Identity theft has been an ongoing concern of government agencies over the past 10 years. It was, in large part, the driving force behind the HIPAA Security Rule implemented by the Department of Health and Human Services. Now, another agency is taking aim at preventing identity theft, and we get to help.
The Federal Trade Commission (FTC) has issued the "Red Flags Rule," which is designed to help "creditors" detect and prevent identity theft. Traditionally, healthcare providers have not thought of themselves as "creditors," since we typically do not charge interest. But the rule's definition turns on deferring payment, not on charging interest: if you bill for your services after they are rendered, you are a creditor under the rule, and you will be responsible for watching for these red flags and taking steps to respond to suspected identity theft (as if you didn't have other things to do!). The FTC will begin enforcing the rule on August 1, 2009, for most healthcare providers.
There are basically four elements required for the written Identity Theft Prevention Program:
- You must identify the red flags relevant to you, taking into consideration the risks inherent in your type of business. For healthcare providers, those risks include patients using someone else's insurance policy, or someone else's name and address, to obtain service. The "red flags" that would alert you to this type of identity theft include a patient who gives an insurance number but cannot produce an insurance card, a complaint from a person you have billed who says he or she never received the service, or a notice (or returned mail) showing that you have an incorrect address.
- Once you have identified what these "red flags" should be, you have to develop a method to detect them. The rule suggests this be accomplished by obtaining and verifying identifying information about the person who is opening an account with you (for us, that would be our patients) and by watching existing accounts for the flags you identified. For ambulance providers, who rarely have the patient fill in an information sheet before service is rendered, verifying insurance coverage during billing should be a key element of your program.
- In the event you detect a "red flag" that indicates possible identity theft, you must respond "appropriately." For example, if a patient complains that you billed him (or his insurance) for services he did not receive, an identified red flag has been detected and you must take action. That action may be to write off the account (once you verify that you do in fact have the wrong patient) and/or to contact law enforcement to let them know about possible identity theft (and theft of your services). It is likely that you have had these situations arise in the past. Use that experience in developing your program.
- You must update your program periodically to reflect changes in identity theft risks and your company's own experience with identity theft. There should also be a written report, at least annually, on the effectiveness of your program. Given the similarities between this rule and the HIPAA Security Rule, the best person at your office to put this program together and write your annual report would likely be your HIPAA Compliance Officer; however, the rule requires that the program be approved by your board of directors and that its administration be overseen by the board or a member of "senior management." Once the written program is in place, you must train your staff on at least the first three elements.
Unfortunately, as you can see from this article or from a review of the rule itself (see www.ftc.gov/opa/2007/10/redflag.shtm), there is not a lot of specific guidance, and much of what is given applies to "creditors" in the traditional sense (ones who take credit applications, or at least have the patient fill in an information sheet before goods or services are given).
This article provides a general outline of the rule's requirements, but it is up to you to actually determine what your "red flags" are, how you will detect them and what you should do once you find an instance of possible identity theft. The information must then be put into a written program and assessed in an annual report. Yes, it is up to you to help prevent identity theft. And you thought all you had to do was save lives!