How to Comply with the Red Flags Rule
Todd C. Brower
You have until Nov. 1 to develop a written program to spot the warning signs — or "red flags" — of medical identity theft, which happens when a person seeks health care using someone else's name or insurance information.
When crafting your identity theft prevention program, use a model policy as a starting point (ftc.gov/redflagsrule), but adapt it to the particular circumstances of your facility. A good program will account for the size and business practices of your facility and include guidelines that employees can rely on in identifying, responding to and mitigating identity theft. The elements you must incorporate into your identity theft prevention program include:
- Identification of relevant red flags. Conduct a risk analysis to identify patterns, practices and specific forms of activity that could signal identity theft. Examples of these red flags might include presentation of suspicious documents or personal identifying information (information on the patient's ID conflicts with that on his insurance card, for example), suspicious account activity or notices from other sources (a patient complaining of receiving an EOB for services never received, for example).
- Detection of red flags. Develop mechanisms by which staff can detect red flags. For example, you may require new patients to present identifying information, such as full name, date of birth, address, government-issued ID and insurance card, and have staff verify such information with the patient's insurance company. Similarly, with existing accounts, you may implement procedures to verify the validity of requests to change billing addresses or to verify the identities of individuals before disclosing any personal information. Emphasize due diligence on the part of staff members; they must follow procedures for verifying identity and authority when processing patient accounts and must be alert for red flags in day-to-day operations.
- Prevention, mitigation and response. Train staff to report suspicious documents, account activity or any other red flag set forth in your identity theft prevention program. Determine how to appropriately respond to a red flag once it's identified. Examples of appropriate responses may include contacting the patient, changing passwords, security codes or other security devices that permit access to an account or, where appropriate, reporting information to law enforcement or other agencies. Clearly state in your policy that the response will be commensurate with the degree of risk posed.
- Periodic updates to the program. The ways in which identity theft occurs are always changing; you must continually adapt your program to respond to new threats you discover or learn from others in the industry.
Identity theft is real, and healthcare providers are vulnerable to liability resulting both from the failure to protect patient information and from losses incurred when patients present fraudulent information in order to pay for services rendered.
© COPYRIGHT 2012 .
BRACH EICHLER L.L.C.
101 EISENHOWER PARKWAY,
ROSELAND, NJ 07068
(973) 228-5700