Getting Red Flag Ready

If you’ve been putting off developing a compliance procedure for the new Red Flags Rule aimed at preventing identity theft, the time has come to act.

The deadline has been pushed to Nov. 1 (from Aug 1), but you shouldn’t expect any further delays. And your practice is most likely not exempt from the rules, which were enacted by the Federal Trade Commission.

Creditors must be able to spot the warning signs, or so-called “red flags,” of identity theft.

Despite the AMA’s aggressive efforts to exempt physicians from the rule, the FTC has determined that most medical practices are indeed considered “creditors.” If you regularly bill patients after the completion of services, including the remainder of fees not covered by insurance, or set up payment plans for patients, you’re considered a creditor by the FTC. Only the cash-only practices that require the entire payment before or at the time of service are not considered creditors and are off the hook here.

The Red Flag Rule is separate from HIPAA privacy regulations. HIPAA is about patients’ medical privacy; the Red Flag Rule is about consumer financial security. Under the rule, practices must show a process for detecting identity theft red flags, preventing and responding to identity theft, and for keeping their program up to date.

Compliance boils down to making sure your patients are who they say they are. Here are a few steps to get you started:

• Check every patient’s ID. Before making a copy of the driver’s license or government-issued ID card, take a closer look and make sure the photo and information match your patient, and that it hasn’t expired. And if the address on the card doesn’t match the one the patient gave you, ask questions, says Barry Herrin, an attorney and partner at Smith Moore Leatherwood LLP, which focuses on healthcare law and policy.

• Look out for suspicious activity. What if a patient gives you insurance information over the phone, but can’t produce the card in person? That seems strange. Or the medical record doesn’t match the information a patient gives (she is a lot taller in person than her chart claims)? Also a little fishy. “You’re dealing with the subtleties of things that don’t add up,” says medical practice consultant Lucien Roberts.

• Fine tune your system for interacting with patients remotely. If a patient calls to ask about her bill, ask for her driver’s license number, Herrin says, or consider having her sign and fax you a statement that you can compare with what you have on file.

• Separate clinical and financial information. Herrin recommends keeping financial information in a separate and secure computer and out of the patient’s medical chart, so Social Security and credit card numbers are viewed by fewer people.

• Set up a comprehensive program. Your Red Flags policy must show the procedures you’ve put in place to detect the red flags, describe how you prevent identity theft, and include details on how you’re training staff on the new procedures. It also must be approved by your Board of Directors and kept up to date to address new risks.

It’s smart to warn your patients of the changes, so they won’t forget to bring along the right information to their next appointment. Send a letter or postcard, and ask them to stop by the office any time to have their ID copied. Some patients may be frustrated by the new procedures, so be ready to put a positive spin on it by explaining that the new rule aims to protect their identity.

Ultimately, the Red Flag Rule will allow your practice to collect better information on your patients, which can mean more efficient billing and fewer denials from third party payers, Herrin says, adding, “And it all comes back to money.”

Sara Michaelis an associate editor with Physicians Practice. She can be reached at sara.michael@cmpmedica.com.

WANT TO KNOW MORE?

• Listen to the Physicians Practice podcast discussion on Red Flag Rules with Cheyenne Brinson, a consultant at Karen Zupko and Associates.
  

• Check out our suggested policy form for complying with Red Flag rules.
  

• Here are some additional identity theft forms related to the regulation.

For more information, visit the FTC guide, the AMA guide, or read the World Privacy Forum report.