

A red flag is a pattern, practice or specific account activity that indicates the possibility of identity theft. The FTC identifies the following as red flags: alerts, notifications or warnings from a consumer reporting agency; suspicious documents and/or personal identifying information, such as an inconsistent address or a non-existent SSN; unusual use of, or suspicious activity relating to, a patient account; and notices of possible identity theft from patients, victims of identity theft or law enforcement authorities.
A Bit of Background
According to the Federal Trade Commission, as many as nine million Americans have their identity stolen each year. So, back in Nov. 2007, the agency issued the Red Flags Rule, which was to take effect Nov. 1, 2008. But many small businesses—including physician practices—were unaware that they needed to comply. The CMA and the AMA both took up the charge—an effort that helped delay implementation requirements for physicians and other businesses until May 1 of this year. Both the CMA and the AMA are continuing their efforts to persuade the FTC that physicians are not creditors and therefore should not be subject to the Red Flags Rule. They also argue that HIPAA compliance covers the majority of the goals of the Red Flags Rule. Yet the FTC is doggedly pursuing its own point: the agency published a nine-page statement on Feb. 1 of this year, with a ruling that specifically includes physicians’ offices in the rules.
We’ll bet that when you enrolled in medical school, you were thinking of a career in, well, medicine—not in finance. Yet, a set of regulations issued by the Federal Trade Commission in November 2007 essentially turns physicians into creditors as of May 1. Poof!
Known familiarly as the Red Flags Rule, the regulations require you to develop and implement written identity theft prevention and detection programs by May 1, if you offer credit or payment plans to consumers, allow consumers to pay in installments, or simply accept insurance as a physician. Congratulations! You are now considered a “Creditor” or a “Financial Institution” under the Identity Theft Red Flags Rules.
The Rules apply to financial institutions and nonfinancial institutions, and they affect businesses as diverse as nonprofits, auto dealerships, and, yes, physicians. As a result, you are now required to establish and maintain a written program, although the details will vary depending on factors such as the size of your practice, the kinds of consumer accounts that your practice maintains, and the potential risk of identity theft. The Rules do not apply to businesses that accept payment by credit card in only a single transaction.
For physician practices, the biggest concern involves medical identity theft. For example, a patient walks in and hands your receptionist his insurance card. But let’s say that the card isn’t really his—he’s just trying to get some free medical treatment. A red flag could be that the chart says the patient is 50 years old, 5'5" and weighs 250 pounds. The person in front of you is clearly younger, taller and much thinner. Red flag! And, as you can imagine, medical identity theft could also result in erroneous entries into existing medical records—an even more serious event when you consider the national move toward electronic health record systems.
But before you start doing any serious hand-wringing, know that establishing and maintaining a program may not be as complicated as it sounds. First, the scale of your identity theft program can be commensurate with the scale of your practice. For some practices, simply checking for photo identification when registering a new patient and monitoring address changes may be enough. Second, the rule allows you to rely on existing security measures—many physicians may comply in large part by relying on current HIPAA policies and procedures since these go a long way toward protecting confidential patient information. Plus, there are already a wealth of resources available to help you from the California Medical Association and the American Medical Association. So let’s get started.
What Is Required
Physician practices must create and institute a written program that is appropriate to their size. The program’s operations identify and detect patterns, practices and specific forms of activity signaling the possibility of identity theft. The Rules provide an extensive list of potential red flags for organizations to use—for example, the attempted use of a photocopied driver’s license as proof of identification, unusual account activity, or a suspicious address-change request. These are provided merely as examples and are not physician-specific.
Your written program must also provide procedures for detecting red flags if they occur, and it must plan for appropriate responses to prevent and mitigate identity theft if a red flag is detected. For example, in addition to monitoring an account for evidence of identity theft, you may find it appropriate to contact the patient, change passwords, close an existing account, or notify law enforcement. The detection and response system must be updated periodically to reflect changes in red flags or changes in a practice’s amount of risk.
The Red Flags Rule also includes four administrative mandates. First, the program must be approved by a board of directors or a senior manager such as a medical director. Second, a board member or senior manager must be involved in the oversight, development, implementation and administration of your identity theft program. Third, the staff must be adequately trained to implement the program, and finally, the program must include oversight of outside service provider arrangements, such as lab services.
Medical practices and other organizations must keep solid documentation of the initial written program, reports, and any decisions made regarding the program. The current penalties for failure to comply with the rules include fines of up to $2,500 per violation, as well as regulatory enforcement actions, which have yet to be clearly defined. Plus, there is an added risk of harm to your practice’s reputation. There is another incentive, too: A well-documented and compliant program will be helpful if your practice is ever implicated in the identity theft of one of its account holders.
The Five Steps for Creating a Program
The FTC outlines the steps you need to take to create a compliant Red Flags Rule program. However, the steps can be difficult to understand. We’ll provide a summary here. The CMA’s Center for Legal Affairs created a comprehensive Red Flags Rule Toolkit that provides much more detail on the rules and it features sample programs. The 26-page toolkit is free for members and $2 per page for non-members; you can find it on the CMA’s website at www.cmanet.org.
STEP 1: Determine if you have covered accounts. The Red Flags Rule only comes into play if you have “covered accounts.” There are generally two types of covered accounts. The first type is a patient account or file used to store patient background and payment information, through which bills and outstanding balances are generated and maintained. Traditional medical records are not likely to be considered covered accounts since they do not generally contain billing information.
The second type of covered account is very broadly defined as, basically, any other account for which there is a reasonably foreseeable risk to patients or to the practice from identity theft. Determining whether an account falls under this definition involves consideration of the methods you use to open patient accounts, the methods you use to access accounts, and your previous experience or exposure to identity theft. For example, there may be a reasonably foreseeable risk of identity theft in connection with accounts that can be accessed remotely, such as through the Internet or by the telephone. There may also be non-patient accounts with third-party vendors, such as labs or imaging services that fall into this category. This is especially likely if such accounts contain patient information that could be used by identity thieves.
STEP 2: Identify red flags relevant to your covered accounts. Although an appendix to the Red Flags Rule provides a list of examples of red flags, not all of them are relevant to physicians. A few that you might consider as a starting point are:
STEP 3: Establish a system to detect relevant red flags. Your program must include policies and procedures to detect possible red flags in connection with opening and maintaining covered accounts. According to the FTC, the greatest risk of identity theft for healthcare providers exists when a patient account is opened. For most physicians, this may mean establishing a secure system for obtaining identifying information about, and verifying the identity of, a patient opening an account. It may also include verifying the identity of patients with existing accounts, periodically monitoring transactions on patient accounts for aberrant activity and validating any address changes associated with the accounts. This is why banks and other institutions will generally send you a letter letting you know that your address has been changed on your account and cautioning you to contact the institution immediately in case of an error. In addition, you should train your staff to detect red flags and assign a designated staff member to investigate any red flags.
STEP 4: Establish policies and procedures to respond to red flags. Once someone in your office detects a red flag, you must have policies on how to respond. Responses should always be appropriate to the level of risk posed. For example, a patient who provides information related to his or her account to someone fraudulently claiming to represent the physician’s office poses a greater risk than someone who puts in for a change of address. Responses should include a plan for gathering documentation if an incident occurs, a process for reporting the incident, and guidelines for appropriate action. Appropriate action may include contacting the patient to verify the accuracy of information, closing the account and opening a new one for the patient, or more closely monitoring an account when a red flag is detected.
STEP 5: Keep the identity theft program up-to-date. You’ll need to review whatever program you put in place at least once a year to make sure all of the red flags are current. You may need to modify your program as methods of identity theft evolve, as technology changes or as your practice changes by, for example, bringing in new physicians or switching third-party billing agents. You’ll also need to adjust your program as your level of risk rises or falls, and of course, you’ll want to streamline policies and procedures as you gain more experience with your program.
Administering Your Program
No one likes adding more reports and administrative overhead into a practice. Fortunately, the Red Flags Rule’s administrative requirements are straightforward and should not be any more work than introducing any other new procedure into your practice. If your practice is small and the patient load equally small, then the administrative part of your program can be very simple.
The Red Flags Rule requires that a member of the board or a management-level team member oversee the program. This oversight includes planning, design and implementation of the program. It’s fine for the administrator to delegate responsibilities to other staff members for implementing the program, reviewing compliance reports and approving changes to the program. You might consider designating your HIPAA compliance officer as your Red Flags Rule administrator as well, since there is overlap between the two programs. (For a detailed comparison of the two programs, check out the CMA’s Red Flags Toolkit, which you can find on the CMA’s website at www.cmanet.org.)
Your program administrator is responsible for providing written reports to the board or to senior management at least once a year. If the administrator does not write the report, he or she must approve a report written by a staff member who is involved in the management of the program. Reports should address issues such as the effectiveness of policies and procedures in addressing the risk of identity theft associated with opening covered accounts and with active accounts, service provider arrangements, significant identity theft incidents and management’s response and recommendations for changes to the program.
Earlier we mentioned that your program needs to cover outside service providers, such as collection agencies or even janitorial services, who may have access to sensitive patient information. Unfortunately, the FTC is not clear about what steps are adequate to comply with this portion of the Rule. Basically, however, the FTC is using this as a reminder to physicians that they are ultimately responsible for compliance, even if they outsource some services to a third party. Physicians, therefore, should take at least some steps to ensure that third parties are compliant. For example, you might change the third party’s contract to say that they will implement policies and procedures to detect relevant red flags, and either report the red flags to the physician or take steps to prevent identity theft when a red flag is detected. In many instances, your service provider may also be subject to the Red Flags Rule and already be compliant.
The End Result
While the Red Flags Rule can seem a little ridiculous at first glance, identity theft is a very real—and very serious—threat in today’s electronic society. As with HIPAA, the Red Flags Rule is meant to help patients and physicians keep information confidential and maintain a trusting relationship. It’s very unlikely that you’ll need to change your practice significantly in order to comply with the program.
It’s also important to remember that the rules do not dictate what information you may or may not obtain from patients. And remember that the wording in the rules stresses that the program should be reasonable and appropriate to the size and complexity of your practice. You do not need to get overzealous in hunting for red flags—go too far and your patients may feel unduly hassled. For example, you may be stepping over the line if you ask a longtime patient that your staff knows well to show an identification card at every visit.
Also remember that your program should take advantage of existing policies and practices so as to minimize disruptions or the need for overhauling workflows. And, of course, you have many resources available to you. Both the CMA and AMA offer sample programs (the CMA’s is a simple, brief four-page program); the FTC offers a basic PDF entitled “Fighting Fraud with the Red Flags Rule,” which you can download from its website at ftc.gov, as well as a list of other resources such as information on data security, protecting personal information and more sources on identity theft in general.
So take a deep breath, use the resources available and get started.