A practical guide to creating and maintaining a ‘red flag’ program

Federal regulations require doctors' offices to set up written procedures to protect against identity theft. Practice pearls outline steps to follow to comply with the new law.

The red flags final rule that takes effect Aug. 1 addresses the growing danger of medical identity theft. The regulations also list the identifying characteristics of medical identity theft and ways to prevent it. Because the rule applies to health care providers who routinely allow patients (consumers) to defer payment (typically while waiting for the insurance policy to reimburse the medical expense), internists are placed in the category of “creditor,” along with banks, credit unions and other financial institutions.

[Editor's note: The rule was originally to take effect May 1; the FTC announced it would delay enforcement on April 30. This Web edition updates ACP Internist's print edition, which mailed to members before the FTC's announced delay.]

The red flags rule requires internists who allow deferral of payments to set up a written identity theft prevention program for their practices. The red flags program must perform four functions.

Identify relevant red flags. With your staff, review the ways you could potentially run into medical identity theft. Are there reports you use that might tell you that something's “not quite right?” Have you experienced it before, and is that pattern emerging again? How was it handled in the past, and were the measures effective? How could they be improved? Develop the resulting comments and suggestions into your written program.

Detect flags. Your practice's red flags program should include:

  • alerts, notifications, or other warnings received from consumer reporting agencies or fraud detection services,
  • the presentation to your office of suspicious documents or suspicious personal identifying information, such as an address change,
  • the unusual use of or other suspicious activity related to an account,
  • notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft, or
  • unusually frequent prescription refill requests, signatures that don't match, inconsistent blood types, or physical characteristics that don't match the information in the existing patient chart.

Prevent and mitigate the risks. Respond appropriately to any red flags that are detected. Be sure you are protecting patient account information. Your practice probably is already doing so for HIPAA compliance. Determine whether your processes contain safeguards for access and/or modification of patient identification information.

Review your existing processes for opening new accounts. If you're not already doing it, make it a policy to request positive identification of your patients at the time of service. Ask to see the patient's photo ID with a name and address. Verify that the patient's address on the presented ID matches the information you have in your files.

Appropriate responses to detected red flags may include the following: monitoring a covered account for evidence of identity theft; contacting the customer; changing any passwords, security codes, or other security devices that permit access to a covered account; reopening a covered account with a new account number; not opening a new covered account; closing an existing covered account; not attempting to collect on a covered account or not selling a covered account to a debt collector; notifying law enforcement; or determining that no response is warranted under the particular circumstances.

Maintain your practice's program. Ensure that your red flags program is updated periodically to reflect changes in risks from identity theft to customers or to the safety and soundness of the financial institution or creditor. Obtain approval of your program from your board of directors, or from a designated senior staff person if you do not have a board. Train your staff to follow and maintain the policies and procedures of your red flags program.

Make your service providers aware of your red flags program. You might want to require them to develop policies and procedures to detect relevant red flags that may arise in the performance of their own activities, and to either report the red flags to your practice or take appropriate steps to prevent or mitigate identity theft.

Assign responsibility for maintaining the written policy to one person, who becomes the compliance officer. Ensure that all staff members are trained in the policies and procedures of the red flags program. Schedule periodic meetings to go over your program to assess how well it's working and whether modifications should be made.

Remember that your program can be tailored to fit the individual needs of each practice, based on its size, its administrative complexity and the nature of its operations. The rule encourages physicians to make their programs' policies and procedures “reasonable.”