Medical Identity Theft

Millions of Americans fall prey to identity theft each year. This crime can not only significantly damage the affected individual’s credit ratings, it can also result in a significant loss of otherwise productive time for that person as he or she remedies the resulting damage.
Identity theft in the health care setting differs from the run-of-the-mill version of the crime. This is because the former is oftentimes more costly to a provider of health care services than the latter is to a provider of general commercial services. For example, health care providers, such as physicians and hospitals, may find that they have provided thousands of dollars’ worth of services to a patient who turns out to have stolen another’s identity. The provider then may have no recourse to be compensated for the services and supplies provided.
In addition, information from the perpetrator of medical identity theft, commingled with the legitimate information in the victim’s medical record, could potentially impact the future medical care given to the victim. Therefore, medical identity theft victims must concern themselves not only with the problems that all identity theft victims have to worry about (such as financial harm, time for clearing their record, fraud alerts, accounts closed), but also that the integrity of their medical information may have been compromised.
Fair and Accurate Credit Transactions Act of 2003 (FACTA) and the Red Flag Rules

The Fair and Accurate Credit Transactions Act of 2003 (FACTA) imposed substantial obligations on credit card issuers, consumer reporting agencies and financial institutions, and other creditors. The FACTA was amended by the Fair Credit Reporting Act, which mandated the promulgation of identity theft regulations.
The FACTA required the Federal Trade Commission (FTC) to establish regulations to mitigate incidents of identity theft. These regulations, which require mandatory compliance by May 1, 2009, are commonly referred to as the “Red Flag Rules.” The Red Flag Rules require affected entities to develop and implement written identity theft prevention programs to identify, detect and mitigate identity theft when red flags are present. A red flag is a pattern, practice or specific activity that indicates the possible existence of identity theft.
There is no private right of action under this legislation, but the FTC can bring a civil enforcement action and recover attorneys’ fees, actual damages and civil penalties of up to $2,500 per violation from creditors who do not comply with the regulations.
While at first most assumed that only financial institutions were affected, it became apparent that the regulatory definition of “creditors” includes anyone who regularly permits individuals to pay for items on a deferred basis. Most hospitals and many medical practices are therefore affected by the Red Flag Rules if they permit patients to pay for services on a deferred basis over time. Furthermore, if a hospital or a medical practice uses consumer reports from nationwide consumer reporting agencies as part of its employment screening process, in addition to the criminal background checks that it is required to do by law, then certain other requirements are placed on the entity.
Hospitals and other providers are considered creditors if they regularly extend, renew or continue credit, or regularly arrange for the extension, renewal or continuation of credit. Those creditors who have “covered accounts” must comply with the Red Flag Rules. An account is a continuing relationship established by a person that a creditor offers or maintains primarily for personal, family or household purposes and that involves, or was designed to permit, multiple payments or transactions. This would include situations in which a provider extends patient payment accounts. Surprisingly, a covered account also includes loans to employees or doctors, and would include loans that a hospital utilizes in any physician recruitment programs to physician corporations or individual physicians. An account may also be considered a covered account if there is a reasonably foreseeable risk of identity theft in connection with it.
Red Flag Rules Compliance ― Identity Theft Prevention Programs

Compliance with the Red Flag Rules involves developing and implementing an identity theft prevention program (ITPP). Thus, healthcare institutions which meet the definition of creditor should develop and implement a written program with policies and procedures to “detect, prevent and mitigate identity theft in connection with the opening of a covered account or any existing covered account.”
Health care providers which, like most institutional providers and physician groups, meet the definition of “creditor” need to develop and implement an identity theft prevention program by May 1, 2009. The program can differ depending on the organization’s size and complexity. Thus, a four-person physician practice might have a much different program than a 500-bed hospital. Any program would include four basic points, which could be covered under one or multiple policies.
An ITPP must be developed from the top down. Thus, it must be approved by the organization’s board of directors, or a committee of the board, and contain provisions in which an appropriate administrative official is assigned responsibility for monitoring and implementing the program. The program must also be reviewed periodically (annually is recommended) to incorporate any updates or revisions, as necessary. Finally, the program should be thought of as another component of the overall compliance activities of the organization. Health care entities have compliance activities for Fraud and Abuse, Ethics in Patient Referral Act matters, privacy issues, tax-exemption issues, etc. The ITPP should just be one more component of such efforts. Many health care providers place this program under the general supervision of the individual in charge of their compliance program.
Given the above, how should a health care provider proceed?
First, it should identify relevant red flags for the covered accounts that the entity offers, and incorporate those red flags into a policy. Common red flags include:
- patients who present for an episode of care and are recognized as someone other than the patient presenting;
- patients who submit a driver’s license, insurance card or other identifying information that appears to have been altered or forged;
- the photograph on a driver’s license or other photo ID submitted by the patient does not resemble the patient;
- information on one form of identification submitted by the patient is inconsistent with information on another form of identification or with information in the provider’s records;
- discrepancies exist between admission information and prior account information, or current insurance eligibility information;
- the address provided by the patient is known not to exist, or the patient cannot provide anything other than a post office box as an address;
- there is an address or name discrepancy on identification or insurance information; and
- the Social Security number furnished by the patient has not been issued, is listed on the Social Security Administration’s Death Master File, or is otherwise unavailable.
Red Flag Rules Compliance ― Red Flag Detection Procedures

The second element of compliance with the Red Flag Rules is the development of procedures designed to detect red flags. These procedures must be incorporated into the ITPP. To do this, the provider should, at the time of registration, request certain information and documents, including: a driver’s license, passport, state identification card or other photo identification, and any two of the following: Social Security number and Social Security card, if available; date of birth; physical address; telephone number; insurance card; or other verification, such as a voter registration card or credit card.
Red Flag Rules Compliance ― Responses to Identified Red Flags

The third element of compliance with the Red Flag Rules involves responding appropriately to any red flag that is detected, in order to prevent or mitigate identity theft. This includes, for example, responding to notification by a patient of possible identity theft with regard to a medical record or bill. The provider should develop policies with regard to notification of the affected individuals. These policies might include sending a letter to possible victims of identity theft advising them of any relevant security breaches, and suggesting that a fraud alert be placed in such persons’ credit files.
In addition, health care providers must ensure the integrity of patient medical records. Thus, if it is confirmed that a patient record was created as a result of identity theft, a notation concerning identity theft should be placed in the record. All incorrect demographic information must also be removed from such record. Furthermore, staff should determine whether any other records are linked to the record found to be created through identity theft. In some instances, identity theft involves the perpetrator receiving care under the name of another person who has been a patient. In such a case, the files of that other person must be reviewed for any information commingled with the perpetrator’s medical information.
Red Flag Rules Compliance ― Identity Theft Prevention Program Execution and Updating

Fourth, the provider should have in place procedures to ensure that the ITPP is updated annually and that, as required, a member of the management team is assigned overall responsibility for the program. Oftentimes, a risk manager or compliance officer can direct the ITPP and oversee compliance with its policies and procedures. A member of senior management should review and evaluate the program’s effectiveness with risk management, at least annually, and report to the board of directors.
A key component of program oversight is training. Once a program is developed and implemented, the organization must designate a trainer and arrange for training of all affected employees. Thereafter, the entity must ensure that the necessary training for new employees in those areas affected by the policy occurs within 30 days of the hiring or engagement.
Generally, hospitals can develop the following four policies to start the program:
- verifying patient identity at time of registration;
- identifying and detecting attempted identity theft or fraud;
- investigation of suspected identity theft; and
- disposition of medical records when identity theft is confirmed.
Finally, as indicated, the hospital should obtain board approval of the ITPP.
The ITPP can be included as part of the overall compliance program, although a compliance officer would have to work with the Chief Financial Officer to develop, initiate and monitor such a program.
For further information, please contact Roy M. Bossen, Angela M. Rust, or your regular Hinshaw attorney.
This publication has been prepared by Hinshaw & Culbertson LLP to provide information on recent legal developments of interest to our readers. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship.