Found it!
Subject: Red Flag Rules require you to watch for identity theft among patients
Source Coder Pink Sheets: Orthopedic
Publication Orthopedic: Orthopedic Coder's Pink Sheet, April 2009, Vol. 10, No. 4
Effective Date Apr 1, 2009
Publish Date Apr 1, 2009
Starting May 1, a new set of government rules require health care providers, including orthopedic practices, to keep an eye out for the possibility of identity theft involving their patients.
Those regulations are the Federal Trade Commission's (FTC's) Red Flag and Address Discrepancy Rules. (The rules actually took effect Nov. 1, 2008, but the FTC extended the implementation date until May 1 this year.) They apply to any entity that may offer credit to consumers, e.g., allowing a patient to pay for a procedure in installments.
What it is: A "Red Flag" is "a pattern, practice, or specific activity that could indicate identity theft," according to a report prepared by the World Privacy Forum to help health care providers understand and apply the Red Flag Rules.
As part of your compliance procedures, you will need to keep an eye out for the possibility your patients may be the victim of identity theft, but you should also consider overseeing employee and vendor access to patient data as well, the Forum report advises.
How to spot it: Potential red flags for physician practices, according to the World Forum report, include complaints or questions from patients based on receipt of:
a bill for another individual;
a bill for a product or service the patient says he never received;
a bill from a health care provider the patient never visited; or
a notice of insurance benefits (or explanation of benefits) for health services never received.
"If you did a good job of HIPAA privacy and security compliance, compliance with the Red Flag Rules will be fairly simple - it will probably amount to a memo or official training," explains Linda Gates-Striby, compliance manager at The Care Group, a 150-doctor physician practice in Indianapolis, Ind.
"You need to be on the lookout for patients who say: ‘I didn't see that doctor,'" Gates-Striby warns. In the past, such a complaint might have made you think there was a billing mistake, she explains. "Now you must also consider the possibility that the patient was a victim of identity fraud."
Tip: Make sure you have a formal way to confirm key facts in the patient's chart when a patient comes in for a visit or procedure.
"Some offices are starting to make a copy of the patient's driver's license, but providers might not want to do that," Gates-Striby says, "because it increases your liability and security exposure to have that on file."
In any case, you can look out for practical "red flags" among your patients, including changes in age, race, or significant variation in chart or height, she advises.
As electronic medical records become more widespread in use, practices will be able to download an increasing amount of this type of demographic and observational data in advance - even on new patients, if they've already been seen by physicians in a different office. And that could help you spot a possible identity theft even for your first-time patients.
What to do if you think you have an identity theft case on your hands: The FTC says that in your Red Flag compliance program, you must "describe appropriate responses that would prevent and mitigate the crime, and detail a plan to update the program."
That response might include inserting a Red Flag Alert in the patient's medical record "to warn providers, insurers, and consumers of potential fraudulent activity," suggests the World Privacy Forum.
If identity theft is confirmed, you may also need to have a process for purging all information entered as a result of the fraudulent activity, leaving a brief cross-reference and explanation of the deletion, the Forum report says.
Official resources:
View an FTC notice about the Red Flag Rules here:
http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm
Download the World Privacy Forum report, "Red Flag and Address Discrepancy Requirements: Suggestions for Health Care Providers," here:
http://www.worldprivacyforum.org/medical.html
