New regulation requires medical practices to protect against identity theft
Written by Patricia King, JD
Editor's note Oct. 30, 2009: The FTC today announced "At the request of Members of Congress, the Federal Trade Commission is delaying enforcement of the “Red Flags” Rule until June 1, 2010, for financial institutions and creditors subject to enforcement by the FTC." Source: FTC
Identity Theft "Red Flags": How Healthcare Providers Can Protect Themselves and Patients from Identity Theft.
On November 9, 2007, the Federal Trade Commission (FTC), along with the banking regulatory agencies, published final rules entitled "Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003". Perhaps because health care providers don't ordinarily track actions of the Comptroller of the Currency, the Federal Reserve System and the other bank regulators, it came as a surprise to the health care industry to learn that the FTC thought that hospitals, physicians and other providers could be "creditors" subject to the Red Flags Rule. When the industry did learn of this interpretation, there was great concern.
The FTC concluded that health care professionals who regularly bill for services after the services are rendered are "creditors". Since there is no exception for physicians and other professionals in FACTA's definition of creditor, they are required to comply with the Red Flags Rule. The FTC commented that most physicians would face minimal risk of identity theft, and therefore a simple, streamlined identity theft prevention program should suffice.
While the FTC was not persuaded that physicians should be exempt from the Red Flags Rule, industry pressure did cause the agency to delay enforcement several times: most recently, to November 1, 2009. Meanwhile, the FTC developed resources to help businesses that are at low risk of encountering identity theft - including physician practices - develop identity theft prevention programs adequate for a low-risk environment.
Background of the Red Flags Rule
The Red Flags Rule represents part of a multi-faceted approach to the growing problem of identity theft. According to the FTC's 2006 identity theft report, 8.3 million Americans were victims of identity theft in 2005. Over the last several years, Congress has enacted laws to implement several tools for fighting identity theft:
It is important to recognize that an effective identity theft prevention program will not only protect consumers, but also protect businesses. State and federal laws limit the financial exposure of identity theft victims. Therefore, if a patient has used another person's identity (and benefit eligibility) to obtain health care services, and the identity theft is discovered, any charges to the identity theft victim's account will have to be written off. In many cases, health care providers have sustained large losses due to identity theft.
What does the Red Flags Rule require?
The Red Flags Rule requires a creditor (including a health care provider who bills patients after performance of services) to adopt a written identity theft prevention program. The program should be appropriate for the level of risk of identity theft. For example, a practice where most of the patients are established patients, personally known to the physicians, is at low risk of identity theft and can probably use the FTC's tools for low-risk creditors. By comparison, a health center that sees large numbers of new patients is at greater risk, and will require more detailed policies. Entities that are at high risk may find it appropriate to use commercial tools that validate the address and social security number. Some health care providers even use biometric identifiers. The Red Flags Rule does not mandate any single approach to identity theft prevention, but does require every creditor to determine what is appropriate for the creditor's operations.
The identity theft prevention program should identify the relevant "red flags" - the circumstances that should put staff on alert for potential identity theft. The Red Flags Rule included a supplement that identified some of the most common red flags. Some suspicious circumstances that may be encountered by health care providers include identifying documents that appear to be altered or forged; identifying documents which have a photograph or physical description that does not match the individual's appearance; social security numbers that are invalid, or that are the same as SSNs of other patients; and failure to supply any identifying information.
The program should describe how staff will detect red flags. Some health care providers have changed their registration procedures in response to this requirement (e.g., asking for a photo ID when this had not been requested in the past). The program should also identify the response if a red flag is encountered. Some health care providers may choose not to provide services if the individual's identification is questionable (of course, this option is not available to hospital emergency departments). Alternatively, the provider may decide to provide care, but flag the record for further review.
In addition to describing how to respond if a red flag is encountered at patient registration, the program should describe how the health care provider will respond if a complaint of identity theft is received. For example, an individual may claim that he/she received a bill for services never received. The provider will need to investigate the complaint, and if it turns out that the patient was actually an identity thief using someone else's name and benefit information, the account will have to be corrected (which may require refunding of payment made by a third party payor).
Red Flags Rule compliance presents more complicated issues for health care providers than for banks and finance companies. If identity theft has occurred, there is a possibility that the medical record contains erroneous information, or may even combine information of two individuals.
Medical identity theft
In 2008, the U.S. Department of Health and Human Services, Office of the National Coordinator for Health Information Technology (ONCHIT) engaged Booz Allen Hamilton for a project on medical identity theft. The first phase of the project was an "environmental scan", to capture what was currently known about the scope of the problem of medical identity theft, and existing resources to address the issue. The environmental scan was released on October 15, 2008 - the same day as a "Town Hall meeting" held with stakeholders to discuss the role of health information technology in addressing medical identity theft. The final report of the project was released on January 15, 2009.
The environmental scan used the following definition of medical identity theft:
While acknowledging that data on the incidence of medical identity theft is sparse, the environmental scan noted that according to the FTC's 2006 identity theft report, 3% of identity theft victims (about 250,000 Americans) reported that their identity was used fraudulently to obtain medical services. The difficulty of estimating the incidence of medical identity theft is compounded by the fact that medical identity theft can arise from health care fraud (when a provider fraudulently uses an individual's information to bill for services not provided), from misappropriation of an individual's PII, or from misuse of an individual's PII with that individual's consent to fraudulently obtain health care services.
Medical identity theft requires a two-pronged response: investigation and mitigation of identity theft in accordance with the Red Flags Rule, and restoring the integrity of the medical record. If the identity theft victim has never received services from the provider, the problem is somewhat less complicated: a fraud alert can be placed on the record. If the victim has been a patient, then medical information of the identity thief must be separated from the victim's health information. Under HIPAA, individuals have the right to request amendment of their PHI. A resource developed by the American Health Information Management Association (AHIMA) describes the process as follows:
Covered entities are also obligated under HIPAA to send the amended information to other parties (e.g., other providers, health plans, etc.) in certain cases.
Medical identity theft presents unique risks, because the wrong identifying information can lead to medical errors, and consequently physical as well as financial harm. The trend toward electronic medical records increases the risk. This is likely to be an area for further attention by lawmakers and regulatory agencies.
 72 Fed. Reg. 63718 (Nov. 9, 2007).
 Letter dated February 4, 2009 from Eileen Harrington, Acting Director of Bureau of Consumer Protection, FTC to Margaret Garikes, Director of Federal Affairs, American Medical Association, reproduced online at http://www.ftc.gov/os/statutes/redflags.pdf.
 Official Staff Commentary, 12 C.F.R. § 202.3.
 Federal Trade Commission 2006 Identity Theft Report, available at http://www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf.
 One example is a story reported in the Chicago Tribune in April 2009, describing an illegal immigrant who obtained $530,000 in cancer care using an ID that she had purchased on the black market.
 The environmental scan, transcript of the Town Hall meeting, and final report are available at http://healthit.hhs.gov/portal/server.pt?open=512&mode=2&cached=true&objID=1177&PageID=15441.
 Medical Identity Theft Environmental Scan, Oct. 15, 2008, p. 4.
 45 C.F.R. § 164.526.
 Smith, Applying HIPAA to Identity Theft, in Medical Identity Theft, American Health Information Management Association, 2008 (Nichols, Ed.) p. 65.
 45 C.F.R. § 164.526(c)(3).
About the Author
Patricia King is a health care attorney in Illinois, and principal of the web-based business Digital Age Healthcare LLC (http://www.digitalagemd.com/).