Expert Offers Advice on Coping With Red Flags Rule

WASHINGTON — The federal Red Flags Rule that requires creditors to check for identity theft may mean a few new procedures for office-based physicians, Patricia King said at the American Health Lawyers Association's annual meeting.

“Do health care providers have to comply with the Red Flags Rule? Yes, if they're [considered] creditors,” said Ms. King, assistant general counsel at Swedish Covenant Hospital in Chicago.

The rule requires creditors to establish formal identify theft prevention programs to protect consumers.

Aimed primarily at the financial industry, the regulation was originally scheduled to go into effect on Nov. 1, 2008. However, to give small businesses more time to prepare for compliance, the Federal Trade Commission (FTC) delayed enforcement until May 1, and then until Aug. 1, and most recently until Nov. 1.

Earlier this year, the AMA and physician specialty societies argued that physicians are not creditors because they bill insurance companies, not individual consumers, Ms. King said. “But the patient does get billed for copays, deductibles, and excluded services, so unless all those charges are collected up front, the health care provider is billing and possibly deferring payment for the cost of services.”

To address health care providers' concerns, the FTC has published guidance and developed a template for identity theft prevention program for low-risk creditors. (The information is available at www.ftc.gov/bcp/edu/pubs/articles/art11.shtm

Low-risk providers who see the same patients regularly can adopt a simple identity theft program, she said, adding that personnel involved with front desk, medical records, and patient account functions should be involved in the program.

Physicians need to identify which patient accounts will be covered by the rule—such as those patients who need to make repeat payments—and develop appropriate policies and procedures, Ms. King said.

“The final [Red Flags] rule had 26 examples of identity theft. Look through them and see which ones are most applicable to you.”

Providers also need to look at what information they collect when patients register. “Many of us need to re-think our standard registration procedures and beef them up,” said Ms. King. One example might be to ask for a photo ID.

Procedures for guarding against identity theft need to be approved by the organization's board of directors and overseen by senior management, according to the rule, “because this is intended to be a high-priority program, not something that's delegated to a lower-level manager.”

Typical “red flags” that practices should watch for include:

▸ Insurance information that cannot be verified;

▸ No identification;

▸ A photo ID that does not match the patient;

▸ Documents that appear to be altered or forged;

▸ Information given that is different from information already on file;

▸ An invalid Social Security number;

▸ A patient who receives a bill or an explanation of benefits for services he or she didn't receive;

▸ A patient who finds inaccurate information on their credit report or on a medical record; or

▸ A payer that says its patient information does not match that supplied by the provider.

When a particular patient raises one or more red flags, the practice has two options, according to Ms. King. It could refuse to provide service, although this might raise a problem under the Emergency Medical Treatment and Active Labor Act (EMTALA), a law that prohibits providers from not treating persons with questionable identification who require emergency care.

Or the practice could provide the service, but ask the patient to bring in the correct information to his or her next visit. Ms. King cautioned providers about freely providing medical records to a patient suspected of identity theft, because it could lead to more identity theft.

Patients also will have to be educated about the new rule, Ms. King said. “Providers are going to run into problems with patient expectations. Patients have gotten used to coming to their doctor … with either no identifying documents or only their insurance card. They will need some education in advance by being informed when they call on the phone to schedule an appointment, or by signs in the waiting room, that you really need to have identifying documents with you.”

Ms. King encountered a case of identity theft at her own hospital involving two elderly women, one of whom had a public assistance card, while the other one didn't.

The two of them thought it would be all right if the woman without the card used her friend's public assistance card to get care. The identity theft was discovered by radiologist in the hospital who noticed that the women's scans were different.

She noted that under EMTALA, a hospital cannot delay performing the medical screening examination or stabilizing treatment, to inquire about insurance or payment, “but it can follow reasonable registration processes as long as the medical screening exam is not delayed by the process. So after the patient has been triaged and is sitting in the waiting room waiting to be seen for the medical screening exam, you can ask them for identifying information. But if they don't have identifying information, you can't turn them away. You have to provide the [screening exam] and necessary stabilizing treatment.”

Providers also should note that compliance with the Health Insurance Portability and Accountability Act (HIPAA) does not shield them from complying with the Red Flags Rule.

“One of the questions we get is, 'I already comply with HIPAA; aren't I done?' The answer is, 'Probably not,'” said Naomi Lefkowitz of the division of privacy and identity protection at the Federal Trade Commission.

“The Red Flags Rule is really about fraud protection, and HIPAA is more about data security. There is certainly some overlap, and to the extent that, for example, someone is checking photo IDs … to make sure that the person only has access to their [own] medical record, that's a policy that might do double duty under the client's identity theft program as far as verifying identification.

“But merely having the HIPAA program is probably not going to make [providers] compliant with Red Flags,” she added.

Mary Ellen Schneider contributed to this article.

WASHINGTON — The federal Red Flags Rule that requires creditors to check for identity theft may mean a few new procedures for office-based physicians, Patricia King said at the American Health Lawyers Association's annual meeting.

“Do health care providers have to comply with the Red Flags Rule? Yes, if they're [considered] creditors,” said Ms. King, assistant general counsel at Swedish Covenant Hospital in Chicago.

The rule requires creditors to establish formal identify theft prevention programs to protect consumers.

Aimed primarily at the financial industry, the regulation was originally scheduled to go into effect on Nov. 1, 2008. However, to give small businesses more time to prepare for compliance, the Federal Trade Commission (FTC) delayed enforcement until May 1, and then until Aug. 1, and most recently until Nov. 1.

Earlier this year, the AMA and physician specialty societies argued that physicians are not creditors because they bill insurance companies, not individual consumers, Ms. King said. “But the patient does get billed for copays, deductibles, and excluded services, so unless all those charges are collected up front, the health care provider is billing and possibly deferring payment for the cost of services.”

To address health care providers' concerns, the FTC has published guidance and developed a template for identity theft prevention program for low-risk creditors. (The information is available at www.ftc.gov/bcp/edu/pubs/articles/art11.shtm

Low-risk providers who see the same patients regularly can adopt a simple identity theft program, she said, adding that personnel involved with front desk, medical records, and patient account functions should be involved in the program.

Physicians need to identify which patient accounts will be covered by the rule—such as those patients who need to make repeat payments—and develop appropriate policies and procedures, Ms. King said.

“The final [Red Flags] rule had 26 examples of identity theft. Look through them and see which ones are most applicable to you.”

Providers also need to look at what information they collect when patients register. “Many of us need to re-think our standard registration procedures and beef them up,” said Ms. King. One example might be to ask for a photo ID.

Procedures for guarding against identity theft need to be approved by the organization's board of directors and overseen by senior management, according to the rule, “because this is intended to be a high-priority program, not something that's delegated to a lower-level manager.”

Typical “red flags” that practices should watch for include:

▸ Insurance information that cannot be verified;

▸ No identification;

▸ A photo ID that does not match the patient;

▸ Documents that appear to be altered or forged;

▸ Information given that is different from information already on file;

▸ An invalid Social Security number;

▸ A patient who receives a bill or an explanation of benefits for services he or she didn't receive;

▸ A patient who finds inaccurate information on their credit report or on a medical record; or

▸ A payer that says its patient information does not match that supplied by the provider.

When a particular patient raises one or more red flags, the practice has two options, according to Ms. King. It could refuse to provide service, although this might raise a problem under the Emergency Medical Treatment and Active Labor Act (EMTALA), a law that prohibits providers from not treating persons with questionable identification who require emergency care.

Or the practice could provide the service, but ask the patient to bring in the correct information to his or her next visit. Ms. King cautioned providers about freely providing medical records to a patient suspected of identity theft, because it could lead to more identity theft.

Patients also will have to be educated about the new rule, Ms. King said. “Providers are going to run into problems with patient expectations. Patients have gotten used to coming to their doctor … with either no identifying documents or only their insurance card. They will need some education in advance by being informed when they call on the phone to schedule an appointment, or by signs in the waiting room, that you really need to have identifying documents with you.”

Ms. King encountered a case of identity theft at her own hospital involving two elderly women, one of whom had a public assistance card, while the other one didn't.

The two of them thought it would be all right if the woman without the card used her friend's public assistance card to get care. The identity theft was discovered by radiologist in the hospital who noticed that the women's scans were different.

She noted that under EMTALA, a hospital cannot delay performing the medical screening examination or stabilizing treatment, to inquire about insurance or payment, “but it can follow reasonable registration processes as long as the medical screening exam is not delayed by the process. So after the patient has been triaged and is sitting in the waiting room waiting to be seen for the medical screening exam, you can ask them for identifying information. But if they don't have identifying information, you can't turn them away. You have to provide the [screening exam] and necessary stabilizing treatment.”

Providers also should note that compliance with the Health Insurance Portability and Accountability Act (HIPAA) does not shield them from complying with the Red Flags Rule.

“One of the questions we get is, 'I already comply with HIPAA; aren't I done?' The answer is, 'Probably not,'” said Naomi Lefkowitz of the division of privacy and identity protection at the Federal Trade Commission.

“The Red Flags Rule is really about fraud protection, and HIPAA is more about data security. There is certainly some overlap, and to the extent that, for example, someone is checking photo IDs … to make sure that the person only has access to their [own] medical record, that's a policy that might do double duty under the client's identity theft program as far as verifying identification.

“But merely having the HIPAA program is probably not going to make [providers] compliant with Red Flags,” she added.

Mary Ellen Schneider contributed to this article.

WASHINGTON — The federal Red Flags Rule that requires creditors to check for identity theft may mean a few new procedures for office-based physicians, Patricia King said at the American Health Lawyers Association's annual meeting.

“Do health care providers have to comply with the Red Flags Rule? Yes, if they're [considered] creditors,” said Ms. King, assistant general counsel at Swedish Covenant Hospital in Chicago.

The rule requires creditors to establish formal identify theft prevention programs to protect consumers.

Aimed primarily at the financial industry, the regulation was originally scheduled to go into effect on Nov. 1, 2008. However, to give small businesses more time to prepare for compliance, the Federal Trade Commission (FTC) delayed enforcement until May 1, and then until Aug. 1, and most recently until Nov. 1.

Earlier this year, the AMA and physician specialty societies argued that physicians are not creditors because they bill insurance companies, not individual consumers, Ms. King said. “But the patient does get billed for copays, deductibles, and excluded services, so unless all those charges are collected up front, the health care provider is billing and possibly deferring payment for the cost of services.”

To address health care providers' concerns, the FTC has published guidance and developed a template for identity theft prevention program for low-risk creditors. (The information is available at www.ftc.gov/bcp/edu/pubs/articles/art11.shtm

Low-risk providers who see the same patients regularly can adopt a simple identity theft program, she said, adding that personnel involved with front desk, medical records, and patient account functions should be involved in the program.

Physicians need to identify which patient accounts will be covered by the rule—such as those patients who need to make repeat payments—and develop appropriate policies and procedures, Ms. King said.

“The final [Red Flags] rule had 26 examples of identity theft. Look through them and see which ones are most applicable to you.”

Providers also need to look at what information they collect when patients register. “Many of us need to re-think our standard registration procedures and beef them up,” said Ms. King. One example might be to ask for a photo ID.

Procedures for guarding against identity theft need to be approved by the organization's board of directors and overseen by senior management, according to the rule, “because this is intended to be a high-priority program, not something that's delegated to a lower-level manager.”

Typical “red flags” that practices should watch for include:

▸ Insurance information that cannot be verified;

▸ No identification;

▸ A photo ID that does not match the patient;

▸ Documents that appear to be altered or forged;

▸ Information given that is different from information already on file;

▸ An invalid Social Security number;

▸ A patient who receives a bill or an explanation of benefits for services he or she didn't receive;

▸ A patient who finds inaccurate information on their credit report or on a medical record; or

▸ A payer that says its patient information does not match that supplied by the provider.

When a particular patient raises one or more red flags, the practice has two options, according to Ms. King. It could refuse to provide service, although this might raise a problem under the Emergency Medical Treatment and Active Labor Act (EMTALA), a law that prohibits providers from not treating persons with questionable identification who require emergency care.

Or the practice could provide the service, but ask the patient to bring in the correct information to his or her next visit. Ms. King cautioned providers about freely providing medical records to a patient suspected of identity theft, because it could lead to more identity theft.

Patients also will have to be educated about the new rule, Ms. King said. “Providers are going to run into problems with patient expectations. Patients have gotten used to coming to their doctor … with either no identifying documents or only their insurance card. They will need some education in advance by being informed when they call on the phone to schedule an appointment, or by signs in the waiting room, that you really need to have identifying documents with you.”

Ms. King encountered a case of identity theft at her own hospital involving two elderly women, one of whom had a public assistance card, while the other one didn't.

The two of them thought it would be all right if the woman without the card used her friend's public assistance card to get care. The identity theft was discovered by radiologist in the hospital who noticed that the women's scans were different.

She noted that under EMTALA, a hospital cannot delay performing the medical screening examination or stabilizing treatment, to inquire about insurance or payment, “but it can follow reasonable registration processes as long as the medical screening exam is not delayed by the process. So after the patient has been triaged and is sitting in the waiting room waiting to be seen for the medical screening exam, you can ask them for identifying information. But if they don't have identifying information, you can't turn them away. You have to provide the [screening exam] and necessary stabilizing treatment.”

Providers also should note that compliance with the Health Insurance Portability and Accountability Act (HIPAA) does not shield them from complying with the Red Flags Rule.

“One of the questions we get is, 'I already comply with HIPAA; aren't I done?' The answer is, 'Probably not,'” said Naomi Lefkowitz of the division of privacy and identity protection at the Federal Trade Commission.

“The Red Flags Rule is really about fraud protection, and HIPAA is more about data security. There is certainly some overlap, and to the extent that, for example, someone is checking photo IDs … to make sure that the person only has access to their [own] medical record, that's a policy that might do double duty under the client's identity theft program as far as verifying identification.

“But merely having the HIPAA program is probably not going to make [providers] compliant with Red Flags,” she added.

Mary Ellen Schneider contributed to this article.