How to Cope With Red Flags Rule on ID Theft


WASHINGTON — The federal Red Flags Rule that requires creditors to check for identity theft may mean a few new procedures for office-based physicians, Patricia King said at the American Health Lawyers Association's annual meeting.

“Do health care providers have to comply with the Red Flags Rule? Yes, if they're [considered] creditors,” said Ms. King, assistant general counsel at Swedish Covenant Hospital in Chicago.

The rule requires creditors to establish formal identity theft prevention programs to protect consumers. Aimed primarily at the financial industry, the regulation was originally scheduled to go into effect on Nov. 1, 2008. However, to give small businesses more time to prepare for compliance, the Federal Trade Commission (FTC) delayed enforcement until May 1, and then until Aug. 1, and most recently until Nov. 1.

Earlier this year, the AMA and physician specialty societies argued that physicians are not creditors because they bill insurance companies, not individual consumers, Ms. King said. “But the patient does get billed for copays, deductibles, and excluded services, so unless all those charges are collected up front, the health care provider is billing and possibly deferring payment for the cost of services.”

To address health care providers' concerns, the FTC has published guidance and developed a template for an identity theft prevention program for low-risk creditors. (The information is available at

Low-risk providers who see the same patients regularly can adopt a simple identity theft program, she said, adding that personnel involved with front desk, medical records, and patient account functions should be involved in the program.

Physicians need to identify which patient accounts will be covered by the rule—such as those patients who need to make repeat payments—and develop appropriate policies and procedures, Ms. King said. “The final [Red Flags] rule had 26 examples of identity theft. Look through them and see which ones are most applicable to you.”

Providers also need to look at what information they collect when patients register. “Many of us need to re-think our standard registration procedures and beef them up,” said Ms. King.

Procedures for guarding against identity theft need to be approved by the organization's board of directors and overseen by senior management, according to the rule, “because this is intended to be a high-priority program, not something that's delegated to a lower-level manager.”

Typical red flags that practices should watch for include:

▸ Insurance information that cannot be verified.

▸ No identification.

▸ A photo ID that doesn't match the patient.

▸ Documents that appear to be altered or forged.

▸ Information given that is different from information already on file.

▸ An invalid Social Security number.

▸ A patient who receives a bill or an explanation of benefits for services he or she didn't receive.

▸ A patient who finds inaccurate information on their credit report or on a medical record.

▸ A payer that says its patient information does not match that supplied by the provider.

When a particular patient raises one or more red flags, the practice has two options, according to Ms. King. It could refuse to provide service, although this might raise a problem under the Emergency Medical Treatment and Labor Act (EMTALA), a law that prohibits providers from refusing to treat persons with questionable identification who require emergency care. Or the practice could provide the service, but ask the patient to bring in the correct information to his or her next visit. Ms. King cautioned providers about freely providing medical records to a patient suspected of identity theft, because it could lead to more identity theft.

Patients also will have to be educated about the new rule, Ms. King said. “Providers are going to run into problems with patient expectations. Patients have gotten used to coming to their doctor … with either no identifying documents or only their insurance card. They will need some education in advance by being informed when they call on the phone to schedule an appointment, or by signs in the waiting room, that you really need to have identifying documents with you.”

She noted that under EMTALA, a hospital cannot delay performing the medical screening examination or stabilizing treatment to inquire about insurance or payment, “but it can follow reasonable registration processes as long as the medical screening exam is not delayed by the process. So after the patient has been triaged and is sitting in the waiting room waiting to be seen for the medical screening exam, you can ask them for identifying information. But if they don't have identifying information, you can't turn them away. You have to provide the [screening exam] and necessary stabilizing treatment.”

