Are You Prepared for the Red Flags Rule?

Red Flags Rule is instituted by the FTC and it is designed to protect against identity theft. The rule will take effect on November 1, 2009. It sets out how physicians’ offices, clinics and hospitals assess and identify medical identity theft. This occurs when a person uses another person’s personal information (Name, Social Security Number or insurance information) without the victim’s consent to obtain medical services. As defined by the FTC, “Red Flags” are suspicious patterns or practices that indicate the possibility of identity theft.

Physicians and medical practices are covered under the rule if it is a “creditor” that offers or maintain “covered account”. FTC classifies physicians and medical practices as “creditor” because they extend credits to patients when they bill them and do not collect at the time of service. Patient billing account is considered a “covered account” because it permits multiple payments and it carries a reasonably foreseeable risk to patients.

Four steps to developing a Red Flag compliant program:

1. Identify relevant red flags in your practice. Your program must include policies and procedures to identify the red flags of identity theft
2. Detect red flags: Set up procedures to detect those red flags in your daily operations.
3. Prevent and Mitigate identity theft: Respond appropriately to prevent and mitigate.
4. Update your program and keep it current as the risks of identity theft change rapidly.
5. The FTC guidelines offer a detailed description of each step as well as providing some examples.

Steps physicians and medical practices can do to prevent a compromise of patient record:

• Check patients photo IDs and require a second identification prior to providing medical services.
• Train staff to detect fraud and misuse.
• Monitor who is accessing patient files and records.
• Look for patterns or suspicious activities in patient accounts
• If you detect a fraud, report incident to a law enforcement agency and lockup patient account.

After the Red Flags Rule take effect on November 1 of this year, physicians and medical practices must keep their program updated and to guard against latest threats. Physicians who fail to comply could face a fine of up to $2,500 per identity theft incident. Physicians may even face a lawsuit as well.

Resources to learn more about Red Flags Rule:

The AMA-American Medical Association has prepared a guidance document, along with sample policies to help physicians incorporate a simple identity theft prevention and detection program into their existing compliance and HIPAA security and privacy policies. You can visit The AMA website to access these documents to access these documents.

About Medvertex Client Education Center

Medvertex Client Education Center (CEC) was developed to assist and educate our current and future clients to be good stewards of their clinics’ business and financial health. Our CEC has a library of articles on wide spectrum of topics, tools, processes, latest updates on insurance and government regulations. For more information, please email our Client Education Center at cec@medvertex.com.