FTC Issues Red Flag Rule Regarding Identity Theft
FAQ Helps Physicians Understand Rule
UPDATE! April 30, 2009
In order to allow institutions additional time to develop and implement identity theft procedures, the Federal Trade Commission (FTC) has granted a three-month delay on the enforcement of the Red Flag rule. The rule considers physicians to be “creditors,” thereby requiring them to establish procedures to protect against consumer identity theft or requiring payment in full in advance of service. The new implementation date is now August 1, 2009. The osteopathic profession, in conjunction with other physician groups, continues to object to this classification of physicians as creditors and will continue to urge the FTC to reconsider the decision. To view the full text of the announcement, go to www.ftc.gov/opa/2009/04/redflagsrule.shtm.
On November 9, 2007, the Federal Trade Commission (FTC) published its Red Flag rule concerning identity theft. Under the rule, financial institutions and creditors are required to develop and implement a written identity theft program to identify, detect, and respond to possible risks of identity theft relevant to them. The original compliance deadline was November 1, 2008. The FTC extended the deadline to May 1, 2009, after receiving complaints, particularly from the medical community, regarding the definition of creditor.
According to the FTC, a creditor is "any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew or continue credit." FTC attorneys have taken the position that physicians are creditors, if they do not require full payment upfront at the time they see patients, but bill patients after the services are rendered. The physician associations have called on the FTC to not apply this rule to the physician community.
In February, the FTC responded to physicians associations in a written letter that the creditor definition does apply to the physician community. The FTC noted that the rule's requirements are risk-based, meaning that the steps covered entities must take to address potential identity theft should be commensurate with the risks they encounter. Therefore, if a physician's practice is at low risk for identity theft, an appropriate program may consist of checking photo identification and having procedures in place in case the physician's office is notified that the patient's identity has been misused.
The American Osteopathic Association signed onto a letter with other physician organizations maintaining the FTC rule should not apply to the physician community. The letter also called on the FTC to reopen the rule for public comment. In the meantime, the AOA has compiled this Frequently Asked Questions and Guide to help physicians with the red flag rule.
What is a Red Flag?
The FTC defines the Red Flag as a pattern, practice, or specific activity that indicates the possible risk of identity theft. Examples include:
- Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
- The presentation of suspicious documents;
- The presentation of suspicious personal identifying information, such as a suspicious address change;
- The unusual use of, or other suspicious activity related to, a covered account; and
- Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.
Does the red flag policy differ from HIPAA?
HIPAA's privacy and security requirements are meant to protect a patient's personal health information. The FTC Red Flag Rule extends protection to other information such as credit card information, tax identification numbers (i.e., Social Security numbers), and insurance claim information.
How prevalent is Medical Identity Theft?
According to the FTC, 8.3 million American adults were victims of identity theft in 2005. Three percent of those victims said that the thief had obtained medical treatment, services, or supplies using their personal information.
What are some examples of Medical Identity Theft?
The World Privacy Forum has released a report on how the FTC rule applies to health care providers. The report gives many examples of medical identity theft, such as your patient receives a bill for another individual, or for a product or service he/she did not receive, or from a doctor he/she did not see. (For the full report, go to www.worldprivacyforum.org) Other examples are:
- Records showing medical treatment inconsistent with physical exam or medical history of the patient.
- Coverage for a legitimate hospital stay is denied because insurance benefits have been depleted or a life time cap has been reached.
- A complaint or question from a patient about information added to a credit report by a health care provider or insurer.
- A dispute of a bill by a patient who claims to be the victim of any type of identity theft.
- A patient who has an insurance number but never produces an insurance card or other physical documentation of insurance.
How to detect a suspicious document?
According to the FTC, suspicious documents include ones for identification that are inconsistent with: the appearance of the individual presenting the identification; information provided by the individual; readily accessible information that is on file with the physician's practice such as a recent check. Other examples that could indicate identity theft: the individual's phone number is invalid, or associated with a pager or answering service; there's no correlation between the Social Security Number range and date of birth; the address provided is fictitious, a mail drop, or a prison; and the documents presented for identification appear forged or altered.
What is my practice required to do under the FTC Red Flag Rule?
As stated earlier, the rule's requirements are risk-based, meaning that the steps covered entities must take to address potential identity theft should be commensurate with the risks they encounter. For example, the risk of identity theft may be low for a small practice in which the patients are more familiar to the physician and staff. In that case, checking photo identification, i.e., driver's license and having a plan in place in case the physician's office is notified that the patient's identity has been misused may be sufficient.
In general, however, physicians who are creditors by the agency's definition must:
- Develop and implement a written Identity Theft Prevention Program that is designed to identify, detect, respond, prevent and mitigate identity theft relevant to their practice and in the way patient accounts are established and maintained.
- Periodically update the program to reflect any changes in the risks, prevention, as well as changes to business arrangements such as new billing or collection contracts.
- Involve owners, board of directors, or senior management including a designated employee in the oversight, development, implementation and administration of the program.
- Train staff to effectively implement the program.
- Require staff to develop a report at least annually on program compliance, effectiveness of policies and procedures in addressing the risk of identity theft, service provider arrangements, significant incidents involving identity theft and management's response, and recommendations for changes to the program.
- Take steps to ensure that service providers that conduct activities with patient accounts have reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft.
What procedures should my practice consider?
When a patient makes an appointment, the patient should be instructed to bring at the time of the appointment a photo ID and health insurance card. If the photo identification does not indicate a current home address, the patient should bring utility bills or other correspondence indicating current residence. This procedure could be waived if this is an established patient. Staff should update patient information particularly if the patient has not been seen within the last six months.
What are appropriate responses to detecting Red Flags?
If a red flag is detected, the staff should document and report the incident to his/her supervisor or designated compliance officer. If the activity is determined to be fraudulent, the physician practice should consider: 1) not open a new account; 2) cancel existing account; 3) contact the affected patient; 4) contact law enforcement; 5) contact affected physician(s).
What steps should I consider if my patient claims to be a victim of identity theft?
Encourage your patient to contact law enforcement and to fill out the FTC's ID Theft Affidavit (www.ftc.gov/bcp/edu/resources/forms/affidavit.pdfhttp://www.ftc.gov/bcp/conline/pubs/credit/affidavit.pdf), or call (877) IDTHEFT. Compare the patient's documentation with personal information in the practice's records. If the patient's identity has been stolen, the practice should consider additional actions to determine whether the patient's medical records were affected and if they were, identity theft should be noted in the record. The practice also should determine if any additional files were affected and take appropriate action.
Are there penalties for non-compliance?
Physician practices may face a penalty of up to $2,500 per "knowing violation."