As part of the Federal Trade Commission’s (FTC) implementation of the Fair and Accurate Credit Transactions (FACT) Act of 2003, creditors are required to develop and implement a written Identity Theft Prevention Program to detect warning signs or “red flags” of identity theft in their day-to-day operations. The rule was initially scheduled to go into effect on November 1, 2008, but several extensions have been granted since then. Now, for the final time (we hope), an extension has been granted until November 1, 2009.
Healthcare providers fall under the category of “creditors” because they extend credit or defer payment until after the services are completed (i.e., setting up payment plans after services have been rendered and/or accepting insurance and balance billing patients for unpaid amounts as required by insurance contracts).
Further, most healthcare providers are considered “low risk” creditors. A two-part template to help such creditors comply with the law is available on the FTC website:
- Part A helps you determine whether your business or organization is at low risk
- Part B helps you design your written Identity Theft Prevention Program if your business is in the low risk category
The American Medical Association also offers guidance and provides a sample policy for your Red Flags Identity Theft Prevention Program on its website.
What red flags signal the type of identity theft your Identity Theft Prevention Program is trying to prevent? There is no definitive answer, but a couple of examples of warning signs are a patient showing up for appointments even though their mail is repeatedly returned as undeliverable, and inconsistencies between a physical examination or medical history reported by the patient and their treatment records.
Once you have implemented an Identity Theft Prevention Program, you will want to post signage in your office or facility explaining the requirement under the government’s Red Flags Rule to confirm and verify patients’ identity. A copy of a photo identification card, such as a driver’s license, should also be made and filed in the patient’s medical record so it can be used at future visits to confirm the patient’s identity and to prevent misuse of their financial and medical information by another party.
With so many resources available, like this article specifically for the healthcare sector titled The “Red Flags” Rule: What Health Care Providers need to Know About Complying with New Requirements for Fighting Identity Theft, practices need only develop “reasonable policies and procedures” regarding the identity theft prevention program. These policies and procedures can be incorporated into the company’s current compliance or security programs.
Do you have questions about implementing an Identity Theft Prevention Program at your practice? Contact our Healthcare Consulting Group at 440-449-6800.