could signal possible identity theft. Programs must include "reasonable policies and procedures" to: (1) Identify red flag activities for covered accounts and incorporate any newly identified red flag activities into the Program, (2) Detect red flag activities, (3) Respond to red flag activities that have been detected, and (4) Update the Program periodically to incorporate new risks. Each Program must be tailored to the scope and complexity of the company's particular business as well as to its past experience with and risk of identity theft.
Effective implementation of a Program includes: (1) Obtaining approval of the Program by the Board of Directors or an appropriate committee of the board, (2) Oversight of service providers who deal with covered accounts, and (3) Training staff to effectively implement the program. Annual reports to the Board or senior management and periodic (not less than annually) review of the red flags and the Program are also mandated.
Penalties for Noncompliance
Failure to comply with the Red Flags Rule may subject a covered entity to an enforcement action by the appropriate federal agency (e.g., the FTC) that has jurisdiction over the financial institution or creditor. The appropriate federal agency has the procedural, investigative and enforcement powers necessary to enforce compliance with the Red Flags Rule. Additionally, the covered entity may be subject to penalties of up to $2,500 per person. The Red Flags Rule does not provide for private legal action; however, there is the potential for private plaintiff lawsuits because a violation of the Red Flags Rule may itself be a violation of state laws. State laws may permit private lawsuits or actions by state attorneys general.
Conclusion
Health care organizations should examine their covered accounts and identify potential sources of red flags, develop a process for detecting identified red flags, and establish procedures for responding to detected red flags. A health care provider's existing HIPAA compliance program or general corporate compliance program can be expanded to include the Red Flags Rule as an additional compliance requirement. Health care providers should begin working through their compliance programs now to implement the Red Flags Rule. Our firm can assist with Red Flags Rule compliance. We can help conduct risk assessments and develop or review your Red Flag program and policies, including employee training; advise on duties to detect, prevent, and mitigate identity theft; analyze and prepare vendor agreements that comply with health care organization Red Flag duties; and advise senior management on responsibilities under the rules. If you require our assistance or have any questions, please contact Michael Dowell at mdowell@tocounsel.com or the lawyer in the firm who generally handles your health care legal matters.
