Monday, April 20, 2009

Red Flags Rule Takes Effect May 1

Editor's Note: Since this article was published, the date for enforcement has been moved to August 1, 2009.

The new Red Flags Rule regarding identity theft goes into effect May 1. While it is still being challenged, the rule is interpreted to apply to most health care organizations.

Health care organizations that accept insurance or provide payment plans are considered creditors subject to the red flags requirements.

Red Flag - Painting by Ana Bikic

The Red Flags Rule requires creditors to have identity theft prevention programs that identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. Protected Health Information (PHI), Social Security numbers, credit card information, claims data, and other sensitive information are covered by the rule.

According to the Federal Trade Commission (FTC), the Red Flags Rule requires "a written program that identifies and detects the relevant warning signs – or “red flags” – of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the Board of Directors or senior employees ... include appropriate staff training, and provide for oversight of any service providers."

The AMA's Practice Management Center has published a sample policy for Red Flags compliance and a good overview document on what physician practices should do to prepare for Red Flags compliance.

1 comment:

ID Insight said...

We've been following this on the banking side for the past few years. While there are various provisions on the new Red Flag Guidelines, the new prescriptive requirement is for anyone pulling a credit report to take action in the event of an address discrepancy.

This address discrepancy is the leading indicator of identity theft. For example, let's say someone steals my identity (Social, Name, Date of Birth, etc.). Once in hand, they look to open new accounts in the victim's name. In filling out the application, they use all of the victim's credentials but use an alternate address.

They do this so that all statements, checks, etc. get delivered to this alternate address as opposed to the victim's address. When you look at true identity theft cases, you hear this all the time - "Someone in Dallas TX opened up 3 accounts in my name!" How? They filled out an application just like the victim and changed the address.

We are now in the beginning stages of hearing about "medical identity theft". Up until now, most of this fraud has been associated with financial services. However, as the banks have begun to tighten up their ID Theft efforts, we are beginning to see a swing towards the very lucrative health care space where fraud processes aren't nearly as well established.

The one thing we know is that the seasoned fraud professional will always seek the system with fewest controls. In short, health care is a very inviting target, and the new Red Flag Guidelines look to only be the beginning of this impending battle.

Adam J Elliott