Mary Ellen Schneider contributed to this article.

WASHINGTON The federal Red Flags Rule that requires creditors to check for identity theft may mean a few new procedures for office-based physicians, Patricia King said at the American Health Lawyers Association's annual meeting.

"Do health care providers have to comply with the Red Flags Rule? Yes, if they're [considered] creditors," said Ms. King, assistant general counsel at Swedish Covenant Hospital in Chicago.

The rule requires creditors to establish formal identity theft prevention programs to protect consumers. Aimed primarily at the financial industry, the regulation was originally scheduled to go into effect on Nov. 1, 2008. However, to give small businesses more time to prepare for compliance, the Federal Trade Commission (FTC) delayed enforcement until May 1, and then until Aug. 1, and most recently until Nov. 1.

Earlier this year, the AMA and physician specialty societies argued that physicians are not creditors because they bill insurance companies, not individual consumers, Ms. King said. "But the patient does get billed for copays, deductibles, and excluded services, so unless all those charges are collected up front, the health care provider is billing and possibly deferring payment for the cost of services."

To address providers' concerns, the FTC has published guidance and developed a template for identity theft prevention program for low-risk creditors. (Information available at www.ftc.gov/bcp/edu/pubs/articles/art11.shtm

Low-risk providers who see the same patients regularly can adopt a simple identity theft program, she said, adding that personnel involved with front desk, medical records, and patient account functions should be involved in the program.

Physicians need to identify which patient accounts will be covered by the rulesuch as those patients who need to make repeat paymentsand develop appropriate policies and procedures, Ms. King said. "The final [Red Flags] rule had 26 examples of identity theft. Look through them and see which ones are most applicable to you."

Providers also need to look at what information they collect when patients register. "Many of us need to re-think our standard registration procedures and beef them up," said Ms. King. One example might be to ask for a photo ID.

Procedures to fight identity theft need to be approved by the organization's board of directors and overseen by senior management, according to the rule, "because this is intended to be a high-priority program, not something that's delegated to a lower-level manager," she said.

Typical "red flags" include:

▸ Insurance information that cannot be verified.

▸ No identification.

▸ A photo ID that doesn't match the patient.

▸ Documents that appear to be altered or forged.

▸ Information given that is different from information already on file.

▸ An invalid Social Security number.

▸ A patient who receives a bill or an explanation of benefits for services he or she didn't receive.

▸ A patient who finds inaccurate information on their credit report or on a medical record.

▸ A payer that says its patient information does not match that supplied by the provider.

When a patient raises one or more red flags, the practice has two options. It could refuse to provide service, although this might raise a problem under the Emergency Medical Treatment and Labor Act, which prohibits providers from not treating persons with questionable identification who require emergency care.

Or the practice could provide the service, but ask the patient to bring in the correct information to his or her next visit. Ms. King cautioned providers about freely providing medical records to a patient suspected of identity theft, because it could lead to more identity theft.

Patients will have to be educated about the new rule, Ms. King said. "Providers are going to run into problems with patient expectations. Patients have gotten used to coming to their doctor … with either no identifying documents or only their insurance card. They will need some education in advance."

She encountered a case of identity theft at her own hospital involving two elderly women, one of whom had a public assistance card, while the other one didn't. They thought it would be okay if the woman without the card used her friend's card. The identity theft was discovered by a hospital radiologist who noticed that the women's scans were different.

Providers also should note that compliance with the Health Insurance Portability and Accountability Act (HIPAA) does not shield them from complying with the Red Flags Rule.

"One of the questions we get is, 'I already comply with HIPAA; aren't I done?' The answer is, 'Probably not,'" said Naomi Lefkowitz of the Federal Trade Commission's division of privacy and identity protection. "The Red Flags Rule is really about fraud protection, and HIPAA is more about data security. There is certainly some overlap, and to the extent that, for example, someone is checking photo IDs … to make sure that the person only has access to their [own] medical record, that's a policy that might do double duty under the client's identity theft program as far as verifying ID … Having the HIPAA program is probably not going to make [providers] compliant."

70464_fx1.sml

Low-risk providers who see the same patients regularly can adopt a simple identity theft program. MS. KING

70464_fx2.sml

'Having the HIPAA program is probably not going to make [providers] compliant' with Red Flags. ms. Lefkowitz

Experts Offer Advice on Complying With the Red Flags Rule