| Identity theft is the number one crime in America. | | | | an identity theft program that contains written |
| Medical identity theft, where individuals receive | | | | "reasonable policies and procedures" to: |
| medical care using stolen false identities, is widely | | | | Identify relevant patterns, practices, and specific |
| considered to be the fastest growing type of this | | | | forms activity that are "red flags," Detect these |
| crime. An increasing number of people are falling | | | | patterns, or "red flags"; Respond to those |
| victim to this crime and are having their lives | | | | detected to prevent and mitigate identity theft; |
| turned upside down, while being forced to spend | | | | and Ensure the program is updated periodically to |
| hundreds of hours to clear their good name. The | | | | reflect changes in risks. In administering such a |
| cost to business has most recently been | | | | program, a practice would need to: Illustrate |
| estimated at nearly $50 billion dollars per year. | | | | approval of the program from its board or board |
| In response to this growing problem the Federal | | | | committee; Appoint a designee(s) as a red flag |
| Trade Commission is now requiring an ID Theft | | | | officer; Train staff on awareness, red flags, and |
| Red Flag Program be in place for any medical | | | | appropriate responses; Exercise oversight of |
| practice that does not collect complete payment | | | | service provider arrangements. |
| at the time it provides services to its patients. | | | | While some health care practices have begun to |
| Any practice that is billing insurance on behalf of | | | | check identification prior to providing services this |
| its patients, where the patient is ultimately | | | | will now be a necessary step for all providers that |
| responsible for the payment, is now being | | | | have patients covered under this rule. The identity |
| considered a "creditor" by the FTC, and falls under | | | | theft red flags that need to be identified in a |
| these requirements. The deadline for laving a | | | | policy fall under these categories: Suspicious |
| program in place has been moved back to August | | | | documents; Suspicious identifying information; |
| 1, 2009, as the FTC found many industries still | | | | Unusual or suspicious activity related to patient; |
| unaware of their obligations under this rule. It is at | | | | and/or Notices from patients, victims of identity |
| that point that the FTC will begin to enforce civil | | | | theft, insurance investigators, law enforcement, |
| and monetary penalties per infraction. | | | | about possible identity theft. |
| Although the American Medical Association (AMA) | | | | Training of staff is a very important element to |
| and other medical associations have argued that | | | | this program as not only new procedures will |
| they should not fall under this rule, the FTC | | | | need to be adopted, but also a new awareness |
| recently responded with a nine page letter making | | | | among staff needs to be created to adequately |
| it clear they would not be granting an exemption | | | | follow policies. Most employees within the health |
| to these requirements for health care providers. | | | | care industry know very little about this problem |
| The purpose of these requirements is to minimize | | | | and will find it difficult to identify the red flags, |
| the risk to individuals that have had their | | | | follow proper reporting requirements, and |
| information stolen for the purpose of identity | | | | recognize the appropriate responses if their |
| theft. While having to comply with a new law may | | | | thinking and behavior has not been impacted by |
| at first seem frustrating, practices will be reducing | | | | this training. |
| their liability and minimizing the expense of | | | | Proper training should also impact behavior related |
| providing services where payment would | | | | to how information is handled, and go a long way |
| otherwise go uncollected. Medical identity theft can | | | | towards data theft and breaches that are |
| often go unnoticed, mixed in with a practices' bad | | | | increasingly common. This is especially true when |
| debt from services that are unable to be | | | | 61% of current data breaches are a result of |
| collected when the actual patient is unknown. | | | | administrative error. |
| Third party payors can also demand a refund | | | | According to Betsy Broder, the Assistant |
| from physicians if identity theft is discovered | | | | Director, Division of Privacy and Identity |
| after the payment has been applied. Ultimately, | | | | Protection at the Federal Trade Commission, the |
| the financial cost of this growing problem is most | | | | FTC will be looking for "reasonable efforts" at this |
| often born by the practice, and good policies and | | | | initial point of enforcement. According to Broder, |
| staff awareness can reduce that cost. | | | | "What we're looking for is good faith efforts on |
| The "Red Flag Rules" requires practices to develop | | | | their part to develop programs. |