Directory  |  Calendar  |  Forms  |  Contact Us  |  Login

Is Your Practice Prepared for the New Red Flags Rule?

As many as nine million Americans have their identities stolen each year.  In an effort to curb the incidence of this crime, the Federal Trade Commission (FTC) has issued a set of regulations known as the “Red Flags Rule.”  The rule requires certain entities to develop and implement a written identity theft prevention and detection program to protect consumers from identity theft.

• WHO MUST COMPLY
• SPOTTING RED FLAGS
• SETTING UP YOUR IDENTITY THEFT PREVENTION PROGRAM
• WHAT’S AT STAKE
• OTHER RESOURCES

WHO MUST COMPLY
Every healthcare practice must review its billing and payment procedures to determine if it’s covered by the Red Flags Rule.   Whether the law applies to you isn’t based on your status as a healthcare provider, but rather on whether your activities fall within the law’s definition of the term “creditor.”  Creditors are those who do not require payment before or at the time of service.  The law defines “creditor” to include any entity that regularly defers payments for goods or services or arranges for the extension of credit. For example, you are a creditor if you regularly bill patients after the completion of services.
SPOTTING RED FLAGS
What red flags signal identity theft? There’s no standard checklist. Supplement A to the Red Flags Rule — available at ftc.gov/redflagsrule — sets out some examples, but here are a few warning signs that may be relevant to healthcare providers:

• Suspicious documents. Has a new patient given you identification documents that look altered or forged? Is the photograph or physical description on the ID inconsistent with what the patient looks like? Under the Red Flags Rule, you may need to ask for additional information from that patient.
• Suspicious personally identifying information. If a patient gives you information that doesn’t match what you’ve learned from other sources, it may be a red flag of identity theft. For example, if the patient gives you a home address, birth date, or Social Security number that doesn’t match information on file, fraud could be afoot.
• Suspicious activities. Is mail returned repeatedly as undeliverable, even though the patient still shows up for appointments? Does a patient complain about receiving a bill for a service that he or she didn’t get? These questionable activities may be red flags of identity theft.
• Notices from victims of identity theft, law enforcement authorities,  or others suggesting possible identity theft. Have you received word about identity theft from another source? Cooperation is key. Heed warnings from others that identity theft may be ongoing.

SETTING UP YOUR IDENTITY THEFT PREVENTION PROGRAM
The Red Flags Rule gives healthcare providers flexibility to implement a program that best suits the operation of their organization or practice.  If you’re covered by the Rule, your program must:

1. Identify the kinds of red flags that are relevant to your practice;
2. Explain your process for detecting them;
3. Describe how you’ll respond to red flags to prevent and mitigate identity theft; and
4. Spell out how you’ll keep your program current.

WHAT’S AT STAKE
Although there are no criminal penalties for failing to comply with the Rule, violators may be subject to financial penalties. But even more important, compliance with the Red Flags Rule assures your patients that you’re doing your part to fight identity theft.

OTHER RESOURCES
Looking for more information about the Red Flags Rule? The FTC has published Fighting Fraud with the Red Flags Rule: A How-To Guide for Business, a plain-language handbook on developing an Identity Theft Prevention Program. For a free copy of the Guide and for more information about compliance, visit ftc.gov/redflagsrule.

In addition, the FTC has released a fill-in-the-blank form for businesses and organizations at low risk for identity theft. The online form offers step-by-step instructions for creating your own written Identity Theft Prevention Program. You can fill it out online and print it. The do-it-yourself form is available at ftc.gov/redflagsrule.