Thiebaud Remington Thornton Bailey LLP

Identity Theft – Red Flag Rules

Identity Theft Red Flags Rule
Presented by: Stan Thiebaud
Stinnett Thiebaud & Remington LLP
Identity Theft Red Flags Rule: originated from the Red Flag and Address Discrepancy Rules, which are part of the Fair and Accurate Credit Transactions Act (FACTA) of 2003. Under the FTC's interpretation of the Rule, health-care providers, including hospitals, medical practices, and other health-care providers, are treated as creditors.
Date of Implementation:
The rules were to become enforceable on November 1, 2009, but on October 30, 2009 the FTC granted an extension until June 1, 2010 for offices to come into compliance. Members of Congress asked for the extension following the recent decision of the U.S. District Court for the District of Columbia, which ruled that the FTC may not apply the Red Flags Rule to attorneys. Similarly, the American Medical Association has been urging the FTC to exempt physicians from the Rule. In mid-October, House Bill 3763 was introduced in Congress seeking to exempt certain businesses from the Red Flags Rule, including health-care practices with 20 or fewer employees. It appears Congress wants more time to consider this bill before any enforcement deadline takes effect.
Who Must Comply?
The Red Flags Rule applies to any entity that meets the definition of a creditor and maintains covered accounts, regardless of whether the health-care provider is a for-profit or not-for-profit entity.
Purpose of the Rule:
Requires applicable entities to implement a written Identity Theft Prevention Program designed to detect the warning signs, or "Red Flags", of identity theft in their day-to-day operations, take steps to prevent the crime, and mitigate the damage it inflicts.
By identifying “Red Flags” in advance, entities will be better equipped to spot suspicious patterns when they arise and take steps to prevent a red flag from becoming a costly episode of identity theft.
For hospitals, physicians, ambulatory surgery centers and other healthcare providers—the goal is to protect against medical identity theft.
What is medical identity theft?
Medical identity theft occurs when someone uses a person's name, and sometimes other parts of their identity such as date of birth or insurance information, without that person's knowledge or consent to obtain medical services or goods or to make false claims for them. Medical identity theft can also result in erroneous entries in existing medical records and can involve the creation of fictitious medical records in the victim's name.
In 2008, HIMSS (Healthcare Information and Management Systems Society) conducted a survey of 155 hospitals and ambulatory facilities across the United States regarding medical identity theft. Of the 155 providers, 20% had experienced medical identity theft at their facility.
Approximately 250,000 people were victims of medical identity theft in 2005 according to the Federal Trade Commission. It is estimated that 1 in 23 identity theft victims is a victim of medical identity theft.
Stealing and cashing in on medical identities is the "theft of the future," according to Kirk Ogrosky, deputy chief for health care fraud in the Department of Justice's criminal division.
What is the draw to medical identity theft?
According to the FTC, a Social Security card is worth $1 on the street, while stolen medical ID cards will fetch between $25 and $50 per identity. "They are worth more because it is so much easier to steal your medical identity information and submit a false claim against your insurance coverage," says AHIMA's director of practice leadership, Harry B. Rhodes. "The average insurance card is usually very plain with only your name on it—no photo, no computer chip like credit cards have—so it is much easier to steal and submit a false claim compared to credit card theft."
The economic benefits are more lucrative as well. “Credit card limits are usually $20,000 or much less nowadays. But the lifetime benefits on insurance are in the millions of dollars. Victims of medical identity theft often realize that their medical identity has been stolen when they are denied benefits because they’ve reached their limit,” Rhodes says.
Cost of Medical Identity Theft to Healthcare Organizations
Healthcare fraud costs between $70 billion and $255 billion per year, which is between 3% and 10% of total U.S. healthcare spending.
The FTC says that it takes five to 20 hours to clean up records after every incident, at a cost of $182 per record.
Privacy experts are concerned that, as we push towards electronic medical records (EMRs), it will become easier for people to gain unauthorized access to sensitive patient information on a large scale.
The Identity Theft Red Flags Rule is the federal government’s current response to this concern as EMRs become the norm in our medical practices and facilities.
Creditor: an entity that offers or maintains accounts, primarily for the customer's personal, family or household purposes, that involve or are designed to permit multiple payments or transactions, OR that regularly extends, renews, or continues credit, or regularly arranges for the extension of credit, including by not demanding payment for goods or services immediately when they are provided.
**The Federal Trade Commission considers physicians and healthcare providers who accept insurance or allow payment plans to be creditors and therefore subject to the Red Flags Rule. Healthcare providers extend credit by allowing deferred payments until the insurance is collected.
The AMA is currently fighting this interpretation by the FTC.
Who is not a creditor? If your practice requires payment in full at the time of service (e.g. cash, credit card, Medicare, or Medicaid), then you are not considered a creditor for purposes of this Rule.
Covered Account—There are two categories of accounts covered:
1) within a physician’s practice, any account offered for the patient’s personal, family or household purposes and is designed for multiple transactions OR
2) any other account that carries a reasonably foreseeable risk of identity theft to the patients served by the entity, or to the safety and soundness of the entity (e.g., within a physician's practice, single-transaction consumer accounts).
**Key to Category 2)—category 2) accounts are considered covered accounts “only if the risk of identity theft is foreseeable”.
Red Flag—a pattern, practice or specific account activity that indicates the possibility of identity theft.
The FTC identifies the following as “Red Flags”:
  • Alerts, notifications or warnings from a consumer reporting agency
  • Suspicious documents and/or personal identifying information, such as an inconsistent address, nonexistent Social Security number, or inaccurate medical information (medications, allergies, recent surgeries)
  • Unusual use of, or suspicious activity relating to, a patient account
  • Notices of possible identity theft from patients, victims of identity theft or law enforcement authorities
Knowing Violation: a "knowing violation" is not a term defined in the Red Flag Regulations; it has been defined by the federal courts. Generally, courts have held that a knowing violation occurs when a person knows his or her legal obligations and purposefully disregards them or is indifferent to them (discussed in American Arms Intern. v. Herbert, 563 F.3d 78 (4th Cir. 2009)).
How the Red Flags Rule differs from HIPAA
While HIPAA protects personal health information, the Red Flags Rule is designed to protect other private and sensitive identifying information including:
  • Credit card information
  • Tax identification numbers—Social Security number, Business and employer identification numbers
  • Unique biometric data, such as a fingerprint, voice print, retina or iris image, or other unique physical representation
  • Unique electronic identification number, address, or routing code (e.g. Medicare or Medicaid numbers)
  • Insurance claim information
  • Background checks for employees and service providers.
How to comply?
The Rule requires organizations to have "reasonable policies and procedures in place" to identify, detect and respond to identity theft "red flags". What counts as "reasonable" depends on your practice's specific circumstances, its experience with medical identity theft, and the degree of identity theft risk in your practice. The policies should complement your practice's existing HIPAA privacy and security policies and procedures, which outline the administrative, technical, and physical safeguards your practice uses to protect your patients' personal health information.
Implementation of Red Flags Program
Risk Assessment
  • Initial assessment to determine if you are a creditor, if you have covered accounts, and if any red flags exist.
  • Perform periodic assessments to determine whether the practice offers or maintains covered accounts
  • Have staff familiar with billing, collections, accounts receivable and patient intake perform the risk assessments. 
Sample Red Flags Program:
  • Identify relevant red flags for the covered accounts that the creditor offers or maintains and incorporate those red flags into its program
  • Detect red flags that have been incorporated into the program
    • train staff on medical identity theft and detecting red flags
    • assign a dedicated staff member to investigate possible red flag
    • institute measures to detect red flags, policies on patient identity verification and authentication, address change confirmation, and patient education and awareness on identity theft
  • Respond to any red flags to prevent and mitigate identity theft; and
  • Ensure the program is updated periodically to reflect changes in risks to customers and to the safety and soundness of the creditor from identity theft
Updating the program factors:
    • changes in methods of identity theft
    • changes in methods to detect, prevent, and mitigate identity theft
    • changes in types of accounts the creditor maintains
    • changes in the business arrangements of creditor
How to Administer Program:
  • Oversight by the board of directors or a board committee; in a smaller entity, by a senior management employee
  • Assign specific responsibility of program to staff member(s)
  • Training of all staff members on Red Flags policy and procedures
  • Create guidelines for appropriate action, including canceling the transaction, notifying the patient and/or authorities and assessing impact on the physician practice or health care provider
  • Have creditor’s staff responsible for program provide regular reports (at least yearly)
  • Reports should contain the following information:
    • Effectiveness of the policies and procedures in addressing the risk of identity theft
    • Service provider arrangements: the practice must ensure that service providers performing activities in connection with covered accounts operate in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft (e.g. by contract, by adoption of the practice's policy, and by requiring notification of any identity theft issues)
    • If using collection agencies—the agency needs to have a program in place to detect and respond to red flags
    • Significant incidents of identity theft and management response
    • Recommended changes to the program
How to Detect Red Flags:
  • Obtain identifying information about, and verify the identity of, the person opening a covered account;
  • For an existing covered account, authenticate the identity of the patient or others acting on the account, monitor transactions, and verify the validity of change-of-address requests.
  • Common red flags seen by a healthcare provider:
    • A complaint or question from a patient based on the patient’s receipt of:
      • a bill for another individual
      • a bill for a product or service that the patient denies receiving
      • a bill from a health care provider that the patient never patronized
      • a notice of insurance benefits (or EOB) for health services never received
    • A complaint or question from a patient about the receipt of a collection notice from a bill collector
Real World Examples:
  • Records showing medical treatment that is inconsistent with a physical examination or with a medical history as reported by the patient
  • A patient or insurance company report that coverage for a legitimate hospital stay is denied because insurance benefits have been depleted or a lifetime cap has been reached
  • A patient who has an insurance number but never produces an insurance card or other physical documentation of insurance
  • A patient who presents a fraudulent insurance card
  • A notice or inquiry from an insurance fraud investigator for a private insurance company or a law enforcement agency  
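The detection steps above (identity verification at intake, monitoring of account activity, confirmation of address changes, and tracking of patient disputes) can be written down as explicit checks that run over account records, so that the designated staff member receives a consistent list of flagged accounts rather than relying on ad hoc recognition. The following is an added example, not part of this presentation or of any FTC guidance: it screens a few constructed patient accounts against a subset of the red flags listed on this page. The record fields, the 30-day address-change window, the flag names and all sample data are assumptions chosen for illustration. The Social Security number check uses only the structural rules published by the Social Security Administration (area 000, 666 and 900-999, group 00 and serial 0000 are never issued); a number that passes this check may still be someone else's, so the flag is a trigger for verification, not proof of fraud.

```python
"""Red-flag screening over constructed patient-account records.

Added illustration (not the presentation's or the FTC's own material):
each check below corresponds to one of the red flags listed on the page.
Field names, thresholds, flag labels and sample data are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Structural SSN rules published by the Social Security Administration.
# Numbers with these components are never issued, so they are "nonexistent".
def ssn_is_structurally_valid(ssn: str) -> bool:
    digits = ssn.replace("-", "")
    if len(digits) != 9 or not digits.isdigit():
        return False
    area, group, serial = int(digits[:3]), int(digits[3:5]), int(digits[5:])
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


@dataclass
class Account:
    account_id: str
    name: str
    dob: date
    ssn: str
    insurance_id: Optional[str]
    insurance_card_seen: bool            # physical card or other documentation produced
    address_changes: List[date] = field(default_factory=list)
    visits: List[date] = field(default_factory=list)
    patient_complaints: List[str] = field(default_factory=list)


# Assumed threshold: a visit this soon after an address change gets a
# confirmation call to the address of record before the claim goes out.
ADDRESS_CHANGE_WINDOW = timedelta(days=30)

# Complaint codes that map directly to the "common red flags" on the page.
DISPUTE_CODES = {
    "bill_for_other_person",
    "bill_for_service_not_received",
    "bill_from_provider_never_visited",
    "eob_for_service_not_received",
    "collection_notice_disputed",
}


def screen_account(acct: Account, today: date) -> List[str]:
    """Return the list of red flags raised by one account (empty if none)."""
    flags: List[str] = []
    if not ssn_is_structurally_valid(acct.ssn):
        flags.append("SSN_NONEXISTENT")
    if acct.dob > today or today.year - acct.dob.year > 120:
        flags.append("DOB_IMPLAUSIBLE")
    # Insurance number on file but no card or documentation ever produced.
    if acct.insurance_id and not acct.insurance_card_seen:
        flags.append("INSURANCE_NUMBER_WITHOUT_CARD")
    # Change of address closely followed by new services.
    for change in acct.address_changes:
        if any(change <= v <= change + ADDRESS_CHANGE_WINDOW for v in acct.visits):
            flags.append("SERVICE_SOON_AFTER_ADDRESS_CHANGE")
            break
    # Patient complaints about bills, EOBs or collection notices they dispute.
    for code in acct.patient_complaints:
        if code in DISPUTE_CODES:
            flags.append("PATIENT_DISPUTE:" + code)
    return flags


def screen_all(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map account_id -> flags, for accounts with at least one flag."""
    result = {}
    for acct in accounts:
        flags = screen_account(acct, today)
        if flags:
            result[acct.account_id] = flags
    return result


# Constructed sample data (fictitious people and identifiers).
TODAY = date(2009, 11, 1)
SAMPLE_ACCOUNTS = [
    Account("A-1001", "Jane Roe", date(1975, 4, 2), "123-45-6789", "BCX123", True,
            visits=[date(2009, 10, 12)]),
    Account("A-1002", "John Doe", date(1962, 9, 30), "666-12-3456", "MED999", False,
            address_changes=[date(2009, 10, 15)], visits=[date(2009, 10, 20)]),
    Account("A-1003", "Mary Major", date(1980, 1, 17), "234-56-7890", "ABC777", True,
            visits=[date(2009, 6, 3)],
            patient_complaints=["eob_for_service_not_received"]),
]

if __name__ == "__main__":
    for account_id, flags in screen_all(SAMPLE_ACCOUNTS, TODAY).items():
        print(account_id, ", ".join(flags))
```

In practice the flagged list would be routed to the staff member assigned to investigate (see "assign a dedicated staff member" above), and each flag resolved and logged so the yearly program report can cite significant incidents and the response to them.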
How to Prevent and Mitigate Identity Theft:
  • Monitor the covered account for evidence of identity theft
  • Contact the holder of the covered account
  • Change passwords or security codes
  • Reopen covered account with a new account number
  • Not attempt to collect on the account
  • Notify law enforcement
  • Determine if no response is necessary
Enforcement of Rules:
  • No criminal penalties
  • Individual patients cannot sue the entity under the Rule
  • Civil penalties of up to $3,500 per violation. The FTC has not officially commented on how it would calculate such penalties; unofficially, it may treat each covered account maintained by a noncompliant entity as a separate violation. Thus even small practices face the potential of large monetary penalties for noncompliance with the Red Flags Rule.
  • Injunctive relief
  • Congress increased the FTC's enforcement budget in 2009 to provide the FTC with more manpower and resources to perform audits for enforcement purposes. If you are not compliant with the Red Flags Rule and a patient sustains losses as a result of your noncompliance, the patient can report you to the FTC, which can impose fines on your practice.
  • FTC staff says that the FTC is willing to resolve compliance issues informally if businesses make good-faith efforts to comply.
Current Legislation and How it May Impact Your Practice
  • HR 3763: passed the House of Representatives on October 20, 2009, and was received in the Senate on October 21, 2009. Currently in the Senate Committee on Banking, Housing and Urban Affairs.
  • The term “Creditor” shall not include health care businesses with 20 or fewer employees. 
  • The term ‘health care professional’ means an individual engaged in providing health care and licensed under State law, including physicians, dentists, podiatrists, chiropractors, physical therapists, occupational therapists, marriage and family therapists, optometrists, speech therapists, language therapists, hearing therapists, and veterinarians.