Physicians and health care organizations will have to implement a formal identity theft prevention program to protect their patients under a little-known set of regulations called the “Identity Theft Red Flags Rule.”
The rule, which was issued by the Federal Trade Commission (FTC) in 2007 but will be enforced starting in August, is aimed primarily at creditors and financial institutions. However, after publication of the rule, the FTC informed physician groups that it was interpreting the term creditor broadly to include health care professionals who regularly allow consumers to defer payment for services. Therefore, any medical practices that allow patients to defer payment while they bill insurance would be covered under the rule.
Physicians and other health care professionals were required to come into compliance with the rule as of Aug. 1.
The rule requires health care professionals to develop and implement a written identity-theft prevention and detection program to protect consumers. Specifically, organizations must conduct a risk assessment to determine their vulnerability to identity theft. Next, they must develop and implement a written identity-theft program to identify, detect, and respond to those risks.
As part of the plan, organizations must specify how they will detect the “red flags” alerting them to potential identity theft. The program also must include how the organization will respond once a red flag is detected.
While identity theft is most commonly associated with financial transactions, there is increasing concern about identity theft in the health care sector, according to the FTC. For example, medical identity theft can occur when a patient seeks care using the name or insurance information of another person.
For most physicians in settings with a low risk for fraud, an identity-theft program could be simple, according to the FTC. For example, staff at the practice could check a photo ID at the time services are sought. Another part of a basic program would be to develop steps to take in the event that someone's identity has been misused. That might include not collecting debt from the “true consumer.”
But the interpretation of physicians as creditors has raised the hackles of the American Medical Association, the American College of Cardiology, the Heart Rhythm Society, the Society for Cardiovascular Angiography and Interventions, the American College of Physicians, and several other physician organizations. Those groups contend that physicians are being inappropriately labeled as creditors, and that the requirements place an undue burden on physicians that could adversely affect patients' access to services.
In addition, the physician groups point out that they didn't have an opportunity to comment on the rule's impact before it was issued. Since the 2007 rule didn't explicitly mention physicians, the groups contend that the FTC must publish a new rule and put that new rule out for public comment.
Tips for Red Flags Rule Compliance
Physician practices seeking to comply with the “Red Flags Rule” can begin by appointing someone who will be the officer for the identity-theft prevention program, said Sai Huda, an expert in financial services regulation. The next step is to conduct an inventory of the medical services that are covered by the rule, said Mr. Huda, chairman and CEO of Compliance Coach Inc., a provider of regulatory compliance software. Under the rule, practices also must identify the applicable “red flags” for each of their covered services and develop procedures to detect and respond to potential identity fraud.
Mr. Huda recommended tightening up hiring and retention practices as part of the effort to reduce fraud. It's worth spending the money for a background and credit check on potential new hires, he said.
Compliance Coach sells an online tool to help in the formulation of an identity theft prevention plan, but there are also free resources that physicians can use to help set up a program. Mr. Huda advised that physicians check out the Red Flags Rule at